RE: Repost: cat 3550 L3 Port security

From: Howard C. Berkowitz (hcb@gettcomm.com)
Date: Sat Feb 14 2004 - 16:58:23 GMT-3


At 2:32 PM -0500 2/14/04, Scott Morris wrote:
>Part of your difficulty with that is when does your switch use the ARP
>table? It certainly isn't going to use it for normal switching (that's the
>CAM table, or mac-address table). So, the static ARP only works if
>communication must go through an SVI port on the 3550 (where it is actually
>looking at L3 stuff).
>
>I think that was the entertaining part of the discussions when this came
>about the last time.
>
>In and of itself, I think there would be some context issues that we are
>missing here. Port security does well for keeping a MAC address to a port,
>but again doesn't touch IP.
>
>I think we would need to see how the rest of the scenario was really laid
>out to make the best decision about that. Perhaps a VACL is what we are
>looking for here. That can use L3 and L2 information even during "switched"
>transactions instead of just on routed packets.
>
>But yes, watch your paths 'n' such. :) Look at the whole picture!

Along those lines, Neill Craven pointed out a security hole in the
paths (first observed on the Cat 5K series with multilayer) that
cache a MAC address and use it as always-equivalent to an IP address.
Associating ports with MAC addresses closes the hole of someone
taking the NIC from a machine that is permitted through an IP access
list, and moving it to another machine where the same MAC address is
still permitted through the access list (with, of course, spoofing
the source IP address of the original machine).
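
The two controls the thread is weighing (port security and a VACL) can be shown together. This is an added example configuration for a Catalyst 3550, not a config posted by anyone in this thread; the interface, VLAN 10, the host 10.1.10.5 and the MAC 0000.1111.2222 are assumed placeholder values.

```cisco
! Added example (not from the thread). Interface, VLAN, host IP and MAC
! below are assumed placeholder values.
!
! 1. Port security: tie one specific MAC address to the physical port.
!    A NIC moved to another machine on a different port is not accepted
!    there, and a second MAC showing up on Fa0/1 err-disables the port.
interface FastEthernet0/1
 description Workstation permitted through the IP access list
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation shutdown
!
! 2. VLAN access map (VACL): applied to traffic switched inside VLAN 10,
!    so the L3 match is enforced even when no SVI is in the path.
ip access-list extended PERMITTED-HOSTS
 permit ip host 10.1.10.5 any
!
vlan access-map VLAN10-FILTER 10
 match ip address PERMITTED-HOSTS
 action forward
vlan access-map VLAN10-FILTER 20
 action drop
!
vlan filter VLAN10-FILTER vlan-list 10
!
! Optional: recover an err-disabled port automatically after the
! default interval instead of requiring a manual shut/no shut.
errdisable recovery cause psecure-violation
```

Note the division of labour: the VACL keys on the IP header, so on its own it still passes the moved-NIC-plus-spoofed-IP case Howard describes; the port-security binding is what closes that, because the permitted MAC is only honoured on the one port. Check the result with `show port-security interface FastEthernet0/1` (secure MAC, violation count, port status) and `show vlan access-map` / `show vlan filter`, and test the VACL in a lab first, since a VLAN map with only an IP ACL does not classify non-IP frames.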



This archive was generated by hypermail 2.1.4 : Fri Mar 05 2004 - 07:13:49 GMT-3