Blocking selected ARP broadcasts from particular Trunk port via DAI
We had a core switch (Cisco 4503), distribution switches(Cisco 3750) and access switches in our network and consists of many vlans. Almost all vlans uses DHCP Pools. But for few vlans DHCP is not yet configured due to initial design poblems. Recently one of the rogue user in vlan 1 connected to one of the access switch send rogue arp packets to the network (suspecting arp packet with interface vlan 1 ip of core switch with wrong mac-address (gateway ip of vlan 1)) and resulted in a prolonged network outage for the vlan 1. Any way we are going to seggregate vlan 1 into different vlans, but before that we need a temporary plan to block such kinds of attack like enabling DAI in the switch. I have checked the DAI implemenation feasibility with my knowledge and found that it is not possible to configure to the access switches(Cisco 2960) in which the user directly connected. But found that Distribution switch connected to that particular access switch seems to be able to configure since DAI commands are available to configure in switch.
Is it possible to block ARP packets with the interface vlan 1 IP Address with rogue mac-address by configuring DAI in the above mentioned Distribution switch and the port connected to the mentioned access switch?
Any suggetions and advices are highly appreciable.
Actually the interface vlan 1 ip of core switch is 192.168.1.15 and all machines in the vlan 1 configured the gateway as vlan 1 interface ip. From one of the access switch an interface fastE 0/24 is connected to outside (Family Quarters location) for restricted Corporate Access. Recently we experienced a serious outage of devices in Vlan 1 and resolved only after shutting down of the interface 0/24 of that access switch. We found which was due to the ARP cache poisoning of machines because during that timethe mac-address table of vlan 1 machines(found that wrong mac-address binded in the vlan 1 machines arp table instead of HSRP gateway mac-address).
Is there any possibility to implement DAI to block such kinds of broadcasts to Corporate network only in Vlan 1?
New Cisco Champion Radio release on Cisco Smart Building SolutionsListen: https://smarturl.it/CCRS8E16Follow us: https://twitter.com/CiscoChampion Now more than ever, sustainable and flexible building designs are at the forefront of every develo...
DRAFT -- THIS DOCUMENT IS STILL IN DRAFT FORM
MACsec is IEEE standard 802.1AE. It was developed by the IEEE to compliment the 802.1X-2004 standard. MACsec was developed to allow authorized systems to connect and then encrypt data that is transmitt...
Today I'm going to talk about SD-wan including SD-WAN advanced lab ,, first thing let's take a small brief about the SD_WAN. What is SD-WAN? SD-WAN is Software define wide area network and SD-WAN is key part of the technology o...
Leopold Fisher, Cisco Meraki IoT specialist, will introduce you to new and innovative additions to the Meraki portfolio coming in April 2021.
Meraki Vision Session
MV smart camera range is getting big...
Ask questions from Wednesday, April 14 to Tuesday, April 27, 2021.
To participate in this event, please use the button to ask your questions
Dynamic Routing Protocols & IPv6
Have any questions on dynamic routing protocols with IPv6?
In this eve...