Cisco Support Community
arp $ security

Hi! I have this scheme with Catalyst switches.

client1-2950(1)-3550(1)-3550(2)-2950(2)-client2,3

client1 ip - 192.168.1.2 netmask 255.255.255.0 default 192.168.1.1

client2 ip - 192.168.1.3 netmask 255.255.255.0 default 192.168.1.1

client3 ip - 192.168.2.2 netmask 255.255.255.0 default 192.168.2.1

----------------------------

2950(1)

interface FastEthernet0/1
 description 3550(1)
 switchport mode trunk
 no ip address
!
interface FastEthernet0/2
 description client1
 switchport access vlan 10
 switchport mode access
 no ip address

----------------------------

2950(2)

interface FastEthernet0/1
 description 3550(2)
 switchport mode trunk
 no ip address
!
interface FastEthernet0/2
 description client2
 switchport access vlan 20
 switchport mode access
 no ip address
!
interface FastEthernet0/3
 description client3
 switchport access vlan 30
 switchport mode access
 no ip address

----------------------------

3550(1)

interface FastEthernet0/1
 description 3550(2)
 switchport mode trunk
 no ip address
!
interface FastEthernet0/2
 description 2950(1)
 switchport mode trunk
 no ip address

----------------------------

3550(2)

interface FastEthernet0/1
 description 3550(1)
 switchport mode trunk
 no ip address
!
interface FastEthernet0/2
 description 2950(2)
 switchport mode trunk
 no ip address
!
! SVIs: the clients' configured subnets (192.168.1.0/24, 192.168.2.0/24) live on
! Vlan100 and Vlan30. Vlan10 and Vlan20 carry client1 and client2 with addresses
! outside their SVI subnets, so those two clients depend on proxy ARP.
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip access-group 10 in
!
interface Vlan20
 ip address 10.1.2.1 255.255.255.0
 ip access-group 20 in
!
interface Vlan30
 ip address 192.168.2.1 255.255.255.0
 ip access-group 30 in
!
! Host routes pointing at the VLAN where each client actually sits.
ip route 192.168.1.2 255.255.255.255 Vlan10
ip route 192.168.1.3 255.255.255.255 Vlan20
!
! Standard ACLs: these match the source address only.
access-list 10 permit 192.168.1.2
access-list 20 permit 192.168.1.3
access-list 30 permit 192.168.2.2

----------------------------

client1 communicates with client2 over layer 3 only, through proxy ARP.

Use of other addresses by the clients is forbidden by access-lists 10, 20 and 30 and the ip route commands.

Is it safe to use proxy ARP in this case? What hacks are possible from client1 (a DoS attack or something else)?
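The following model is added here as an example; it is not part of the original post and not Cisco code. It walks the ARP, ACL and routing decisions the 3550(2) would make for the configuration above. It encodes, as an assumption about IOS behaviour, the proxy ARP rule: an SVI answers an ARP request for an address that is not its own only when the router has a route to that address whose egress interface differs from the one the request arrived on. The constructed traces show why client1 reaches client2 only through proxy ARP and that a spoofed source address is stopped by the inbound standard ACL. They also make visible two things the post does not mention: because standard ACLs match the source address only, client1 can reach client3 by way of the gateway address, and the Vlan10 SVI answers proxy ARP for every address in 192.168.1.0/24 (it has the connected route via Vlan100), not only for 192.168.1.3.

```python
"""Model of the ARP, ACL and routing decisions the 3550(2) in the post makes.

Added example; it is not part of the original post. The proxy ARP rule is an
assumption about IOS behaviour: an SVI answers an ARP request for an address
that is not its own only when the router has a route to that address whose
egress interface differs from the one the request arrived on. Switch and
client data below are transcribed from the posted configuration.
"""
from ipaddress import ip_address, ip_interface, ip_network

# SVIs on 3550(2): name -> configured address/mask (from the post)
SVIS = {
    "Vlan100": ip_interface("192.168.1.1/24"),
    "Vlan10": ip_interface("10.1.1.1/24"),
    "Vlan20": ip_interface("10.1.2.1/24"),
    "Vlan30": ip_interface("192.168.2.1/24"),
}

# Routing table: the two static host routes plus the connected SVI networks.
ROUTES = [(ip_network("192.168.1.2/32"), "Vlan10"),
          (ip_network("192.168.1.3/32"), "Vlan20")]
ROUTES += [(svi.network, name) for name, svi in SVIS.items()]

# Standard ACLs applied inbound: they match the SOURCE address only.
ACLS = {"Vlan10": {"192.168.1.2"}, "Vlan20": {"192.168.1.3"}, "Vlan30": {"192.168.2.2"}}

# Clients: name -> (SVI of the access VLAN, configured address/mask, default gateway)
CLIENTS = {
    "client1": ("Vlan10", "192.168.1.2/24", "192.168.1.1"),
    "client2": ("Vlan20", "192.168.1.3/24", "192.168.1.1"),
    "client3": ("Vlan30", "192.168.2.2/24", "192.168.2.1"),
}


def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns the egress SVI or None."""
    dst = ip_address(dst)
    matches = [(net.prefixlen, name) for net, name in ROUTES if dst in net]
    return max(matches)[1] if matches else None


def arp_reply(in_if, target):
    """How the SVI `in_if` answers an ARP request for `target`.

    Returns "own" (its own address), "proxy" (proxy ARP on behalf of a
    destination reachable via another interface) or None (no reply).
    """
    target = ip_address(target)
    if target == SVIS[in_if].ip:
        return "own"
    egress = lookup_route(target)
    return "proxy" if egress is not None and egress != in_if else None


def acl_permits(in_if, src):
    """Inbound standard ACL: permit only listed sources; an SVI with no ACL permits all."""
    return in_if not in ACLS or str(ip_address(src)) in ACLS[in_if]


def client_sends(client, dst, src=None):
    """Trace a packet from `client` to `dst`; `src` lets the client spoof its source.

    Returns the list of steps; the last one is either 'DELIVERED via <SVI>'
    or a 'DROP: ...' reason.
    """
    in_if, addr, gateway = CLIENTS[client]
    iface = ip_interface(addr)
    src = src or str(iface.ip)
    # The client ARPs for on-link destinations directly, otherwise for its gateway.
    arp_target = dst if ip_address(dst) in iface.network else gateway
    steps = [f"{client}: ARP who-has {arp_target} on {in_if}"]
    # No other host on the client's VLAN owns that address, so only the SVI can answer.
    how = arp_reply(in_if, arp_target)
    if how is None:
        steps.append("DROP: no ARP reply, client cannot build the frame")
        return steps
    steps.append(f"{in_if} replies ({how})")
    if not acl_permits(in_if, src):
        steps.append(f"DROP: ACL on {in_if} denies source {src}")
        return steps
    egress = lookup_route(dst)
    steps.append(f"DELIVERED via {egress}" if egress else "DROP: no route")
    return steps


if __name__ == "__main__":
    for case in [("client1", "192.168.1.3", None), ("client1", "192.168.2.2", None),
                 ("client3", "192.168.1.2", None), ("client1", "192.168.1.3", "10.1.1.5")]:
        print(" -> ".join(client_sends(*case)))
    # ARP requests arriving on Vlan10 (client1's VLAN) and how the SVI answers them:
    for target in ("192.168.1.200", "10.1.1.7"):
        print(target, arp_reply("Vlan10", target))
```

`arp_reply` and `client_sends` are the two functions to experiment with; change the ACLs to extended ones that also match destinations if you want the model to show how to restrict client1 to client2 only.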

1 REPLY

Re: arp $ security

Proxy ARP can be used in 'spoofing' attacks, where a machine can claim to be another in order to intercept packets. If the host is an internal user that can be trusted, I don't think proxy ARP could cause an issue. Here is a document on how proxy ARP works; I thought it would be of some help.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

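To make the reply's spoofing point concrete, here is an added monitoring example (not code from the page or from Cisco) that parses raw Ethernet/ARP reply frames and flags the two signatures of the attack described: a host claiming an address it is not assigned, and an address changing owner. The MAC addresses and frames are constructed samples, and the allow-list (only the 3550(2) SVI may answer on behalf of other addresses; client1 may claim only 192.168.1.2) is an assumption matching the one-host-per-VLAN design in the question.

```python
"""Detector for the ARP spoofing the reply warns about: a host that answers ARP
for an address it does not own, in order to receive someone else's traffic.

Added example, not code from the page. MAC addresses and frames are constructed
samples; the watcher assumes a static map of which MAC may claim which IP, with
the 3550(2) SVI (SVI_MAC) being the only host allowed to proxy for others.
"""
import struct
from ipaddress import ip_address

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# Constructed sample MACs (not from the post).
SVI_MAC = "00:00:0c:00:00:01"
CLIENT1_MAC = "00:11:22:33:44:01"
ROGUE_MAC = "00:11:22:33:44:ff"


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_text(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Construct an Ethernet/ARP reply frame (used here to make sample input)."""
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY, mac_bytes(sender_mac), ip_address(sender_ip).packed,
                   mac_bytes(target_mac), ip_address(target_ip).packed)
    return ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) or None if the frame is not ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    _, _, _, _, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    return op, mac_text(sha), str(ip_address(spa)), str(ip_address(tpa))


class ArpWatcher:
    """Checks ARP replies seen on one VLAN against a static MAC -> {IP} allow-list."""

    def __init__(self, svi_mac, allowed):
        self.svi_mac = svi_mac
        self.allowed = allowed          # mac -> set of IPs it may claim
        self.bindings = {}              # ip -> mac last seen claiming it

    def inspect(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return []
        _, sha, spa, _ = parsed
        alerts = []
        # Only the SVI may answer on behalf of other addresses (proxy ARP).
        if sha != self.svi_mac and spa not in self.allowed.get(sha, set()):
            alerts.append(f"unauthorized claim: {sha} says it is {spa}")
        # An address that changes owner is the classic poisoning signature.
        previous = self.bindings.get(spa)
        if previous is not None and previous != sha:
            alerts.append(f"binding change: {spa} moved from {previous} to {sha}")
        self.bindings[spa] = sha
        return alerts


def run_sample():
    """Replay constructed frames as they might be seen on VLAN 10; return alerts per frame."""
    watcher = ArpWatcher(SVI_MAC, {CLIENT1_MAC: {"192.168.1.2"}})
    frames = [
        # 1. SVI proxies for the gateway address client1 asked for: legitimate.
        build_arp_reply(SVI_MAC, "192.168.1.1", CLIENT1_MAC, "192.168.1.2"),
        # 2. client1 answers the SVI's ARP for its own address: legitimate.
        build_arp_reply(CLIENT1_MAC, "192.168.1.2", SVI_MAC, "10.1.1.1"),
        # 3. client1 claims the gateway address: spoof (two alerts).
        build_arp_reply(CLIENT1_MAC, "192.168.1.1", SVI_MAC, "10.1.1.1"),
        # 4. An unknown MAC claims client1's address: spoof (two alerts).
        build_arp_reply(ROGUE_MAC, "192.168.1.2", SVI_MAC, "10.1.1.1"),
    ]
    return [watcher.inspect(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample(), 1):
        print(f"frame {i}: {alerts or 'ok'}")
```

Fed from a packet capture on a SPAN port instead of the constructed frames, `ArpWatcher.inspect` gives the same two alert types; the allow-list is the part that has to be maintained by hand, which is exactly the bookkeeping the posted per-client ACLs and host routes already do for IP.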