Guest
Posted: Fri Feb 22, 2008 1:18 pm Post subject: Block arp packets on Catalyst switch
Hi,
I'm trying to completely block ARP packets per port.
If not possible on a port, then blocking ARP packets on a VLAN would
help as well.
I know all I'm going to get in replies is people telling me why I
shouldn't do this, how my switch will implode, how I will upset the
balance of nature,
and asking me WHY I would do such a silly thing, and what an idiot I
am for wanting to do this.
So I will explain myself...
I am going to be setting up some automation to configure some devices,
each and every device has the same IP address,
meaning I can only configure one at a time.
UNLESS..
I block all ARP traffic, so the switch is unaware of duplicate IP
addresses.
I create a static ARP table, artificially making each MAC a different
IP address to the switch.
Then I can configure each device as if it was a unique IP address.
Since traffic on a local LAN is layer 2 anyway, this should work.
So... I know this is a VERY BAD IDEA on a production LAN,
this is for a lab, this is not a production LAN,
this will not be used for regular LAN traffic.
I know this will make the switch not work for regular traffic.
I just want to know how to block all ARP traffic on a port or VLAN
(preferably port).
Thanks,
Chris Toews
Rick Jones Guest
Posted: Fri Feb 22, 2008 6:18 pm Post subject: Re: Block arp packets on Catalyst switch
In comp.protocols.tcp-ip cdtoews.spam@gmail.com wrote:
Quote:
I am going to be setting up some automation to configure some
devices, each and every device has the same IP address, meaning I
can only configure one at a time. UNLESS..
I block all ARP traffic, so the switch is unaware of duplicate IP
addresses.
I create a static ARP table, artificially making each MAC a different
IP address to the switch.
Then I can configure each device as if it was a unique IP address.
Since traffic on a local LAN is layer 2 anyway, this should work.
Since a switch is layer 2 anyway, I don't think it would particularly
care about IP addresses in the first place. Now, the systems
_themselves_ might care about the duplicate IP addresses, but I don't
think the switch will care one bit.
rick jones
--
The computing industry isn't as much a game of "Follow The Leader" as
it is one of "Ring Around the Rosy" or perhaps "Duck Duck Goose."
- Rick Jones
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
Barry Margolin Guest
Posted: Fri Feb 22, 2008 7:52 pm Post subject: Re: Block arp packets on Catalyst switch
In article
<9c73ae2a-d70d-42f8-8186-c4f798a61471@n58g2000hsf.googlegroups.com>,
cdtoews.spam@gmail.com wrote:
Quote:
Hi,
I'm trying to completely block ARP packets per port.
If not possible on a port, then blocking ARP packets on a VLAN would
help as well.
I know all I'm going to get in replies is people telling me why I
shouldn't do this, how my switch will implode, how I will upset the
balance of nature,
and asking me WHY I would do such a silly thing, and what an idiot I
am for wanting to do this.
So I will explain myself...
I am going to be setting up some automation to configure some devices,
each and every device has the same IP address,
meaning I can only configure one at a time.
UNLESS..
I block all ARP traffic, so the switch is unaware of duplicate IP
addresses.
I create a static ARP table, artificially making each MAC a different
IP address to the switch.
Then I can configure each device as if it was a unique IP address.
Since traffic on a local LAN is layer 2 anyway, this should work.
The NICs will accept the packets, but the IP stacks in the devices will
ignore them because they don't have the correct destination IP
addresses. Will they be running in promiscuous mode?
And when the devices reply, the source addresses won't match the
original destination addresses.
Quote:
So... I know this is a VERY BAD IDEA on a production LAN,
this is for a lab, this is not a production LAN,
this will not be used for regular LAN traffic.
I know this will make the switch not work for regular traffic.
I just want to know how to block all ARP traffic on a port or VLAN
(preferably port).
If you'll be configuring static ARP tables then you don't need to block
ARP, because no one will be sending them.
--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
David Tiktin Guest
Posted: Fri Feb 22, 2008 11:11 pm Post subject: Re: Block arp packets on Catalyst switch
On 22 Feb 2008, cdtoews.spam@gmail.com wrote:
Quote:
I am going to be setting up some automation to configure some
devices, each and every device has the same IP address,
meaning I can only configure one at a time.
I have pretty much the same situation. One idea is to use UDP
packets sent to the local subnet broadcast address. Every device
will receive every message. Each message can contain an identifier
of the station it is meant for and only that station processes that
message. (That's the way multidrop systems typically work.) The
devices must also include the identifier (or a message ID) in any
reply to the server so it can keep the sessions straight. The
identifier could be the device's MAC address.
This could also work using 2 IP multicast addresses, one for each
direction, again with internal identifiers.
Of course quite a bit depends on the type of devices you have and
their capabilities. Do your devices have fairly complete network
support? If the devices and your configuration server platform
support raw ethernet sockets, you can just use a different ethernet
protocol ID and address the devices directly by MAC address. But
such a scheme pretty much rules out using the standard tools I have
available like TFTP, so that's not what I do. I just configure the
devices one at a time (there aren't *that* many), and the script
clears the ARP cache on the configuration server after each is
completed.
I'm hoping someone suggests a clever solution to this problem.
Dave
--
D.a.v.i.d T.i.k.t.i.n
t.i.k.t.i.n [at] a.d.v.a.n.c.e.d.r.e.l.a.y [dot] c.o.m
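As an added illustration of the broadcast-with-identifier scheme Dave describes (example code written for this page, not from the thread or any real product): a constructed message format tagged with the target MAC and a message ID, a device that ignores every frame not carrying its own MAC, and a server that correlates replies by the (message ID, MAC) pair rather than by source IP, since every device shares the same address. The wire format, field sizes and the in-memory "broadcast" loop are assumptions for the example.

```python
import struct
# Constructed wire format for the broadcast scheme: magic, target MAC, message id, payload.
HDR = struct.Struct("!4s6sI")
MAGIC = b"CFG1"

def pack(target_mac: bytes, msg_id: int, payload: bytes) -> bytes:
    return HDR.pack(MAGIC, target_mac, msg_id) + payload

def unpack(frame: bytes):  # -> (mac, msg_id, payload) or None for anything that is not ours
    if len(frame) < HDR.size:
        return None
    magic, mac, msg_id = HDR.unpack_from(frame)
    return None if magic != MAGIC else (mac, msg_id, frame[HDR.size:])

class Device:  # hears every broadcast but acts only on frames carrying its own MAC
    def __init__(self, mac: bytes):
        self.mac, self.config = mac, None
    def on_datagram(self, frame: bytes):
        parsed = unpack(frame)
        if parsed is None or parsed[0] != self.mac:
            return None                         # meant for another unit: drop silently
        _, msg_id, payload = parsed
        self.config = payload
        return pack(self.mac, msg_id, b"ACK")   # echo both identifiers for correlation

class Server:  # configuration server; remembers msg_id -> mac for every outstanding request
    def __init__(self):
        self.next_id, self.pending = 1, {}
    def send(self, mac: bytes, payload: bytes) -> bytes:
        msg_id, self.next_id = self.next_id, self.next_id + 1
        self.pending[msg_id] = mac
        return pack(mac, msg_id, payload)
    def on_reply(self, frame: bytes) -> bool:
        parsed = unpack(frame)
        # Every device shares one IP, so the source address proves nothing; accept a reply
        # only when its (msg_id, mac) pair matches a request we actually sent, then retire it.
        if parsed is None or self.pending.get(parsed[1]) != parsed[0]:
            return False
        del self.pending[parsed[1]]
        return parsed[2] == b"ACK"

def run_demo():  # push a distinct config to three constructed MACs over a simulated broadcast
    macs = [bytes([0x02, 0, 0, 0, 0, i]) for i in (1, 2, 3)]
    devices = [Device(m) for m in macs]
    server, acked = Server(), 0
    for mac in macs:
        frame = server.send(mac, b"hostname=unit-%02x" % mac[-1])
        replies = [r for r in (d.on_datagram(frame) for d in devices) if r]  # every device hears it
        acked += sum(server.on_reply(r) for r in replies)
    return acked, [d.config for d in devices]
```

A stale or replayed reply is rejected because its message ID has already been retired from the pending table.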