03-21-2004 10:43 AM - edited 03-02-2019 02:26 PM
Hi! I have this scheme with Catalyst switches.
client1-2950(1)-3550(1)-3550(2)-2950(2)-client2,3
client1 ip - 192.168.1.2 netmask 255.255.255.0 default 192.168.1.1
client2 ip - 192.168.1.3 netmask 255.255.255.0 default 192.168.1.1
client3 ip - 192.168.2.2 netmask 255.255.255.0 default 192.168.2.1
----------------------------
2950(1)
interface FastEthernet0/1
description 3550(1)
switchport mode trunk
no ip address
!
interface FastEthernet0/2
description client1
switchport access vlan 10
switchport mode access
no ip address
----------------------------
2950(2)
interface FastEthernet0/1
description 3550(2)
switchport mode trunk
no ip address
!
interface FastEthernet0/2
description client2
switchport access vlan 20
switchport mode access
no ip address
interface FastEthernet0/3
description client3
switchport access vlan 30
switchport mode access
no ip address
----------------------------
3550(1)
interface FastEthernet0/1
description 3550(2)
switchport mode trunk
no ip address
!
interface FastEthernet0/2
description 2950(1)
switchport mode trunk
no ip address
----------------------------
3550(2)
interface FastEthernet0/1
description 3550(1)
switchport mode trunk
no ip address
!
interface FastEthernet0/2
description 2950(2)
switchport mode trunk
no ip address
interface Vlan100
ip address 192.168.1.1 255.255.255.0
interface Vlan10
ip address 10.1.1.1 255.255.255.0
ip access-group 10 in
interface Vlan20
ip address 10.1.2.1 255.255.255.0
ip access-group 20 in
interface Vlan30
ip address 192.168.2.1 255.255.255.0
ip access-group 30 in
ip route 192.168.1.2 255.255.255.255 Vlan10
ip route 192.168.1.3 255.255.255.255 Vlan20
access-list 10 permit 192.168.1.2
access-list 20 permit 192.168.1.3
access-list 30 permit 192.168.2.2
----------------------------
client1 communicates with client2 at layer 3 only through proxy ARP.
Working with other addresses for the clients is forbidden by access-lists 10, 20, 30 and the ip route commands.
Is it safe to use proxy ARP in this case? What hacks are possible from client1 (DoS attack or something else)?
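To check what the 3550(2) filtering in the post actually allows, here is an added example (not from the original post) that parses the relevant config lines and evaluates a packet against the ingress ACL and the routing table. It assumes standard-ACL semantics (a bare address is a host match, implicit deny any at the end) and longest-prefix route lookup; proxy ARP itself is not modelled, only the layer-3 policy behind it.

```python
import ipaddress

# Constructed excerpt of the 3550(2) config from the post (only the lines the model uses).
CONFIG = """
interface Vlan100
 ip address 192.168.1.1 255.255.255.0
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 ip access-group 10 in
interface Vlan20
 ip address 10.1.2.1 255.255.255.0
 ip access-group 20 in
interface Vlan30
 ip address 192.168.2.1 255.255.255.0
 ip access-group 30 in
ip route 192.168.1.2 255.255.255.255 Vlan10
ip route 192.168.1.3 255.255.255.255 Vlan20
access-list 10 permit 192.168.1.2
access-list 20 permit 192.168.1.3
access-list 30 permit 192.168.2.2
"""

def parse(config):
    """Return (acls, routes, ingress_acl): standard ACL entries, connected + static routes, ACL per SVI."""
    acls, routes, ingress_acl, iface = {}, [], {}, None
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "interface":
            iface = t[1]
        elif t[:2] == ["ip", "address"] and iface:      # connected route for the SVI subnet
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), iface))
        elif t[:2] == ["ip", "access-group"] and iface:
            ingress_acl[iface] = t[2]
        elif t[:2] == ["ip", "route"]:                     # static route to an outgoing SVI
            routes.append((ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[0] == "access-list":                        # 'permit A.B.C.D' with no wildcard = host match
            acls.setdefault(t[1], []).append((t[2], ipaddress.ip_address(t[3])))
    return acls, routes, ingress_acl

def forward(policy, ingress, src, dst):
    """Outgoing SVI for a packet entering `ingress`, or a string saying why it is dropped."""
    acls, routes, ingress_acl = policy
    acl = ingress_acl.get(ingress)
    if acl and not any(action == "permit" and host == ipaddress.ip_address(src)
                       for action, host in acls.get(acl, [])):
        return f"denied by access-list {acl}"           # implicit 'deny any' at the end of a standard ACL
    matches = [(net, out) for net, out in routes if ipaddress.ip_address(dst) in net]
    if not matches:
        return "no route"
    return max(matches, key=lambda m: m[0].prefixlen)[1]  # longest-prefix match: /32 beats the /24

POLICY = parse(CONFIG)
```

Running forward(POLICY, "Vlan10", "192.168.1.2", "192.168.1.3") returns "Vlan20" and a packet with any other source on Vlan10 is denied by access-list 10, which is the isolation the post relies on; note that a destination such as 192.168.1.50 still matches the connected /24 on Vlan100, so the ingress ACLs, not the /32 routes alone, are what confine each client.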
03-26-2004 08:02 AM
Proxy ARP can be used in 'spoofing' attacks, where a machine can claim to be another in order to intercept packets. If the host is an internal user that can be trusted, I don't think proxy ARP could cause an issue. Here is a document on how proxy ARP works. Thought it would be of some help.
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094adb.shtml