On Tue, May 21, 2002 at 01:23:25PM +0200, Maciej Soltysiak wrote:
> A host on LAN1 spoofs packets using the source address of another host on LAN1
> and sends them to the Internet. This is the scenario I am trying to deal with.
>
> The Cisco router stores the MAC/IP table like arpwatch, by seeing ARP
> replies, so when I spoofed the address, I could not see the spoofed IP/MAC
> pair when I retrieved it once more (yes, over SNMP).
>
> The solution Antony introduced here is what I am looking for.
>
> Ramin, I can not see how a Cisco ACL can help here.
> I can not tell whether the packet was spoofed or not if the spoofed
> address is in the same address range as the source and the router
> interface.
Yes. For the scenario above you cannot use Cisco ACLs to prevent spoofing. You need a MAC<->IP mapping. You're absolutely correct. But as you realized, ARP replies are not the way to go. And besides, someone who can spoof in your LAN so easily can do other stuff too, easily, e.g. tear down the legitimate TCP connections with one (or two) ends in that subnet.

Ramin

> > I need MACs.
> >
> > Maciej
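An added example, not code from this thread or from either poster, showing the kind of check the thread converges on: instead of an ACL (which sees only the IP header and cannot tell two hosts of the same subnet apart), compare the Ethernet source MAC of every IPv4 frame against a known MAC<->IP binding table. The table, the frames and all names below (KNOWN_BINDINGS, build_frame, classify, scan) are constructed for illustration; in practice the bindings would come from arpwatch's database or the router's ARP table retrieved over SNMP, as mentioned above, and the frames from a capture on the LAN1 segment. The check deliberately reads the Ethernet source of the IP frame itself rather than trusting ARP replies, which is the point Ramin makes. Caveat: a host that forges its source MAC as well as its IP defeats this check; it only catches the IP-only spoof the thread describes.

```python
"""Detect LAN-side source-IP spoofing by checking the Ethernet source MAC of
each IPv4 frame against a known MAC<->IP binding table.

Added example; not from the thread. Binding table and frames are constructed.
"""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed binding table for LAN1. Assumption: learned beforehand from
# arpwatch / the router's ARP cache (e.g. via SNMP), NOT from the frames
# being checked, otherwise the spoofer could teach us its own mapping.
KNOWN_BINDINGS = {
    IPv4Address("192.168.1.1"): "00:11:22:33:44:01",   # router interface
    IPv4Address("192.168.1.10"): "00:11:22:33:44:10",  # legitimate host A
    IPv4Address("192.168.1.11"): "00:11:22:33:44:11",  # legitimate host B
}
ROUTER_MAC = KNOWN_BINDINGS[IPv4Address("192.168.1.1")]


def mac_str(raw: bytes) -> str:
    """Render 6 raw bytes as lowercase colon-separated MAC text."""
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build a minimal Ethernet II frame (test input only).

    For IPv4 it carries a 20-byte header with no options; only the fields the
    check reads are meaningful, so the checksum is left at zero.
    """
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ethertype))
    if ethertype != ETHERTYPE_IPV4:
        return eth + b"\x00" * 46          # padded non-IP payload (e.g. ARP)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20, 0, 0, 64, 6, 0,
                         IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return eth + ip_hdr


def parse_frame(frame: bytes):
    """Return (src_mac, src_ip) for an IPv4 frame, or None for anything else."""
    if len(frame) < 14:
        return None
    src_mac = mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if len(ip) < 20 or (ip[0] >> 4) != 4:
        return None
    return src_mac, IPv4Address(ip[12:16])   # IPv4 source address at offset 12


def classify(frame: bytes, bindings=KNOWN_BINDINGS) -> str:
    """Verdict for one frame: 'ok', 'spoofed', 'unknown-ip' or 'skip'.

    'spoofed'    : source IP belongs to a known host but the Ethernet source
                   MAC is a different station (the LAN1 scenario above).
    'unknown-ip' : source IP not in the table; a new host, or a spoof of an
                   address the router's ACL would already reject.
    'skip'       : not an IPv4 frame (ARP etc.), nothing to compare.
    """
    parsed = parse_frame(frame)
    if parsed is None:
        return "skip"
    src_mac, src_ip = parsed
    expected = bindings.get(src_ip)
    if expected is None:
        return "unknown-ip"
    return "ok" if expected == src_mac else "spoofed"


def scan(frames, bindings=KNOWN_BINDINGS):
    """Return [(index, verdict, src_mac, src_ip)] for every frame not 'ok'/'skip'."""
    flagged = []
    for i, frame in enumerate(frames):
        verdict = classify(frame, bindings)
        if verdict in ("spoofed", "unknown-ip"):
            src_mac, src_ip = parse_frame(frame)
            flagged.append((i, verdict, src_mac, str(src_ip)))
    return flagged


# Constructed capture: host A sends legitimately, then forges host B's
# address, then forges an address nobody owns; an ARP frame is interleaved.
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:10", ROUTER_MAC, "192.168.1.10", "198.51.100.7"),
    build_frame("00:11:22:33:44:10", ROUTER_MAC, "192.168.1.11", "198.51.100.7"),
    build_frame("00:11:22:33:44:10", ROUTER_MAC, "0.0.0.0", "0.0.0.0", ETHERTYPE_ARP),
    build_frame("00:11:22:33:44:10", ROUTER_MAC, "192.168.1.200", "198.51.100.7"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FRAMES):
        print("frame %d: %s (src MAC %s claims IP %s)" % hit)
```

The binding table must be collected out of band (arpwatch's history or the router's ARP cache over SNMP) before the spoofing starts; if it is rebuilt from the very frames being inspected, the spoofer's MAC simply becomes the "known" owner of the stolen address. Running the script on the constructed capture flags frame 1 as spoofed (host A's MAC using host B's IP) and frame 3 as an unknown source.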
