04-11-2004 05:14 AM - edited 03-02-2019 02:55 PM
Good day,
I want to increase security on one of my LANs and want to "freeze" the ARP table for the appropriate VLAN interface on an L3 switch (CAT 3550, IOS 12.1).
I.e., I want only static ARP records to be used for the given VLAN.
I tried "no arp arpa" on the VLAN interface, but without success: dynamic ARP records still appear and are used.
Is it possible to secure the VLAN the way I want?
Best regards,
Dmitry N. Hramtsov
04-14-2004 03:45 AM
Hi,
just an idea:
What about
arp timeout 0
on the proper interfaces?
See http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12119ea1/3550scg/swiprout.htm#1031288
for details.
Regards,
Milan
04-14-2004 07:04 AM
Hello Milan,
Thank you for your answer, but unfortunately "arp timeout" works only when ARP is on. So it is impossible to configure "arp timeout 0" and "no arp arpa" at the same time.
And if I turn ARP on, "arp timeout" does not become a problem for a malefactor: he/she can still take any IP on any MAC.
So, it looks like we need something else.
Cisco gurus, please answer: is it theoretically possible to secure the ARP table on Catalysts?
Best regards,
Dmitry N. Hramtsov
04-19-2004 02:58 PM
Dmitry
AFAIK there is no way to accomplish what you are trying to do here. You can also check the RFC that talks about ARP. I think that using static ARP entries for this router and disabling proxy ARP might be a workaround for this. Another thought in my head right now is to use DHCP manual bindings: you can specify which MAC addresses are trusted and assign the correct IP address for that interface; MAC addresses not entered in that mode are simply not going to be assigned one.
Here is some information about proxy-arp
Proxy ARP
http://www.cisco.com/warp/public/105/5.html
Regards,
Gus Ortiz
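The combination suggested in the thread (static ARP entries for the permitted hosts, proxy ARP disabled on the SVI, DHCP manual bindings keyed on MAC, plus the "arp timeout" idea from the earlier reply), written out as Catalyst-style IOS configuration. This is an added example, not configuration posted by anyone in the thread; the VLAN number, addresses, MACs and pool names are assumptions chosen for illustration.

```text
! Added example, not from the thread. VLAN 10, 192.168.10.0/24, the two
! host MACs and the pool names are made-up values for illustration.
!
! 1. Static ARP entries for every permitted host on VLAN 10 (global config).
!    The switch keeps these no matter what ARP replies it hears on the wire.
arp 192.168.10.11 0011.2233.4455 ARPA
arp 192.168.10.12 0011.2233.4466 ARPA
!
! 2. The VLAN interface: disable proxy ARP so the switch never answers ARP
!    requests on behalf of other hosts. "arp timeout 0" only stops learned
!    entries from aging out; it does not stop new entries from being learned,
!    which is why it is not sufficient on its own.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 no ip proxy-arp
 arp timeout 0
!
! 3. DHCP manual bindings: one pool per trusted host, keyed on its MAC.
!    With no dynamic pool covering 192.168.10.0/24, a MAC that has no
!    binding here is simply never offered an address.
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool HOST-11
 host 192.168.10.11 255.255.255.0
 hardware-address 0011.2233.4455
 default-router 192.168.10.1
!
ip dhcp pool HOST-12
 host 192.168.10.12 255.255.255.0
 hardware-address 0011.2233.4466
 default-router 192.168.10.1
!
! Some DHCP clients (Windows, for example) identify themselves with a DHCP
! client identifier rather than the hardware address. For those hosts use
!   client-identifier 0100.1122.3344.55
! (0x01 for Ethernet followed by the MAC) in place of hardware-address.
```

To check the result, "show ip arp vlan 10" lists the static entries with a dash in the Age column; any entry that shows a numeric age was learned dynamically. Note what this does and does not protect: the static entries fix only the switch's own ARP cache, so a host on the VLAN can still answer ARP for another host's address as seen by its neighbours, and nothing here stops a host from changing its MAC to one that has a binding. That limitation is the reason later Catalyst IOS releases added Dynamic ARP Inspection ("ip arp inspection vlan ...") on top of DHCP snooping; it is not discussed in the thread and may not exist on the 12.1 release mentioned.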