Hi,
On Sat, Mar 26, 2011 at 03:51:02PM -0400, ML wrote:
>  If the Host under attack doesn't have a gateway and is dependent on
>  proxy ARP then it would be possible for the CAM to overflow.

That would be such a serious misconfiguration that all ensuing pain
is well-deserved.
Agreeing with Gert on the fact that all pain resulting from proxy-arp is well deserved... only use it if you really know what you're doing (and if you know what you're doing, generally you don't want to use proxy-arp).

With regard to proxy-arp and CAM table overflow: sorry, but I don't see that happening, not if we're still talking about CAM in the sense of "layer 2 forwarding tables".

With proxy-arp enabled, a router will reply to any ARP request for addresses in networks that are reachable from the router (possibly including "default" route). However, the router will reply with its own MAC address; both as L2 source which is relevant for any intermediate switches, and with its MAC in the ARP payload which is relevant to the host that did the ARP request.

No matter how many times the router acts as a proxy (by replying to ARP requests for host addresses on other networks), the router will only use one distinct source MAC for all packets it sends into the VLAN. And only the source MAC in a layer 2 frame is considered when building L2 forwarding tables.


Regards,

Jeroen van Ingen
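The reasoning above (a learning switch builds its L2 table from source MACs only, and a proxy-ARP router uses one source MAC for every reply) as a small simulation. This is an added example, not code from the thread or from any vendor; the switch model, capacity and MAC addresses are constructed for illustration.

```python
from collections import OrderedDict

# Constructed sample MACs (not from the thread).
ROUTER_MAC = "00:00:5e:00:01:01"   # proxy-ARP router
HOST_MAC = "02:00:00:00:00:aa"     # host sending ARP requests
BROADCAST = "ff:ff:ff:ff:ff:ff"

class LearningSwitch:
    """Toy L2 forwarding table (CAM) of fixed capacity, learned from source MACs only."""
    def __init__(self, capacity: int):
        self.capacity = capacity
        self.table = OrderedDict()   # src MAC -> ingress port
        self.overflowed = False

    def forward(self, src_mac: str, dst_mac: str, port: int) -> None:
        # The destination MAC is only looked up, never learned.
        if src_mac in self.table:
            self.table.move_to_end(src_mac)      # refresh aging
            return
        if len(self.table) >= self.capacity:
            self.overflowed = True               # real hardware now floods unknown unicast
            return
        self.table[src_mac] = port

def proxy_arp_reply(target_ip: str) -> dict:
    """Frame the router sends when proxying an ARP request for target_ip.
    Both the L2 source and the ARP sender-MAC field carry the router's own MAC."""
    return {"src_mac": ROUTER_MAC, "dst_mac": HOST_MAC,
            "arp_sender_mac": ROUTER_MAC, "arp_sender_ip": target_ip}

def simulate_proxy_arp(n_addresses: int, capacity: int = 16) -> LearningSwitch:
    """Host ARPs for n_addresses distinct off-subnet IPs; the router proxies every one."""
    sw = LearningSwitch(capacity)
    for i in range(n_addresses):
        sw.forward(HOST_MAC, BROADCAST, port=1)                  # ARP request
        reply = proxy_arp_reply(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}")
        sw.forward(reply["src_mac"], reply["dst_mac"], port=2)   # proxied reply
    return sw

def simulate_distinct_sources(n_frames: int, capacity: int = 16) -> LearningSwitch:
    """Contrast: only frames carrying distinct source MACs grow the table."""
    sw = LearningSwitch(capacity)
    for i in range(n_frames):
        sw.forward(f"02:00:00:00:{(i >> 8) & 255:02x}:{i & 255:02x}", BROADCAST, port=3)
    return sw

if __name__ == "__main__":
    a, b = simulate_proxy_arp(10_000), simulate_distinct_sources(10_000)
    print(len(a.table), a.overflowed)   # 2 False
    print(len(b.table), b.overflowed)   # 16 True
```

Ten thousand proxied replies leave the table with two entries (host and router); the table only fills when ten thousand different source MACs are seen.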

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/