hijacking the gateway address on a Cisco Nexus switch.

network_geek1979 · ‎05-16-2022

Team,

Are there any security configurations that can be done on a Cisco switch that will prevent a VM hosted on an internal network from hijacking the Gateway IP assigned to the VLAN on the switch?

Thanks!

N.

MHM Cisco World · ‎05-16-2022

Yes ARP inception.

the ARP inception check if VM host send GARP to other HOST inform all that I am new GW, the SW will drop this packet and prevent this case.

network_geek1979 · ‎05-16-2022

Hi MHM, sorry that I missed adding that this is a Cisco Nexus switch.

Will this still work?

MHM Cisco World · ‎05-16-2022

Yes sure

what nexus you have nexus 3000 or 5000?

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/security/503_n1_1/b_Cisco_n5k_security_config_gd_rel_503_n1_1/Cisco_n5k_security_config_gd_rel_503_n1_1_chapter9.html

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus3000/sw/security/503_u2_2/b_Cisco_n3k_security_cg_503_u2_2/b_Cisco_n3k_security_cg_503_u2_2_chapter_01011.html

network_geek1979 · ‎05-17-2022

Hi MHM,
This is a Nexus 7000 in vPC.

Thanks.

MHM Cisco World · ‎05-17-2022

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/4_1/nx-os/security/configuration/guide/sec_nx-os-cfg/sec_arpinspect.html