Cisco Support Community
Community Member

will "deny ip" also deny ARP?

I'm creating an access list where I "deny ip" to an entire subnet. However, the "...1" address on that denied subnet is my next-hop router out to the Internet. (This is the way I want it since that router is not under my control.) Will I still be able to get "out" to the Internet? All that two routers should need to pass traffic are the MAC & IP addresses in the ARP table, and I'm pretty sure ARP is "below" the IP layer, so both routers SHOULD have each other in their ARP tables. Is ARP considered part of the "deny ip"? Will the untrusted router show up in my router's ARP table? I know I won't be able to PING or Telnet to that router and vice versa, but that's OK and what I want... but traffic that does not have a source or destination IP of the router's subnet should be able to pass, right?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Gold

Re: will "deny ip" also deny ARP?

Yes, ARP is not IP. Moreover, it is not routable and not controllable with ACLs.

If you have an interface on an untrusted network, you can disable arp and use static entries for trusted peers. They will need to do the same with your router.

Hope this helps, please rate post if it does!

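To make the accepted answer concrete, here is an added IOS configuration example (not from the original poster or the answerer): an extended ACL that denies IP traffic to the untrusted next-hop subnet while ARP keeps resolving the next hop, plus dynamic ARP disabled on that interface and a static entry for the trusted peer. The interface name, the 192.0.2.0/24 subnet, the 192.0.2.1 next hop and the 0000.5e00.5301 MAC address are placeholders.

```cisco
! Added example, not part of the original thread. Addresses, interface
! name and MAC address are placeholders chosen for illustration.
!
ip access-list extended DENY_UNTRUSTED_SUBNET
 ! Drop any IP packet destined to the untrusted subnet, which also
 ! blocks ping/telnet from this router's LAN to the .1 next hop.
 deny   ip any 192.0.2.0 0.0.0.255
 ! Transit traffic to the Internet has destinations outside that
 ! subnet, so it still matches here and is forwarded to the next hop.
 permit ip any any
!
interface GigabitEthernet0/0
 description Link to untrusted next-hop router (192.0.2.1)
 ip address 192.0.2.2 255.255.255.0
 ! The ACL evaluates IP packets only (EtherType 0x0800). ARP frames
 ! (EtherType 0x0806) are never passed through an IP access list.
 ip access-group DENY_UNTRUSTED_SUBNET out
 ! Stop sending and answering dynamic ARP on this segment, as the
 ! answer suggests for an interface on an untrusted network.
 no arp arpa
!
! With dynamic ARP disabled, a static entry for the trusted peer is
! needed so the next hop's MAC address is known. The peer must carry
! a matching static entry for 192.0.2.2, otherwise it cannot reply.
arp 192.0.2.1 0000.5e00.5301 arpa
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! Verify afterwards with "show arp": the 192.0.2.1 entry is listed
! with an age of "-", marking it as static rather than learned.
```

Without the static entries on both sides, disabling ARP on the interface breaks forwarding entirely, so coordinate the change with whoever operates the next-hop router before applying it.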