Posted on April 18, 2019 6:00 pm
 |  Asked by David
 |  111 views

Curious if there’s a method to cache a negative response to an ARP from a 7280SR2 acting as first hop gateway (w/varp if it matters)? We have public-facing deployments, using large address blocks, that are constantly being scanned by script kiddies and it’s generating tens of thousands of ARP requests per second for the not-in-use addresses, over and over. I was hoping to be able to cache the fact that a failed ARP occurred, so the switch doesn’t try it again for some period of time, such as five or ten minutes. Thanks

Posted by Alexis Dacquay
Answered on August 13, 2020 2:55 pm

Hi David,


What about putting in place MAC ACL, where you would filter the source MAC that originated the ARP request?

When the ACL drops the ARP request, it would obviously not be responded to. It will not even reach the CPU, it will be blocked in hardware at entry.

Is that a Layer 2 hosting/CoLo environment?

You can also consider:

  • MAC Security (limit the amount of legitimate MAC addresses per port)
  • Storm control (limit the broadcast and unknown unicast to very low percentage)

You can tune the Control-plane ACL and control-plane policy to restrict more specifically the allowed sources of traffic.


If you do want the ARP requests to reach the CPU for a validity check, then you may consider:

https://eos.arista.com/eos-4-15-0f/static-arp-inspection/

Regards,

Alexis
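
Before adding the MAC ACL or tuning storm control that Alexis suggests, you need to know which source MACs are driving the ARP lookups for unused addresses. The script below is an added example, not code from the thread or from Arista: it ranks ARP-request sources from a short capture by how many unused addresses in the gateway's block they probe. The capture lines, the in-use host set and the address block are constructed assumptions.

```python
"""Rank the source MACs behind ARP requests for addresses that are not in use
inside a gateway's public block, to pick candidates for a MAC ACL deny entry
or to size a storm-control threshold. All names, the in-use host set and the
capture lines below are constructed assumptions, not data from the thread."""
from collections import defaultdict
import ipaddress
import re

# Constructed sample in the shape `tcpdump -nn -e arp` prints requests.
SAMPLE_CAPTURE = """\
0.000 02:00:00:00:00:aa > ff:ff:ff:ff:ff:ff, ARP Request who-has 203.0.113.10 tell 203.0.113.200
0.250 02:00:00:00:00:bb > ff:ff:ff:ff:ff:ff, ARP Request who-has 203.0.113.5 tell 203.0.113.201
0.400 02:00:00:00:00:aa > ff:ff:ff:ff:ff:ff, ARP Request who-has 203.0.113.11 tell 203.0.113.200
0.800 02:00:00:00:00:aa > ff:ff:ff:ff:ff:ff, ARP Request who-has 203.0.113.12 tell 203.0.113.200
1.200 02:00:00:00:00:aa > ff:ff:ff:ff:ff:ff, ARP Request who-has 203.0.113.13 tell 203.0.113.200
1.500 02:00:00:00:00:bb > ff:ff:ff:ff:ff:ff, ARP Request who-has 203.0.113.5 tell 203.0.113.201
1.900 02:00:00:00:00:aa > ff:ff:ff:ff:ff:ff, ARP Request who-has 203.0.113.14 tell 203.0.113.200
"""
IN_USE = {ipaddress.ip_address(a) for a in ("203.0.113.1", "203.0.113.5")}
BLOCK = ipaddress.ip_network("203.0.113.0/24")
ARP_RE = re.compile(r"^(?P<ts>[\d.]+) (?P<src>[0-9a-f:]{17}) > \S+, .*who-has (?P<target>\S+) tell")

def rank_arp_sources(capture, in_use, block, min_unused=3):
    """Return [(src_mac, requests, distinct_unused_targets, req_per_sec)] sorted
    by distinct unused targets, keeping only sources at or above min_unused."""
    total = defaultdict(int)
    unused = defaultdict(set)
    first, last = None, None
    for line in capture.splitlines():
        m = ARP_RE.match(line)
        if not m:
            continue  # skip replies and non-ARP lines
        ts = float(m["ts"])
        first = ts if first is None else first
        last = ts
        src, target = m["src"], ipaddress.ip_address(m["target"])
        total[src] += 1
        # Only count lookups inside our own block that hit no live host.
        if target in block and target not in in_use:
            unused[src].add(target)
    span = max(last - first, 1e-9) if first is not None else 1.0
    ranked = [(mac, total[mac], len(unused[mac]), round(total[mac] / span, 2))
              for mac in total if len(unused[mac]) >= min_unused]
    return sorted(ranked, key=lambda r: (-r[2], -r[1], r[0]))

if __name__ == "__main__":
    for mac, n, u, rate in rank_arp_sources(SAMPLE_CAPTURE, IN_USE, BLOCK):
        print(f"{mac}: {n} ARP requests, {u} unused targets, {rate} req/s")
```

A source that appears at the top of this list with a high unused-target count is the MAC you would name in the deny entry; the per-source rate also gives a baseline for how low a storm-control percentage can go without hitting legitimate hosts.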