RE: Arp Security

From: Antonio Soares (amsoares@netcabo.pt)
Date: Fri Jun 29 2007 - 15:19:43 ART


Thank you for the link.

I was not very comfortable with this Feature so I decided to test it.

Here's my config with some comments:

++++++++++++++++++++++++++++++++++
!
ip arp inspection vlan 100
!
ip arp inspection filter ARP_ACL vlan 100
!
! R1 IP Address DHCP
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
 ip arp inspection trust
!
! R2 Static IP
interface GigabitEthernet0/2
 switchport access vlan 100
 switchport mode access
!
! R3 Static IP
interface GigabitEthernet0/3
 switchport access vlan 100
 switchport mode access
!
! R6 DHCP Server
interface GigabitEthernet0/6
 switchport access vlan 100
 switchport mode access
 ip arp inspection trust
!
! Trunk to SW2
interface GigabitEthernet0/13
 switchport mode dynamic desirable
 ip arp inspection trust
!
! Trunk to SW2
interface GigabitEthernet0/14
 switchport mode dynamic desirable
 ip arp inspection trust
!
! Trunk to SW2
interface GigabitEthernet0/15
 switchport mode dynamic desirable
 ip arp inspection trust
!
arp access-list ARP_ACL
 ! R2
 permit ip host 10.10.10.2 mac host 0000.2222.2222
 ! R3
 permit ip host 10.10.10.3 mac host 0000.3333.3333
!
++++++++++++++++++++++++++++++++++

I have full reachability between R1-R2-R3-R6.

I wouldn't choose this Feature to answer the question you mentioned.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Eric
Dobyns
Sent: Friday, June 29, 2007 16:05
To: 'Antonio Soares'; ccielab@groupstudy.com
Subject: RE: Arp Security

Dynamic Arp Inspection:
http://cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00805b56de.html

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Antonio Soares
Sent: Thursday, June 28, 2007 12:05 PM
To: 'Eric Dobyns'; ccielab@groupstudy.com
Subject: RE: Arp Security

It comes to my mind a conjunction of two commands: "update arp" and "arp
authorized"

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hiad_c/ch10/hipdhcpa.htm

And don't forget to statically map your routers :)

I didn't find any "ip arp inspection" command...

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Eric
Dobyns
Sent: Thursday, June 28, 2007 17:30
To: ccielab@groupstudy.com
Subject: Arp Security

If I were setting up a dhcp server on a router and wanted to make sure ARP
entries were secure, would I use 'ip arp inspection' on the interface
handling the requests?
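
The configuration tested at the top of this thread can be read through the order in which Dynamic ARP Inspection validates a packet: trusted ports are not inspected, then the ARP ACL is consulted, then the DHCP snooping bindings. The Python model below is an added example, not part of the original messages and not Cisco code; it covers permit entries only, and R1's address, the short port names and the sample packets are constructed for illustration.

```python
# Added illustration: a model of the DAI decision order for VLAN 100 as configured
# in this thread. Not Cisco code; R1's IP/MAC and all sample packets are constructed.
from dataclasses import dataclass

# Ports carrying "ip arp inspection trust" in the posted config
TRUSTED_PORTS = {"Gi0/1", "Gi0/6", "Gi0/13", "Gi0/14", "Gi0/15"}
# permit entries of "arp access-list ARP_ACL" (sender IP, sender MAC)
ARP_ACL = {("10.10.10.2", "0000.2222.2222"), ("10.10.10.3", "0000.3333.3333")}
# The posted filter line has no "static" keyword, so unmatched packets
# fall through to the DHCP snooping binding table.
ACL_STATIC = False

@dataclass(frozen=True)
class Arp:
    port: str        # ingress switch port
    sender_ip: str
    sender_mac: str

def inspect(pkt, bindings):
    """Return (verdict, reason) for one ARP packet received in VLAN 100.

    bindings maps IP -> (MAC, port), standing in for the snooping table.
    """
    if pkt.port in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    if (pkt.sender_ip, pkt.sender_mac) in ARP_ACL:
        return "forward", "ARP ACL permit"
    if ACL_STATIC:
        return "drop", "no ACL match (static filter)"
    if bindings.get(pkt.sender_ip) == (pkt.sender_mac, pkt.port):
        return "forward", "DHCP snooping binding"
    return "drop", "no ACL match and no binding"

def run_samples():
    """Evaluate constructed packets; the binding table is empty because the
    posted config does not enable DHCP snooping."""
    bindings = {}
    samples = {
        "R2 legitimate": Arp("Gi0/2", "10.10.10.2", "0000.2222.2222"),
        "R3 legitimate": Arp("Gi0/3", "10.10.10.3", "0000.3333.3333"),
        "R1 on trusted port": Arp("Gi0/1", "10.10.10.1", "0000.1111.1111"),
        "R3 port claiming R2's IP": Arp("Gi0/3", "10.10.10.2", "0000.3333.3333"),
        "trusted port claiming R2's IP": Arp("Gi0/1", "10.10.10.2", "0000.1111.1111"),
    }
    return {name: inspect(pkt, bindings) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, (verdict, reason) in run_samples().items():
        print(f"{name:32} {verdict:8} {reason}")
```

In this model the reachability reported in the test follows from the trust settings and the ACL alone, and a mismatched IP/MAC pair is dropped only when it arrives on an untrusted port.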


