How to prevent/mitigate IP-spoofing of a VRRP-gateway

Question
Can we prevent or mitigate IP-spoofing of a VRRP-gateway?
Environment
  • VOSS
  • VSP 9000
Answer

You can prevent VLAN logical IP spoofing by blocking the external use of the device IP address. 
A configurable option is provided, for each port, which detects a duplicate IP address (that is, an address that is the same as the device VLAN IP address) and blocks all packets with a source or destination address equal to that address.

If an ARP packet is received that has the same source IP address as the logical VLAN IP address of the receiving port, all traffic coming to that port (with this MAC address as source/destination address) is discarded by the hardware. After detecting a duplicate IP address, the device sends a gratuitous ARP packet to inform devices on the VLAN about the correct MAC address for that IP address. You can specify a time on a configurable global timer after which the MAC discard record is deleted, and the device resumes accepting packets from that MAC address.

If you use Split MultiLink Trunking (SMLT), you must configure this option on both SMLT aggregation devices to avoid connectivity issues.

Important: After you enable the IP spoofing feature, you must restart the device.
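
The detection behaviour described above, modelled as a small Python state machine. This is an added example, not vendor code or device configuration. The class and method names, the addresses, the 30-second timer value, and the choice to drop the triggering ARP without refreshing the timer on later packets are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample values (documentation address ranges), not from the article.
GW_IP, GW_MAC = "192.0.2.1", "00:00:5e:00:53:01"
HOST_MAC, ROGUE_MAC = "00:00:5e:00:53:10", "00:00:5e:00:53:66"

@dataclass
class SpoofDetectPort:
    """Hypothetical model of one port with duplicate-IP detection enabled."""
    vlan_ip: str          # logical VLAN IP address of the receiving port
    own_mac: str          # the device's own MAC address for that IP
    hold_seconds: float   # global timer after which a discard record is deleted
    discard: dict = field(default_factory=dict)    # offending MAC -> expiry time
    garp_sent: list = field(default_factory=list)  # (time, ip, mac) announcements

    def _expire(self, now):
        # Delete discard records whose timer has run out.
        self.discard = {m: t for m, t in self.discard.items() if now < t}

    def on_arp(self, now, src_ip, src_mac):
        """Process a received ARP packet and return the action taken."""
        self._expire(now)
        if src_mac in self.discard:
            return "drop"
        if src_ip == self.vlan_ip and src_mac != self.own_mac:
            # Duplicate of the VLAN IP: record the MAC, then announce the
            # correct IP-to-MAC binding with a gratuitous ARP.
            self.discard[src_mac] = now + self.hold_seconds
            self.garp_sent.append((now, self.vlan_ip, self.own_mac))
            return "drop+garp"
        return "accept"

    def on_frame(self, now, src_mac, dst_mac):
        """Traffic with a recorded MAC as source or destination is discarded."""
        self._expire(now)
        blocked = src_mac in self.discard or dst_mac in self.discard
        return "drop" if blocked else "accept"

def demo():
    """Replay a constructed sequence of events against one port."""
    port = SpoofDetectPort(GW_IP, GW_MAC, hold_seconds=30)
    actions = [
        port.on_arp(0, "192.0.2.10", HOST_MAC),   # ordinary host ARP
        port.on_arp(5, GW_IP, ROGUE_MAC),         # ARP claiming the VLAN IP
        port.on_frame(6, ROGUE_MAC, GW_MAC),      # traffic from the recorded MAC
        port.on_frame(7, HOST_MAC, GW_MAC),       # other hosts are unaffected
        port.on_frame(40, ROGUE_MAC, GW_MAC),     # record deleted after the timer
    ]
    return actions, port.garp_sent
```

The last event shows why the timer value matters: once the record is deleted, the same MAC is accepted again until it sends another ARP that claims the VLAN IP.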
