Cisco switches prevent ARP attacks within a VLAN

Source: Internet
Author: User

Many switches can protect the gateway against ARP attacks at the core layer, but they cannot effectively stop ARP attacks between hosts inside the same VLAN. Using a VACL within the VLAN is one way to block such attacks and improve security.

The company's own switching equipment is OMNI, but the equivalent security settings are shown below as a simple demonstration.

Unused ports are left inactive by default; the example below is port 3/12 in VLAN 100:

6602-SHA-15F> port-security 3/12 enable
6602-SHA-15F> port-security 3/12 maximum 10
6602-SHA-15F> port-security 3/12 violation ?
                                          ^
                                 SHUTDOWN RESTRICT


Cisco-specific solution:

In an all-Cisco switched network you could statically bind the IP address and MAC address of every device, but that is laborious to maintain; Cisco Dynamic ARP Inspection (DAI) solves the same problem dynamically. (Note: port-security must be configured on an access port.)

Defense methods:

Cisco Dynamic ARP Inspection (DAI) binds IP addresses to MAC addresses on the switch and builds the binding relationship dynamically: DAI validates ARP packets against the DHCP snooping binding table, so DHCP snooping must be enabled first. For servers that do not use DHCP, a static ARP access-list can be used. DAI is configured per VLAN; within a VLAN, each interface is either trusted (uplinks and ports facing the DHCP server; ARP is not inspected) or untrusted (access ports; every ARP packet is validated). DAI can also rate-limit ARP packets on a port. This configuration therefore addresses ARP spoofing inside a VLAN and improves network security and stability.

Configuration:

IOS global commands:

ip dhcp snooping vlan 100,200,300,400
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,200,300,400
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10

(no ip dhcp snooping information option stops the switch from inserting DHCP option 82 into client requests, which some DHCP servers reject.)


IOS interface commands:

On uplinks and ports facing the DHCP server (trusted):

ip dhcp snooping trust
ip arp inspection trust

On user-facing access ports (untrusted):

ip arp inspection limit rate 15

Untrusted ports are already limited to 15 ARP packets per second by default; trusted ports are unlimited.


If hosts do not use DHCP (so no binding is ever learned), use a static ARP ACL instead:

arp access-list static-arp
 permit ip host 202.65.3.42 mac host 0012.3F82.1B22
ip arp inspection filter static-arp vlan 201

Without the optional static keyword at the end of the filter command, an ARP packet that matches no ACL entry is still checked against the DHCP snooping bindings; with it, the ACL's implicit deny is final and such packets are dropped.
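To make the decision order concrete, here is a small Python model of the DAI checks described above (an added example written for this page, not Cisco code or the original author's): trusted ports and non-DAI VLANs pass unchecked, untrusted ports are rate-limited and err-disabled when the limit is exceeded, an ARP ACL is consulted before the DHCP snooping bindings, and the static keyword on ip arp inspection filter turns a non-match into a drop instead of falling through to the bindings. All MAC/IP pairs, port names and timings are constructed sample data, reusing the addresses that appear in this page's own config and log lines.

```python
"""Simplified model of the Cisco Dynamic ARP Inspection (DAI) decision path.

Added illustration, not Cisco code. On an untrusted port DAI enforces the
per-port rate limit, then consults an optional ARP ACL (whose implicit deny
becomes a drop with the "static" keyword), then the DHCP snooping binding
table; trusted ports and VLANs without DAI are not checked. All hosts,
ports, bindings and timings below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    ts: float                       # arrival time in seconds


@dataclass
class PortState:
    trusted: bool = False           # "ip arp inspection trust"
    rate_limit: int = 15            # "ip arp inspection limit rate 15" (packets per second)
    err_disabled: bool = False
    arrivals: deque = field(default_factory=deque)


class Dai:
    def __init__(self, vlans, bindings, acl=(), acl_static=False):
        self.vlans = set(vlans)                           # "ip arp inspection vlan ..."
        self.bindings = {k: v.lower() for k, v in bindings.items()}   # (vlan, ip) -> mac
        self.acl = [(a, ip, m.lower()) for a, ip, m in acl]           # (action, ip, mac)
        self.acl_static = acl_static                      # "ip arp inspection filter ... static"
        self.ports, self.log = {}, []

    def port(self, name):
        return self.ports.setdefault(name, PortState())

    def _rate_exceeded(self, p, name, ts):
        p.arrivals.append(ts)
        while ts - p.arrivals[0] >= 1.0:                  # sliding one-second window
            p.arrivals.popleft()
        if len(p.arrivals) <= p.rate_limit:
            return False
        p.err_disabled = True                             # the whole port is shut down, not just the packet
        span_ms = int((ts - p.arrivals[0]) * 1000)
        self.log.append(f"%SW_DAI-4-PACKET_RATE_EXCEEDED: {len(p.arrivals)} packets received in {span_ms} milliseconds on {name}.")
        self.log.append(f"%PM-4-ERR_DISABLE: arp-inspection error detected on {name}, putting {name} in err-disable state")
        return True

    def inspect(self, pkt):
        """Return 'forward', 'drop' or 'err-disabled' for one ARP packet."""
        p = self.port(pkt.port)
        if p.err_disabled:
            return "err-disabled"
        if pkt.vlan not in self.vlans or p.trusted:
            return "forward"                              # not inspected
        if self._rate_exceeded(p, pkt.port, pkt.ts):
            return "err-disabled"
        mac = pkt.sender_mac.lower()
        for action, ip, acl_mac in self.acl:              # ARP ACL is consulted first
            if ip == pkt.sender_ip and acl_mac == mac:
                return "forward" if action == "permit" else "drop"
        if self.acl and self.acl_static:                  # implicit deny is final
            return "drop"
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) == mac:
            return "forward"
        self.log.append(f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on {pkt.port}, vlan {pkt.vlan}.([{mac}/{pkt.sender_ip}/0000.0000.0000/-/-])")
        return "drop"


def demo():
    """Constructed scenario mirroring the page's log lines; returns verdicts and log."""
    dai = Dai(vlans=[1, 201],
              bindings={(1, "192.168.1.100"): "000d.6078.2d95", (1, "192.168.1.50"): "0002.b90e.3f4d"},
              acl=[("permit", "202.65.3.42", "0012.3F82.1B22")])
    dai.port("Gi1/1").trusted = True                      # uplink / DHCP server port
    v = {}
    v["dhcp_client"] = dai.inspect(ArpPacket("Fa5/30", 1, "000d.6078.2d95", "192.168.1.100", 0.0))   # leased pair
    v["mitm"] = dai.inspect(ArpPacket("Fa5/16", 1, "000b.db1d.6ccd", "192.168.1.200", 0.0))          # never leased
    v["uplink"] = dai.inspect(ArpPacket("Gi1/1", 1, "000b.db1d.6ccd", "192.168.1.200", 0.0))         # trusted: not checked
    v["static_server"] = dai.inspect(ArpPacket("Fa5/1", 201, "0012.3F82.1B22", "202.65.3.42", 0.0))  # allowed by ARP ACL
    v["manual_ip"] = dai.inspect(ArpPacket("Fa5/30", 1, "000d.6078.2d95", "192.168.1.101", 0.5))     # IP changed by hand
    # ARP scanner: 16 otherwise valid requests within 184 ms on one port.
    scan = [dai.inspect(ArpPacket("Fa5/31", 1, "0002.b90e.3f4d", "192.168.1.50", i * 0.184 / 15)) for i in range(16)]
    v["scan_last"], v["scan_port_disabled"] = scan[-1], dai.port("Fa5/31").err_disabled
    return v, dai.log


def static_keyword_demo():
    """With "ip arp inspection filter ... static" an ARP that matches no ACL clause
    is dropped even though the DHCP snooping table would have allowed it."""
    bindings = {(201, "10.0.0.7"): "0011.2233.4455"}
    acl = [("permit", "202.65.3.42", "0012.3F82.1B22")]
    pkt = ArpPacket("Fa5/2", 201, "0011.2233.4455", "10.0.0.7", 0.0)
    return Dai([201], bindings, acl).inspect(pkt), Dai([201], bindings, acl, acl_static=True).inspect(pkt)
```

Running demo() forwards the legitimate DHCP client and the ACL-permitted server, drops the two unbound pairs (each producing a DHCP_SNOOPING_DENY line), leaves the trusted uplink uninspected, and err-disables the scanning port on its 16th packet; static_keyword_demo() returns ("forward", "drop") for the same packet with and without the static keyword.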


Effect after DAI Configuration:

Because DAI checks the IP-to-MAC relationship of every ARP packet against the DHCP snooping binding table, a man-in-the-middle attack launched from an untrusted port cannot succeed and the attack tool stops working. The switch logs the following when such an ARP is dropped (the bracketed fields are sender MAC / sender IP / target MAC / target IP / timestamp):

3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2 


Because ARP requests are rate-limited, a client cannot scan or probe IP addresses the way scanning tools and worms do. When the limit is exceeded, the switch immediately logs an alarm and err-disables the offending port, as shown below. The port stays err-disabled until an administrator bounces it (shutdown / no shutdown) unless errdisable recovery cause arp-inspection is configured.

3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.   * alarm
3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state   ***** port cut off

4500-1# sh int f 5/30
FastEthernet5/30 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet Port, address is 0002.b90e.3f4d (bia 0002.b90e.3f4d)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
4500-1#


Once a user has obtained an IP address from DHCP, the user cannot change the IP address or MAC address: an ARP packet carrying a pair that is not in the binding table is dropped. If the user changes both the IP address and the MAC address at once, the pair must be a valid one somewhere in the network to get past DAI; IP Source Guard, which filters IP traffic (not only ARP) per port against the same bindings, can be used to prevent such changes. The switch logs the following when a host with a manually configured address sends a gratuitous ARP (sender and target IP are the same):

3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30, vlan 1.([000d.6078.2d95/192.168.1.100/0000.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000 ])
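As an added example (not part of the original page), the following Python parses the three message types shown above and sorts denied ARPs by what the sender was attempting: claiming the gateway's IP (classic man-in-the-middle), announcing a hand-set address via gratuitous ARP (sender IP equals target IP), or probing other hosts with an unbound pair. The sample lines are constructed from the ones on this page plus one invented gateway-impersonation message and one unrelated link message; the gateway address passed to triage() is an assumption.

```python
"""Parser and triage for the DAI syslog messages shown above.

Added example, not part of the original page. The bracketed part of a
%SW_DAI-4-DHCP_SNOOPING_DENY message is sender MAC / sender IP / target MAC /
target IP / timestamp. SAMPLE_LOG is constructed from the lines on this page
plus one invented gateway-impersonation line; the gateway address passed to
triage() is an assumption for the example.
"""
import re
from collections import Counter

DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/"
    r"(?P<ts>[^\]]*?)\s*\]\)")
RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<count>\d+) packets received in "
    r"(?P<ms>\d+) milliseconds on (?P<port>\S+?)\.?$")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<port>\S+),")

# Constructed sample, modelled on the messages quoted on this page.
SAMPLE_LOG = [
    "3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2/01:52:28 UTC Fri Dec 29 2000 ])",
    "3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.1/000d.6078.2d95/192.168.1.100/01:52:29 UTC Fri Dec 29 2000 ])",
    "3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/30, vlan 1.([000d.6078.2d95/192.168.1.100/0000.0000.0000/192.168.1.100/01:52:28 UTC Fri Dec 29 2000 ])",
    "3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.",
    "3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state",
    "3w0d: %LINK-3-UPDOWN: Interface FastEthernet5/30, changed state to down",   # unrelated, ignored
]


def parse_line(line):
    """Return a dict describing one DAI-related syslog line, or None if it is not one."""
    line = line.strip()
    m = DENY_RE.search(line)
    if m:
        d = m.groupdict()
        d.update(event="deny", count=int(d["count"]), vlan=int(d["vlan"]))
        return d
    m = RATE_RE.search(line)
    if m:
        return {"event": "rate_exceeded", "port": m["port"], "count": int(m["count"]), "ms": int(m["ms"])}
    m = ERRDIS_RE.search(line)
    if m:
        return {"event": "err_disable", "port": m["port"]}
    return None


def triage(lines, gateway_ip):
    """Group denied ARPs by what the sender was trying to do."""
    summary = {"gateway_impersonation": [], "gratuitous": [], "spoof": [],
               "rate_exceeded": Counter(), "err_disabled": set(), "deny_by_port": Counter()}
    for e in filter(None, map(parse_line, lines)):
        if e["event"] == "err_disable":
            summary["err_disabled"].add(e["port"])
        elif e["event"] == "rate_exceeded":
            summary["rate_exceeded"][e["port"]] += 1
        elif e["event"] == "deny":
            summary["deny_by_port"][e["port"]] += e["count"]
            key = (e["port"], e["smac"], e["sip"], e["tip"])
            if e["sip"] == gateway_ip:          # sender claims to be the gateway: classic MITM
                summary["gateway_impersonation"].append(key)
            elif e["sip"] == e["tip"]:          # gratuitous ARP: host announcing a hand-set address
                summary["gratuitous"].append(key[:3])
            else:                               # unknown pair probing another host
                summary["spoof"].append(key)
    return summary
```

On the sample, triage(SAMPLE_LOG, "192.168.1.1") reports Fa5/16 both probing 192.168.1.2 with an unbound pair and answering for the gateway address, Fa5/30 announcing a hand-set 192.168.1.100, and Fa5/30 err-disabled after the rate limit; the port with the most denies is the first one to visit.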


DAI is supported on the Catalyst 3560 and above; at the time of writing, IP Source Guard appeared to be available only on the Catalyst 4500.

