On Jun 4, 2009, at 4:31 PM, Peter Rathlev wrote:

On Thu, 2009-06-04 at 15:39 -0700, Cord MacLeod wrote:
Would it be a reasonable solution to static ARP a gateway on a Cisco
L3 switch to prevent a user from taking over the gateway? So, assuming
you have HSRP running on 2 layer 3 switches and they share a gateway
of 10.0.0.1, with switch one's address being 10.0.0.2 and two's address
being 10.0.0.3, would it be reasonable to static ARP each of these
addresses to each switch?

I'd say there's always a better way than static configuration.

I'm not sure exactly what the scenario is, but if you're talking about
simple L2 switches with a L3 interface for management, just keep the L3
termination away from user VLANs.

A bunch of L2 switches connected to two L3 switches.



If you're talking about two L3 switches with a configuration like:

! *** A ***
interface Vlan2
 ip address 10.0.0.2 255.255.255.0
 standby ip 10.0.0.1
!

! *** B ***
interface Vlan2
 ip address 10.0.0.3 255.255.255.0
 standby ip 10.0.0.1
!

Essentially, yes.



And then if you should configure each with a static ARP entry mapping
10.0.0.1 to 0000.0c07.ac00, then this would only "protect" each of these
two switches, not any hosts on the network. And the switches would often
have their own uplink(s), rarely needing to send traffic to the
"gateway" address.

I only want to protect the switches. I don't want anyone stealing their IP addresses or the HSRP gateway addresses.



Have you looked at Dynamic ARP Inspection?

Wish I could use this. Unfortunately, I can't. We use LVS, which is a Linux load balancer. This does use a VIP, but not a virtual MAC address. Therefore, when there's a failover, the switch ignores the new MAC address with DAI; I found this out the hard way on my Juniper switches, which have DAI enabled by default.



Regards,
Peter



_______________________________________________
cisco-nsp mailing list  [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
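The thread turns on a policy distinction that neither a static ARP entry nor stock DAI expresses on its own: the gateway 10.0.0.1 and the two SVI addresses must never change MAC, while an LVS VIP (no virtual MAC) legitimately moves between director MACs on failover. The following is an added example, not code from the thread, from Cisco or from LVS: an out-of-band ARP binding monitor (the kind of thing you would feed from a SPAN port) that parses raw Ethernet/ARP frames and applies exactly that policy. The HSRP group-0 virtual MAC 0000.0c07.ac00 and the 10.0.0.1/.2/.3 addresses come from the thread; the switch SVI MACs, the director MACs and the VIP 10.0.0.50 are assumptions, and the sample frames are constructed inline so the script runs offline.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(text: str) -> bytes:
    """Accept Cisco (0000.0c07.ac00), colon or dash notation."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {text}")
    return bytes.fromhex(digits)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(text: str) -> bytes:
    return bytes(int(o) for o in text.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass(frozen=True)
class Arp:
    oper: int
    sha: str  # sender MAC: the IP->MAC binding an ARP packet asserts
    spa: str  # sender IP
    tha: str
    tpa: str


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    b = frame[22:42]
    return Arp(oper, mac_str(b[0:6]), ip_str(b[6:10]), mac_str(b[10:16]), ip_str(b[16:20]))


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet+ARP frame; used here only to construct sample traffic."""
    dst = b"\xff" * 6 if oper == ARP_REQUEST else mac_bytes(tha)
    eth = dst + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)


class ArpPolicy:
    """pinned:  IP -> the only MAC ever allowed to claim it (gateway, switch SVIs).
    movable: IP -> the set of MACs allowed to claim it (an LVS VIP across its directors).
    Any other IP is learned on first sight and flagged when its MAC changes."""

    def __init__(self, pinned: Dict[str, str], movable: Dict[str, Set[str]]):
        self.pinned = {ip: mac_str(mac_bytes(m)) for ip, m in pinned.items()}
        self.movable = {ip: {mac_str(mac_bytes(m)) for m in macs} for ip, macs in movable.items()}
        self.last_seen: Dict[str, str] = {}

    def check(self, frame: bytes) -> str:
        pkt = parse_arp(frame)
        if pkt is None:
            return "ignored"
        ip, mac = pkt.spa, pkt.sha  # requests and replies both assert a sender binding
        if ip in self.pinned:
            return "ok" if mac == self.pinned[ip] else f"spoof {ip} from {mac}"
        if ip in self.movable and mac not in self.movable[ip]:
            return f"spoof {ip} from {mac}"
        prev = self.last_seen.get(ip)
        self.last_seen[ip] = mac
        if prev is None or prev == mac:
            return "ok"
        kind = "vip-move" if ip in self.movable else "changed"
        return f"{kind} {ip} {prev} -> {mac}"


# Constructed addresses: 10.0.0.1/.2/.3 and the HSRP group-0 virtual MAC are from the
# thread; every other MAC and the VIP 10.0.0.50 are assumptions made for this example.
PINNED = {
    "10.0.0.1": "0000.0c07.ac00",  # HSRP gateway
    "10.0.0.2": "0011.2200.000a",  # switch A SVI (assumed)
    "10.0.0.3": "0011.2200.000b",  # switch B SVI (assumed)
}
MOVABLE = {"10.0.0.50": {"0050.5600.0001", "0050.5600.0002"}}  # LVS VIP, two directors (assumed)

SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, "0000.0c07.ac00", "10.0.0.1", "0000.0000.0000", "10.0.0.1"),   # gratuitous ARP from the active HSRP switch
    build_arp(ARP_REPLY, "0a0b.0c0d.0e0f", "10.0.0.1", "0011.2200.000a", "10.0.0.2"),     # a user host claiming the gateway
    build_arp(ARP_REPLY, "0050.5600.0001", "10.0.0.50", "0011.2200.000a", "10.0.0.2"),    # VIP answered by director 1
    build_arp(ARP_REQUEST, "0050.5600.0002", "10.0.0.50", "0000.0000.0000", "10.0.0.50"), # VIP fails over to director 2
    build_arp(ARP_REPLY, "0a0b.0c0d.0e0f", "10.0.0.50", "0011.2200.000a", "10.0.0.2"),    # unknown MAC claiming the VIP
    b"\xff" * 6 + b"\x00" * 6 + b"\x08\x00" + b"\x00" * 40,                               # IPv4 frame, not ARP
]


def run_samples() -> List[str]:
    """Feed the constructed frames through a fresh policy; one verdict per frame."""
    policy = ArpPolicy(PINNED, MOVABLE)
    return [policy.check(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
```

The second frame is the case the original question is about (a host asserting 10.0.0.1 with its own MAC) and is reported as a spoof regardless of who the target is; the fourth is the LVS failover that a per-port binding check cannot tell apart from an attack, and is reported as an allowed move only because the new MAC is in the VIP's director set. A monitor like this only alerts; it does not drop anything, which is the trade-off against enforcing the binding on the switch.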