cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
389
Views
0
Helpful
1
Replies

arp $ security

admin_2
Level 3
Level 3

Hi! I have this scheme with catalyst switches.

client1-2950(1)-3550(1)-3550(2)-2950(2)-client2,3

client1 ip - 192.168.1.2 netmask 255.255.255.0 default 192.168.1.1

client2 ip - 192.168.1.3 netmask 255.255.255.0 default 192.168.1.1

client3 ip - 192.168.2.2 netmask 255.255.255.0 default 192.168.2.1

----------------------------

2950(1)

interface FastEthernet0/1

description 3550(1)

switchport mode trunk

no ip address

!

interface FastEthernet0/2

description client1

switchport access vlan 10

switchport mode access

no ip address

----------------------------

2950(2)

interface FastEthernet0/1

description 3550(2)

switchport mode trunk

no ip address

!

interface FastEthernet0/2

description client2

switchport access vlan 20

switchport mode access

no ip address

interface FastEthernet0/3

description client3

switchport access vlan 30

switchport mode access

no ip address

----------------------------

3550(1)

interface FastEthernet0/1

description 3550(2)

switchport mode trunk

no ip address

!

interface FastEthernet0/2

description 2950(1)

switchport mode trunk

no ip address

----------------------------

3550(2)

interface FastEthernet0/1

description 3550(1)

switchport mode trunk

no ip address

!

interface FastEthernet0/2

description 2950(2)

switchport mode trunk

no ip address

interface Vlan100

ip address 192.168.1.1 255.255.255.0

interface Vlan10

ip address 10.1.1.1 255.255.255.0

ip access-group 10 in

interface Vlan20

ip address 10.1.2.1 255.255.255.0

ip access-group 20 in

interface Vlan30

ip address 192.168.2.1 255.255.255.0

ip access-group 30 in

ip route 192.168.1.2 255.255.255.255 Vlan10

ip route 192.168.1.3 255.255.255.255 Vlan20

access-list 10 permit 192.168.1.2

access-list 20 permit 192.168.1.3

access-list 30 permit 192.168.2.2

----------------------------

client1 communicate with client2 over layer3 only through proxy-arp

Work with other addresses for clients is forbidden by access-list 10,20,30 and ip route command

Is safe to use proxy arp in this case? What hacks are possible from client1 (DoS attack or something another)?

1 Reply 1

owillins
Level 6
Level 6

Proxy arp can be used in 'spoofing' attacks, where a machine can claim to be another in order to intercept packets. If the host is an internal user that can be trusted, I don't think proxy arp could cause an issue. Here is a document on how proxy arp works. Thought it would be of some help.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml

Review Cisco Networking for a $25 gift card