Re: Switching port security- Follow up

From: Tim Fletcher (tim@fletchmail.net)
Date: Thu Dec 12 2002 - 18:11:45 GMT-3


Your solution will not disable dynamic ARP. It will only allow 1 MAC
address in the switch table, but that's not the same as the ARP cache.
So a device on that port with the correct MAC address could still respond
to an ARP request with a different IP address (or even send gratuitous
ARPs).

There are two problems with the ARP solution. The first is that it would only
affect traffic originated by or L3 switched by the switch. Any layer 2
traffic does not use the ARP cache.

The second is that it just wouldn't work. Let's use your example below to
illustrate. Let's put a device on fa0/1 with a MAC address of
AAAA.BBBB.CCCC and an IP address of 10.10.10.11, and try to ping it. Since
we don't have any entry in the ARP cache for 10.10.10.11 (actually we
probably would because of gratuitous ARPs), we do an ARP request. The
10.10.10.11 would respond with its MAC address, which would be entered in
our ARP cache, and the ping would be successful.

Remember that we can only have one MAC address per IP address in the ARP
cache, but multiple IP addresses can point to the same MAC address.

-tim fletcher

On Thu, 12 Dec 2002, Robert Slaski wrote:

> Adam Crisp wrote:
> > vlan acl then, but the ip access-list is the best way (but not allowed!)
> >
>
> Well, an idea has come and hit me straight in me head ;-)
> Of course static ARP will work, but you have to _disable dynamic ARPs_
> on this interface as well.
>
> So here is the complete solution:
> (config)# arp 10.10.10.10 AAAA.BBBB.CCCC arpa
> (config)# int fa0/1
> (config-if)# no arp arpa
> (config-if)# switchport port-security
> (config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
> (config-if)# switchport port-security maximum 1
>
> mikrobi,
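The point Tim makes above (port-security constrains the switch's MAC table, the ARP cache is a separate IP-keyed structure that layer 2 forwarding never consults, and many IPs may map to one MAC) can be modelled in a few lines. The Python below is an added example, not code from the thread or from any Cisco product; the switch, ports, hosts, MAC addresses and frames are all constructed here, and the only real-world behaviour it assumes is that a static ARP entry is never overwritten by dynamic learning and that port-security checks source MACs only.

```python
"""Toy model of why port-security plus a static ARP entry does not pin an IP
to a port.  Added example, not from the original thread; the switch, ports,
hosts and frames are constructed in-line, no real network is touched."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOWED_MAC = "aaaa.bbbb.cccc"   # the MAC pinned to fa0/1 in the thread
STATIC_IP = "10.10.10.10"        # the IP given a static ARP entry


@dataclass
class Frame:
    in_port: str
    src_mac: str
    src_ip: str
    arp_op: Optional[str] = None          # None (data), "request" or "reply"
    arp_sender_mac: Optional[str] = None  # MAC advertised inside the ARP body


@dataclass
class Switch:
    port_security: Dict[str, Set[str]] = field(default_factory=dict)  # port -> allowed MACs
    mac_table: Dict[str, str] = field(default_factory=dict)           # mac -> port
    arp_cache: Dict[str, str] = field(default_factory=dict)           # ip -> mac
    static_arp: Set[str] = field(default_factory=set)                 # IPs pinned by `arp ... arpa`
    violations: List[Tuple[str, str]] = field(default_factory=list)

    def arp_static(self, ip: str, mac: str) -> None:
        """Model of `arp <ip> <mac> arpa`: one MAC per IP, never overwritten."""
        self.arp_cache[ip] = mac
        self.static_arp.add(ip)

    def receive(self, frame: Frame) -> str:
        """Process one ingress frame and report what the switch did with it."""
        allowed = self.port_security.get(frame.in_port)
        # Port-security only ever looks at the source MAC of the frame.
        if allowed is not None and frame.src_mac not in allowed:
            self.violations.append((frame.in_port, frame.src_mac))
            return "dropped"
        self.mac_table[frame.src_mac] = frame.in_port
        if frame.arp_op is None or frame.arp_op == "request":
            # Plain layer-2 traffic is forwarded on the MAC table alone; the
            # src_ip is never compared against the ARP cache.
            return "forwarded"
        # ARP reply (including gratuitous): the switch's own ARP cache learns
        # sender-IP -> sender-MAC unless that IP has a static entry.
        if frame.src_ip in self.static_arp:
            return "arp-static-kept"
        self.arp_cache[frame.src_ip] = frame.arp_sender_mac or frame.src_mac
        return "arp-learned"


def run_scenario() -> dict:
    """Apply the thread's config, then replay the cases Tim describes."""
    sw = Switch()
    sw.arp_static(STATIC_IP, ALLOWED_MAC)        # arp 10.10.10.10 AAAA.BBBB.CCCC arpa
    sw.port_security["fa0/1"] = {ALLOWED_MAC}    # port-security maximum 1 / mac-address
    results = {}
    # 1. A different MAC on fa0/1 is stopped, by the MAC table, not by ARP.
    results["rogue_mac"] = sw.receive(
        Frame("fa0/1", "dddd.eeee.ffff", STATIC_IP))
    # 2. The allowed MAC sends data as 10.10.10.11: port-security is happy
    #    and L2 forwarding never consults the ARP cache.
    results["data_other_ip"] = sw.receive(
        Frame("fa0/1", ALLOWED_MAC, "10.10.10.11"))
    # 3. Gratuitous ARP from the allowed MAC claiming 10.10.10.11: a second
    #    IP now points at the same MAC in the ARP cache.
    results["grat_arp_new_ip"] = sw.receive(
        Frame("fa0/1", ALLOWED_MAC, "10.10.10.11", "reply", ALLOWED_MAC))
    # 4. An ARP reply for the static IP from a port without port-security
    #    (constructed here) cannot displace the static entry.
    results["spoof_static_ip"] = sw.receive(
        Frame("fa0/2", "1111.2222.3333", STATIC_IP, "reply", "1111.2222.3333"))
    results["arp_cache"] = dict(sw.arp_cache)
    results["mac_table"] = dict(sw.mac_table)
    results["violations"] = list(sw.violations)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the two structures diverging: the MAC table holds exactly one MAC for fa0/1 and records the violation, while the ARP cache ends up with both 10.10.10.10 and 10.10.10.11 resolving to aaaa.bbbb.cccc, so a ping to 10.10.10.11 from the switch would succeed exactly as described above.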



This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:44 GMT-3