RE: Interesting new spam technique - getting a lot more popular.

["Lincoln Dale" <ltd () interlink com au>]

> is it really that hard to make your foudry/extreme/cisco l3 switch vlan
> and subnet??? Is this a education thing or a laziness thing? Is this
> perhaps covered in a 'bcp' (not even an official IETF thing, just a
> hosters bible sort of thing) ?

Subnets aren't exactly good for address space usage.

For Cisco kit, there are numerous nerd knobs that can be deployed that would
seemingly mitigate this spam technique.

In short, IP Source Guard ("stop malicious people from using IP addresses
that weren't assigned to them"), Port Security ("limit # of mac addresses on
a given port to X") and Dynamic ARP Inspection ("discard bogus arp
packets").

Combined with things like Private VLANs (allow different customers to share
the same subnet but restrict them being able to talk/see one another), there
are ways of securing things.

Of course, just like everything its up to folks to deploy them.  Many of
these knobs aren't safe or practical for "default" settings.

I'm sure other vendors have similar features also.

Yes, these have been presented on numerous times within Cisco forums (e.g.
Networkers) as best practice & are typically very well attended.
Not necessarily by the all the folk that need to, I guess. :(


cheers,

lincoln.