North American Network Operators Group
RE: Interesting new spam technique - getting a lot more popular.
> is it really that hard to make your foundry/extreme/cisco l3 switch vlan
> and subnet??? Is this an education thing or a laziness thing? Is this
> perhaps covered in a 'bcp' (not even an official IETF thing, just a
> hosters bible sort of thing) ?

Subnets aren't exactly good for address space usage.

For Cisco kit, there are numerous nerd knobs that can be deployed that would seemingly mitigate this spam technique.

In short, IP Source Guard ("stop malicious people from using IP addresses that weren't assigned to them"), Port Security ("limit # of mac addresses on a given port to X") and Dynamic ARP Inspection ("discard bogus arp packets").

Combined with things like Private VLANs (allow different customers to share the same subnet but restrict them being able to talk/see one another), there are ways of securing things.

Of course, just like everything it's up to folks to deploy them. Many of these knobs aren't safe or practical for "default" settings.

I'm sure other vendors have similar features also.

Yes, these have been presented on numerous times within Cisco forums (e.g. Networkers) as best practice & are typically very well attended. Not necessarily by all the folk that need to, I guess. :(

cheers,

lincoln.
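
An added example, not part of the original post and not a vendor reference configuration: how the three knobs named above fit together on one customer port of a shared hosting subnet with statically addressed servers. The VLAN number, interface names, ACL name and addresses are constructed; the syntax is Catalyst IOS style and differs between platforms and releases. Private VLANs are left out.

```cisco
! Constructed example: VLAN 100 is a shared customer subnet (192.0.2.0/24),
! Gi1/0/10 is one customer's port, Gi1/0/1 is the uplink to the router.
!
! IP Source Guard is built on DHCP snooping, so snooping is enabled on the
! VLAN even though every customer address here is static.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Static binding: the one MAC/IP pair assigned to this customer port.
ip source binding 0000.5e00.5310 vlan 100 192.0.2.10 interface GigabitEthernet1/0/10
!
! Dynamic ARP Inspection: with no DHCP leases to learn from, an ARP ACL
! supplies the permitted sender IP/MAC pairs. ARP arriving on an untrusted
! port that claims any other address in the subnet is discarded.
arp access-list VLAN100-STATIC
 permit ip host 192.0.2.10 mac host 0000.5e00.5310
!
ip arp inspection vlan 100
ip arp inspection filter VLAN100-STATIC vlan 100
ip arp inspection validate src-mac ip
!
interface GigabitEthernet1/0/10
 description customer port (constructed)
 switchport mode access
 switchport access vlan 100
 ! Port Security: limit the number of MAC addresses on the port.
 ! "restrict" drops and counts violating frames instead of err-disabling.
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security
 ! IP Source Guard: drop IP traffic whose source address has no binding.
 ip verify source
!
interface GigabitEthernet1/0/1
 description uplink to router (constructed)
 ! The router's traffic is not checked against customer bindings.
 ip dhcp snooping trust
 ip arp inspection trust
```

Every additional address a customer is assigned needs its own `ip source binding` line and ARP ACL entry, which is part of why these settings are not practical as defaults.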