Many switches today can protect the core Layer 3 gateway against ARP attacks, but they are much less effective at stopping attacks between hosts inside a VLAN. For attacks within a VLAN, I think a VLAN ACL (VACL) is the better defence, and security can be improved considerably.
Our company's switching equipment is Omni, but the security side should have the corresponding configuration as well. As a simple demonstration, without going into detail, port 3/12 (inactive by default, an unused port) is used for the demo:
6602-sha-15f> port-security 3/12 Enable
6602-sha-15f> port-security 3/12 Maximum 10
6602-sha-15f> port-security 3/12 violation?
^
SHUTDOWN RESTRICT
Cisco-specific scenario:
In an all-Cisco switched network, the IP and MAC address of every device can be bound statically, but that is laborious; it can be solved more conveniently with Cisco's Dynamic ARP Inspection mechanism. (Note: when combined with port-security, the port must be an access port.)
Prevention method:
Cisco Dynamic ARP Inspection (DAI) maintains IP-to-MAC address bindings on the switch and builds that binding relationship dynamically. DAI relies on the DHCP snooping binding table; for individual machines that do not use DHCP, static bindings can be added with an ARP access list. DAI is configured per VLAN and can be turned off on individual interfaces within that VLAN (trusted ports). DAI can also limit the number of ARP request messages a port may send. So I think this configuration can solve the ARP attack problem and improve network security and stability.
Configuration:
IOS Global Command:
ip dhcp snooping vlan 100,200,300,400
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,200,300,400
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
IOS interface Command:
ip dhcp snooping trust
ip arp inspection trust
ip arp inspection limit rate 15
For devices that do not use DHCP, the following method can be used:
arp access-list static-arp
 permit ip host 202.65.3.42 mac host 0012.3f82.1b22
ip arp inspection filter static-arp vlan 201
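As an added example (not from the article and not Cisco's own tooling), the following Python script builds the static ARP access list and the VLAN filter command from an inventory of hosts that do not use DHCP. The first host, the list name static-arp and VLAN 201 are taken from the command lines above; the other two hosts and their MAC notations are constructed to show the normalisation to IOS dotted form and the check against an IP listed with two different MACs.

```python
import ipaddress
import re

# Constructed inventory of hosts that do not use DHCP (hypothetical addresses;
# the first entry is the one from the article's example).
STATIC_HOSTS = [
    {"ip": "202.65.3.42", "mac": "0012.3f82.1b22"},     # Cisco dotted form
    {"ip": "202.65.3.43", "mac": "00:12:3f:82:1b:23"},  # colon form (Linux "ip link")
    {"ip": "202.65.3.44", "mac": "00-12-3F-82-1B-24"},  # dash form (Windows "ipconfig")
]


def to_cisco_mac(mac: str) -> str:
    """Normalise any common MAC notation to IOS dotted form (xxxx.xxxx.xxxx)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def build_static_arp_acl(hosts, acl_name="static-arp", vlans=(201,)) -> str:
    """Return the IOS lines for the ARP ACL plus the 'ip arp inspection filter' command.

    Each host gets one 'permit ip host <ip> mac host <mac>' entry; an ARP packet
    from such a host whose sender IP/MAC pair does not match is dropped by DAI.
    An IP that appears with two different MACs is rejected, because the second
    entry would legitimise exactly the spoofed binding DAI is meant to block.
    """
    lines = [f"arp access-list {acl_name}"]
    ip_to_mac = {}
    for host in hosts:
        ip = str(ipaddress.IPv4Address(host["ip"]))  # raises ValueError on bad input
        mac = to_cisco_mac(host["mac"])
        if ip in ip_to_mac:
            if ip_to_mac[ip] != mac:
                raise ValueError(f"IP {ip} listed with two different MACs")
            continue  # exact duplicate entry, emit it only once
        ip_to_mac[ip] = mac
        lines.append(f" permit ip host {ip} mac host {mac}")
    vlan_list = ",".join(str(v) for v in vlans)
    lines.append(f"ip arp inspection filter {acl_name} vlan {vlan_list}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_static_arp_acl(STATIC_HOSTS))
```

Generating the list from an inventory rather than typing it keeps the static bindings reviewable in one place; any host added to the inventory with a wrong MAC will simply have its ARP packets denied by DAI, which shows up in the log messages discussed further down.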
Effect after DAI is configured:
Because DAI checks the IP-to-MAC correspondence against the DHCP snooping binding table, a man-in-the-middle attack cannot be carried out and the attack tool fails. The following output shows the switch warning produced when a man-in-the-middle attack is attempted:
3w0d:%sw_dai-4-dhcp_snooping_deny:1 Invalid ARPs (Req) on FA5/16, VLAN 1.
([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2
Because ARP request messages are rate-limited, a client cannot carry out IP scanning or the probing performed by viruses; if such behaviour occurs, the switch immediately raises an alarm or directly cuts off the scanning machine, as shown in the following output:
3w0d:%sw_dai-4-packet_rate_exceeded:16 packets received in 184 milliseconds on Fa5/30. (alarm)
3w0d:%pm-4-err_disable:arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state (the port is cut off)
4500-1#sh int F 5/30
FastEthernet5/30 is down, line protocol is down (err-disabled)
Hardware is Fast Ethernet Port, address is 0002.b90e.3f4d (bia 0002.b90e.3f4d)
MTU 1500 bytes, BW 100000 kbit, DLY-usec,
Reliability 255/255, Txload 1/255, Rxload 1/255
4500-1#
Once a user has obtained an IP address, the user can change neither the IP nor the MAC; if the user changes both at the same time, they must be a legitimate IP and MAC from inside the network. That kind of modification can be guarded against with the IP Source Guard technology mentioned below. The following output shows the alert produced when an IP address is assigned manually:
3w0d:%sw_dai-4-dhcp_snooping_deny:1 Invalid ARPs (Req) on FA5/30, VLAN 1.
([000d.6078.2d95/192.168.1.100/0000.0000.0000/192.168.1.100/01:52:28 UTC Fri
DEC 29 2000])
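The three message types shown above (DHCP_SNOOPING_DENY, PACKET_RATE_EXCEEDED and ERR_DISABLE) are what an operator has to work from, so an added example (not part of the article) parses them into a per-port summary: how many ARPs were denied and from which sender MAC, whether the observed ARP rate exceeded the 15 pps limit configured earlier, and whether the port ended up err-disabled. The sample log excerpt is constructed after the article's messages, with the message names in the upper case IOS normally emits; the parser matches case-insensitively so the lower-case form in the article parses too.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog excerpt modelled on the three message types in the
# article; the last line is an unrelated message the parser must ignore.
SAMPLE_LOG = """\
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2/01:52:28 UTC Fri Dec 29 2000])
3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.
3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30, vlan 1.([000d.6078.2d95/192.168.1.100/0000.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000])
3w0d: %LINK-3-UPDOWN: Interface FastEthernet5/30, changed state to down
"""

# The bracketed field of a deny message is sender-MAC/sender-IP/target-MAC/target-IP/time.
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY:\s*(?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>[^,\s]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/", re.I)
RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED:\s*(?P<count>\d+) packets received in "
    r"(?P<ms>\d+) milliseconds on (?P<port>[^.\s]+)", re.I)
ERRDIS_RE = re.compile(
    r"%PM-4-ERR_DISABLE:\s*(?P<cause>[\w-]+) error detected on (?P<port>[^,\s]+)", re.I)


@dataclass
class DaiEvent:
    kind: str                      # "deny", "rate" or "errdisable"
    port: str
    vlan: Optional[int] = None
    sender_mac: Optional[str] = None
    sender_ip: Optional[str] = None
    target_ip: Optional[str] = None
    count: int = 0                 # denied ARPs, or packets seen in the rate window
    window_ms: Optional[int] = None


def parse_line(line: str) -> Optional[DaiEvent]:
    """Map one syslog line to a DaiEvent, or None for messages DAI did not produce."""
    if m := DENY_RE.search(line):
        return DaiEvent("deny", m["port"], int(m["vlan"]), m["smac"].lower(),
                        m["sip"], m["tip"], int(m["count"]))
    if m := RATE_RE.search(line):
        return DaiEvent("rate", m["port"], count=int(m["count"]), window_ms=int(m["ms"]))
    if m := ERRDIS_RE.search(line):
        return DaiEvent("errdisable", m["port"])
    return None


def parse_dai_log(text: str) -> list:
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def observed_pps(ev: DaiEvent) -> float:
    """ARP packets per second implied by a PACKET_RATE_EXCEEDED message."""
    return ev.count * 1000.0 / ev.window_ms


def summarize(events, limit_pps: int = 15) -> dict:
    """Per-port view for the operator. A denied request whose sender and target
    IP are equal is the host announcing an address it set by hand (the article's
    last example), so it is counted separately from requests aimed at another host."""
    summary = {}
    for ev in events:
        s = summary.setdefault(ev.port, {
            "denied": 0, "self_announce": 0, "rate_hits": 0, "max_pps": 0.0,
            "err_disabled": False, "sender_macs": set()})
        if ev.kind == "deny":
            s["denied"] += ev.count
            s["sender_macs"].add(ev.sender_mac)
            if ev.sender_ip == ev.target_ip:
                s["self_announce"] += ev.count
        elif ev.kind == "rate":
            pps = observed_pps(ev)
            s["max_pps"] = max(s["max_pps"], pps)
            if pps > limit_pps:
                s["rate_hits"] += 1
        elif ev.kind == "errdisable":
            s["err_disabled"] = True
    return summary


if __name__ == "__main__":
    for port, facts in summarize(parse_dai_log(SAMPLE_LOG)).items():
        print(port, facts)
```

The 16 packets in 184 ms from the article's rate message work out to roughly 87 ARP packets per second, far above the 15 pps limit set on the interface, which is why the port was err-disabled rather than merely logged; the summary makes that relationship visible per port instead of leaving it spread across separate syslog lines.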
DAI is supported on platforms from the 3560 upward; IP Source Guard seems to work only on the 4500 and above.