RE: OT: Protecting default gateway ip address

From: Erick B. (erickbe@xxxxxxxxx)
Date: Sat Aug 10 2002 - 13:26:00 GMT-3


   
If you have a 6500, perhaps VACLs could be of some
use. Deny inbound traffic from the IP address of the
default gateway. I haven't tested this yet so I'm not
sure if this would work. There's also private VLANs and
you could maybe put those to use to protect your
server farm from rogue machines with duplicate IP.

If they had a protocol based VLAN where IP ranges x
through y got dynamically assigned to the VLAN then
you could just exclude the default gateway in the
range to be a member of the VLAN.

--- Colin Barber <Colin.Barber@telewest.co.uk> wrote:
> The devices in question are servers not client
> machines therefore they don't
> all run a login script.
>
> I guess static arps are the only way, however it
> relies on the different
> system administrators to perform the task correctly.
> I was hoping to achieve
> a solution using the router/switch. That way it
> doesn't matter what the
> administrators do they will not cause problems.
>
> Colin.
>
> -----Original Message-----
> From: Hansang Bae [mailto:hbae@nyc.rr.com]
> Sent: 10 August 2002 15:55
> To: ccielab@groupstudy.com
> Subject: RE: OT: Protecting default gateway ip
> address
>
>
> At 12:49 PM 8/10/2002 +0100, Colin Barber wrote:
> >I have been trying some things out this morning and
> yes there does not seem
> >to be any way to stop arp responses for a certain
> ip address.
> >The only thing I can see in the documentation is
> within vlan security you
> >can stop arp for the whole vlan, which is not a
> workable solution in this
> >case.
>
>
>
> Only way to do it is to define a static arp entry
> for everyone. Not really
> that big of a deal since you can use the login
> script to change it at will.
>
> hsb
>
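
A detection-side check for the duplicate-gateway-IP problem discussed in this thread, added here as an example and not written by any of the posters: it scans ARP frames in the style of `tcpdump -e -n arp` output and reports any frame that claims the gateway IP from a MAC other than the router's. The gateway IP, the gateway MAC and the capture lines are constructed for illustration.

```python
import re

# Assumed values for illustration: the default gateway IP and the router's real MAC.
GATEWAY_IP = "10.1.1.1"
GATEWAY_MAC = "00:00:0c:07:ac:01"

# Constructed sample lines in the style of `tcpdump -e -n arp` output.
SAMPLE = """\
12:00:01.000000 00:00:0c:07:ac:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.1.20 tell 10.1.1.1, length 46
12:00:01.000300 00:50:56:aa:bb:20 > 00:00:0c:07:ac:01, ethertype ARP (0x0806), length 60: Reply 10.1.1.20 is-at 00:50:56:aa:bb:20, length 46
12:00:05.100000 00:50:56:aa:bb:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 10.1.1.1 tell 10.1.1.1, length 46
12:00:05.200000 00:50:56:AA:BB:33 > 00:50:56:aa:bb:20, ethertype ARP (0x0806), length 60: Reply 10.1.1.1 is-at 00:50:56:AA:BB:33, length 46
12:00:09.000000 00:00:0c:07:ac:01 > 00:50:56:aa:bb:20, ethertype ARP (0x0806), length 60: Reply 10.1.1.1 is-at 00:00:0c:07:ac:01, length 46
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > \S+ ethertype ARP .*?: "
    r"(?:Request who-has \S+ tell (?P<tell>[\d.]+)"
    r"|Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17}))",
    re.IGNORECASE,
)

def gateway_claims(capture, gw_ip=GATEWAY_IP, gw_mac=GATEWAY_MAC):
    """Return (timestamp, mac, kind) for each ARP frame that claims gw_ip
    from a MAC other than gw_mac."""
    alerts = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an ARP line in the expected layout
        if m["ip"]:
            # Reply: check both the Ethernet source and the advertised MAC.
            claimed_ip, kind = m["ip"], "reply"
            macs = {m["src"].lower(), m["mac"].lower()}
        else:
            # Request: the "tell" field is the sender's own IP claim.
            claimed_ip, kind = m["tell"], "request"
            macs = {m["src"].lower()}
        if claimed_ip == gw_ip:
            for mac in sorted(macs - {gw_mac.lower()}):
                alerts.append((m["ts"], mac, kind))
    return alerts

if __name__ == "__main__":
    for ts, mac, kind in gateway_claims(SAMPLE):
        print(f"{ts} ARP {kind} claims {GATEWAY_IP} from unexpected MAC {mac}")
```
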


