From: Robert Slaski (robin@atm.com.pl)
Date: Thu Dec 12 2002 - 18:34:12 GMT-3
Tim Fletcher wrote:
> Your solution will not disable dynamic ARP.
Of course, it will, watch 'no arp arpa'.
> It will only allow 1 MAC
> address in the switch table, but that's not the same as the ARP cache.
> So a device on that port with the correct MAC address could still respond
> to an ARP request with a different IP address (or even send gratuitous
> ARPs).
> There are 2 problems with the ARP solution. The 1st is that it would only
> affect traffic originated by or L3 switched by the switch. Any layer 2
> traffic does not use the ARP cache.
That's what I replied to Adam. This will work only when we cross
the routing process from another VLAN or we're pinging from the switch
itself. It won't work in the same VLAN; that's what I wrote
earlier. As we cannot use access-lists, there are only two solutions:
the ARP method and the vlan-maps method.
> The second is that it just wouldn't work. Let's use your example below to
> illustrate. Let's put a device on fa0/1 with a MAC address of
> AAAA.BBBB.CCCC and an IP address of 10.10.10.11, and try to ping it. Since
> we don't have any entry in the ARP cache for 10.10.10.11 (actually we
> probably would because of gratuitous ARPs), we do an ARP request. The
> 10.10.10.11 would respond with its MAC address, which would be entered in
> our ARP cache, and the ping would be successful.
When any kind of ARP is disabled (by default only ARPA is enabled and
we've just disabled this only one with 'no arp arpa'), no ARP requests
will be sent and no ARP responses (even unsolicited, spoofed or
gratuitous) will be put in the ARP cache. All this occurs per interface
(fa0/1 in this case).
> Remember that we can only have one MAC address per IP address in the ARP
> cache, but multiple IP addresses can point to the same MAC address.
>
That's why I have proposed the ARP method to prevent this.
mikrobi,
-- .
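The "ARP method" discussed in this thread, written out as an added IOS configuration fragment (not taken from either poster) using the fa0/1, 10.10.10.11 and AAAA.BBBB.CCCC values from Tim's illustration; it assumes fa0/1 is an interface on which the switch itself does ARP, and that the static entry is the companion to 'no arp arpa'. As both posters agree, this only constrains traffic the switch originates or routes; frames switched at layer 2 within the VLAN never consult the ARP cache.

```text
! Added example, not from the thread. Assumes fa0/1 is a layer 3
! (routed) interface on a Catalyst running IOS.
!
! Disable dynamic ARP on the port: the switch sends no ARP requests out
! of fa0/1 and puts no received replies, gratuitous or otherwise, into
! the cache for this interface.
interface FastEthernet0/1
 no arp arpa
!
! Pin the single IP/MAC pair the switch is allowed to reach via fa0/1
! (values from Tim's example).
arp 10.10.10.11 aaaa.bbbb.cccc arpa
!
! Check: the entry is listed as static with no age, and a host on fa0/1
! answering from any other IP address never obtains a dynamic entry.
show ip arp 10.10.10.11
show ip arp FastEthernet0/1
```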
This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:44 GMT-3