How to "freeze" arp table for given interface?

hramtsov
Level 1

Good day,

I want to increase security on one of my LANs and want to "freeze" the ARP table for the appropriate VLAN interface on an L3 switch (CAT 3550, IOS 12.1).

I.e., I want only static ARP records to be present for the given VLAN.

I tried "no arp arpa" for the VLAN interface, but without success - dynamic ARP records still appear and are used.

Is it possible to secure the VLAN the way I want?

Best regards,

Dmitry N. Hramtsov

3 Replies

milan.kulik
Level 10

Hi,

just an idea:

What about

arp timeout 0

on the proper interfaces?

See http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/3550scg/swiprout.htm#1031288

for details.

Regards,

Milan

Hello Milan,

Thank you for your answer, but unfortunately "arp timeout" works only when ARP is on. So it is impossible to configure "arp timeout 0" and "no arp arpa" at the same time.

And if I turn ARP on, "arp timeout" does not become a problem for a malefactor - he/she can still take any IP on any MAC.

So it looks like we need something else.

Cisco gurus, please answer: is it theoretically possible to secure the ARP table on Catalysts?

Best regards,

Dmitry N. Hramtsov

gusortiz
Level 1

Dmitry

AFAIK there is no way to accomplish what you are trying to do here. You can also check the RFC that talks about ARP. I think that using static ARP entries for this router and disabling proxy-ARP might be a workaround for this. Another thought in my head right now is to use DHCP's manual bindings: you can specify which MAC addresses are trusted and assign the correct IP address for that interface; MAC addresses not entered in that mode simply are not going to be assigned.

Here is some information about proxy ARP:

Proxy ARP

http://www.cisco.com/warp/public/105/5.html

Regards,

Gus Ortiz
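A check that follows from Gus's static-ARP workaround and from Dmitry's concern that a malefactor can take any IP on any MAC, added here as an example and not taken from the thread: it parses constructed `show ip arp` output (the column layout is assumed from IOS) and flags every entry on the protected VLAN interface that is not one of the intended static bindings.

```python
import re

# Constructed sample of IOS `show ip arp` output (not real data). Entries added
# with the global `arp <ip> <mac> arpa` command, and the interface's own address,
# show "-" in the Age column; dynamically learned entries show an age in minutes.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0011.2233.4455  ARPA   Vlan10
Internet  192.0.2.10              -   0011.2233.4466  ARPA   Vlan10
Internet  192.0.2.11             12   0011.2233.4477  ARPA   Vlan10
Internet  192.0.2.12              3   0011.2233.4488  ARPA   Vlan10
Internet  192.0.2.13              1   0011.2233.4499  ARPA   Vlan10
Internet  198.51.100.5            7   0011.2233.4400  ARPA   Vlan20
"""

# Intended static bindings for the protected VLAN (constructed); these mirror
# the `arp` statements the administrator configured.
STATIC_BINDINGS = {
    "192.0.2.10": "0011.2233.4466",
    "192.0.2.11": "0011.2233.4477",
    "192.0.2.12": "0011.2233.4400",
}

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>\S+)\s+(?P<mac>[0-9a-f.]{14})\s+ARPA\s+(?P<intf>\S+)$"
)

def parse_show_ip_arp(text):
    """Parse `show ip arp` output into dicts; header and unmatched lines are skipped."""
    matches = (ARP_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def audit_arp_table(text, interface, bindings, own_ip):
    """Return (ip, mac, reason) for each entry on `interface` that breaks the
    static-only policy: no configured binding, a MAC differing from the binding
    (the spoofing case), or an entry learned dynamically rather than configured."""
    findings = []
    for e in parse_show_ip_arp(text):
        if e["intf"] != interface or e["ip"] == own_ip:
            continue  # other VLANs and the switch's own address are out of scope
        expected = bindings.get(e["ip"])
        if expected is None:
            findings.append((e["ip"], e["mac"], "no static binding configured"))
        elif e["mac"] != expected:
            findings.append((e["ip"], e["mac"], "MAC differs from static binding " + expected))
        elif e["age"] != "-":
            findings.append((e["ip"], e["mac"], "dynamically learned, not static"))
    return findings
```

Run `audit_arp_table` periodically against fresh `show ip arp` output; a "MAC differs" finding for a bound IP is the case Dmitry describes, and an age other than "-" on a bound IP means the static entry is not actually in effect.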