Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: Interesting new spam technique - getting a lot more popular.

  • From: Lincoln Dale
  • Date: Wed Jun 14 08:05:21 2006

> is it really that hard to make your foundry/extreme/cisco l3 switch vlan
> and subnet??? Is this an education thing or a laziness thing? Is this
> perhaps covered in a 'bcp' (not even an official IETF thing, just a
> hoster's bible sort of thing) ?

Subnets aren't exactly good for address space usage.

For Cisco kit, there are numerous nerd knobs that can be deployed that would
seemingly mitigate this spam technique.

In short, IP Source Guard ("stop malicious people from using IP addresses
that weren't assigned to them"), Port Security ("limit # of mac addresses on
a given port to X") and Dynamic ARP Inspection ("discard bogus arp
packets").

Combined with things like Private VLANs (allow different customers to share
the same subnet but restrict them being able to talk/see one another), there
are ways of securing things.

Of course, just like everything, it's up to folks to deploy them.  Many of
these knobs aren't safe or practical for "default" settings.

I'm sure other vendors have similar features also.

Yes, these have been presented on numerous times within Cisco forums (e.g.
Networkers) as best practice & are typically very well attended.
Not necessarily by all the folk that need to, I guess. :(


cheers,

lincoln.
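
The three per-port features named in the message above, sketched as an added Catalyst-style IOS configuration (not part of the original post). VLAN 100, the interface names, the address 192.0.2.10 and the MAC 0000.5e00.5301 are constructed placeholders, and exact syntax varies by platform and release.

```cisco
! Added example: constructed values throughout (VLAN 100, interface names,
! 192.0.2.10, MAC 0000.5e00.5301). Verify syntax against your platform/release.
!
! DHCP snooping builds the IP/MAC/port binding table that IP Source Guard
! and Dynamic ARP Inspection consult.
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Dynamic ARP Inspection: drop ARP packets on untrusted ports whose
! sender IP/MAC pair does not match a known binding.
ip arp inspection vlan 100
!
! Statically addressed hosts never appear in the DHCP snooping table, so
! they need a manual binding (for IP Source Guard) and an ARP ACL (for DAI).
ip source binding 0000.5e00.5301 vlan 100 192.0.2.10 interface GigabitEthernet0/10
arp access-list STATIC-HOSTS
 permit ip host 192.0.2.10 mac host 0000.5e00.5301
ip arp inspection filter STATIC-HOSTS vlan 100
!
interface GigabitEthernet0/1
 description Uplink toward router (trusted)
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/10
 description Customer server port (untrusted by default)
 switchport mode access
 switchport access vlan 100
 ! Port Security: at most 2 MAC addresses; drop and count violations
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! IP Source Guard: permit only source IPs bound to this port
 ip verify source
```

Turning on `ip verify source` or ARP inspection for a port before its binding exists drops that host's traffic, so the static binding and ARP ACL entries go in first.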




