Switches, Hubs, and Modems
Prevent mac/ip spoofing using 2824

SOLVED
Arno L
Occasional Advisor

Prevent mac/ip spoofing using 2824

Hi,

Following Situation:
Network with ~350 users, connected to two 2824 switches. Between 5 and 13 users are using one port.

Problem:
The network is at a dormitory, and the users cannot be trusted. Especially things like "stealing" IP-Addresses or faking Mac-Addresses should be prevented.

Now, using our old Cisco switch, using "sticky" mac-addresses, we could be sure that User A, connected to port 1 could not steal User B's Mac-Address (connected to port 2). In combination with 'arpwatch' we were able to easily track down IP thieves and prevent Mac-Spoofing.

Now, using the 2824 I wasn't able to find something similar.

"configured" or "static" port-security would be too much work with the heavy PC fluctuation in the dormitory.

ip-lockdown should prevent IP-Spoofing, but referring to the manual you have to use the same subnet mask on each port, which is not possible with our /23 IP-Range.

Last choice would be some kind of history ("mac-address X was connected to Port N at $DATE"), but I couldn't find how to log that kind of event with the 2824. The only thing I found would be to read the actual Mac-table using snmp and parse that with some kind of bash-script (ugly!).

Does any of you have some idea how to prevent mac/ip spoofing or at least, how to reliably track down a mac/ip thief?

Thanks, Arno
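The SNMP-polling workaround mentioned in the post, written out as an added example (not code from the thread): it parses snmpwalk output of the BRIDGE-MIB dot1dTpFdbAddress/dot1dTpFdbPort columns, joins them into a MAC-to-port table, and diffs two polls so that each new binding is logged as "$DATE: MAC X connected to port Y" and a MAC that reappears on a different port raises an alert. The snmpwalk output format and the sample walks are constructed, and the bridge port numbers are assumed to equal the switch port numbers.

```python
# Added example: MAC/port history by polling the switch's forwarding table over SNMP.
import re
from datetime import datetime

# Constructed samples of two walks of 1.3.6.1.2.1.17.4.3.1.{1,2} a few minutes apart
# (assumed `snmpwalk -v2c -c <community> <switch> <oid>` text output).
WALK_T0 = """\
iso.3.6.1.2.1.17.4.3.1.1.0.17.34.51.68.85 = Hex-STRING: 00 11 22 33 44 55
iso.3.6.1.2.1.17.4.3.1.1.0.17.34.51.68.86 = Hex-STRING: 00 11 22 33 44 56
iso.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 1
iso.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 2
"""
WALK_T1 = """\
iso.3.6.1.2.1.17.4.3.1.1.0.17.34.51.68.85 = Hex-STRING: 00 11 22 33 44 55
iso.3.6.1.2.1.17.4.3.1.1.0.17.34.51.68.86 = Hex-STRING: 00 11 22 33 44 56
iso.3.6.1.2.1.17.4.3.1.1.0.170.187.204.221.238 = Hex-STRING: 00 AA BB CC DD EE
iso.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 1
iso.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 7
iso.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.238 = INTEGER: 2
"""
# col 1 = dot1dTpFdbAddress, col 2 = dot1dTpFdbPort; idx = the MAC as six decimal octets.
LINE_RE = re.compile(r"^\S*?17\.4\.3\.1\.(?P<col>[12])\.(?P<idx>[\d.]+) = \S+: (?P<val>.*)$")

def parse_fdb(walk_output):
    """Return {mac: bridge_port} by joining the address and port columns on the table index."""
    macs, ports = {}, {}
    for line in walk_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["col"] == "1":
            macs[m["idx"]] = m["val"].strip().replace(" ", ":").lower()
        else:
            ports[m["idx"]] = int(m["val"])
    return {macs[i]: ports[i] for i in macs if i in ports}

def diff_bindings(previous, current, when):
    """History lines for new MACs; a MAC changing port is the spoofing/theft indicator."""
    events = []
    for mac, port in sorted(current.items()):
        old = previous.get(mac)
        if old is None:
            events.append(f"{when}: MAC {mac} connected to port {port}")
        elif old != port:
            events.append(f"{when}: ALERT MAC {mac} moved from port {old} to port {port}")
    return events

if __name__ == "__main__":
    now = datetime.now().isoformat(timespec="seconds")
    for line in diff_bindings(parse_fdb(WALK_T0), parse_fdb(WALK_T1), now):
        print(line)
```

Run from cron with the previous table persisted to disk; the MAC-to-port table ages out quickly on the switch, so the poll interval must be shorter than the switch's MAC age time to avoid missing short sessions.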
12 REPLIES
Mohieddin Kharnoub
Honored Contributor

Re: Prevent mac/ip spoofing using 2824

Hi

Similar to Cisco's sticky mac-address, you can do here either Port-Security or MAC Lockdown, and probably the last one is the suitable one for your case, but too much headache.
Read in this:
ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap09-Port_Security.pdf
Page 17

You can do more advanced one using 802.1x integration with RADIUS server and with MAC authentication and Dynamic Vlan assignment as well.

Good Luck !!!

Science for Everyone
Arno L
Occasional Advisor

Re: Prevent mac/ip spoofing using 2824

Hi,

Thanks for the reply, but there are two problems using mac-lockdown.

1) New Mac-Addresses aren't assigned automatically. With 350 users and many new users moving in each month, others leaving,... it would be very time-consuming to initially lock down each mac-address manually.

2) "There is a limit of 500 MAC Lockdowns that you can safely code per switch."
With 350 active users we would not only have to add new mac-addresses, but we would also have to keep track of outdated addresses and keep removing them.

I've also considered RADIUS authentication. As a last choice, we would implement this, but then I would prefer the web-based "port-access" authentication. That way we could track down users without relying on mac/ip addresses.

I think there's really no "easy" solution for this. The 2824 has some great features like "ip-lockdown" but sadly they seem to be not flexible enough for our needs.
Sietze Reitsma
Respected Contributor

Re: Prevent mac/ip spoofing using 2824

Arno,

Try this.

port-security 1 address-limit 13 learn-mode limited-continuous

If you type 'help' after this command you will find the complete explanation.

You can also use the 'filter' command, which forwards all traffic from a client port towards the uplink port.

Hopefully it helps. If so please provide me the right points :-)

Cheers
Arno L
Occasional Advisor

Re: Prevent mac/ip spoofing using 2824

Hi Sietze,

as mentioned above, it's a dormitory. Some people in there "don't use internet at all", some switch on their computer every 2 or 3 months, some people move out again after 2 weeks (but do use the internet access).
Then, again, there's normally only 1 or 2 weeks between someone moving out, and someone else moving into that room again.
Therefore we couldn't use the "age out" feature, and, again, had to delete outdated mac-addresses manually.

A mac-lockdown with learn-mode "limited continuous" and an age-time would be perfect, but it seems as if HP forgot about that.

Arno
Sietze Reitsma
Respected Contributor

Re: Prevent mac/ip spoofing using 2824

According to my knowledge 'limited continuous' should work as stated, so old addresses should age out:

If 'limited-continuous' is specified, the first 'address-limit' source MAC addresses heard on this port become the authorized addresses. When new authorized addresses are learned, they are stored in a table. When the table has reached its 'address-limit', any new source MAC addresses received on the port constitute an intrusion. The authorized addresses in this mode will age out of the system, therefore the list of authorized addresses can be dynamic over time.

Please let me know if the test works.
Arno L
Occasional Advisor

Re: Prevent mac/ip spoofing using 2824

Yes, of course it works "as stated", but it doesn't really solve my problem.

The number of actively used computers on a floor is changing. Let's say there are 13 rooms on one floor. But only 10 people actually use their network connection. This way, one user could actually steal 3 mac addresses from other floors.

And I cannot set the address limit down to 10 because maybe the next day the 11th person switches on his computer. As mentioned before, some people don't use their PC for a couple of months. Then their mac address would age out for sure.

On the other hand, let's say on another floor all 13 people are using the network. Now someone moves out, and 2 days later someone new moves in again.
Then his PC would cause an alert, and we had to search for the old mac address again.

So after what time should a mac address age out?

And what happens if a mac ages out? As soon as an address has aged out, someone on that port can steal/forge someone else's address again.

A "lockdown-mac" with age-out would really be the best solution.
Or, at least, the 2824 should be able to generate log messages like
"$DATE: Mac-Address X connected to port Y"

Fortunately I didn't order those 2824, so it isn't my fault if they lack important features.
Unfortunately I'm the guy who's supposed to find a workaround.

Arno
Sietze Reitsma
Respected Contributor

Re: Prevent mac/ip spoofing using 2824

Ok, in that case authentication (802.1x, MAC or web auth) could solve your problem.

Can port filtering solve your problem?

I know that arp protection is done on some other switches like the 5300/3500/5400 series.

If this is not helping you, I'm out of ideas.
Arno L
Occasional Advisor

Re: Prevent mac/ip spoofing using 2824

Hm...

I just played with "ip-lockdown" again even though the manual states "The same subnet mask must be used for all ports within an 8 port block".
However using the latest firmware "ip-lockdown help" says:
"Multiple IP address and subnet pairs may be configured for a given port."

But somehow it isn't working:
switch# configure
switch(config)# interface 18
switch(eth-18)# ip-lockdown 192.168.0.1 255.255.255.255
switch(eth-18)# exit
switch(config)# write memory
switch(config)# show ip
ip
ip-lockdown
switch(config)# show ip-lockdown 18

IP Lockdown
Port IP address Subnet

switch(config)# show ip-lockdown

IP Lockdown
Port IP address Subnet

switch(config)#

Do you know why I couldn't add that IP-Address?

Thank you for your help,

Arno
Mohieddin Kharnoub
Honored Contributor

Re: Prevent mac/ip spoofing using 2824

Hi

I don't see how ip-lockdown will help you Arno, but anyway, maybe you misunderstand the rules.

You should use the same subnet within an 8 ports block, so if you configured say port 1 with a /23 subnet, then ports 1-8 should be configured with the same subnet /23.

But again, how can it help you, it will only restrict users to use a predefined subnet, or predefined address.

Good Luck !!!


Science for Everyone
Arno L
Occasional Advisor

Re: Prevent mac/ip spoofing using 2824

Hi,

Well, I think ip lockdown could help.
Our primary goal is not to make sure that everyone can only use one computer.
If "IP Address x", which belongs to user Y, is doing something illegal, we must be able to make sure that it really was Y.
At the moment person Z could steal Y's IP and mac address, and we wouldn't even notice.

Using mac lockdown + arpwatch on the gateway or IP Lockdown we could at least bind the ip address to the correct floor.

The only problem with ip security is that we would lose many spare ip addresses. We don't do any NAT here, but each user has his own static, public ip address. And I don't really like to throw away too many public ip addresses just because of "ip lockdown".
Mohieddin Kharnoub
Honored Contributor
Solution

Re: Prevent mac/ip spoofing using 2824

Hi

Arno, you need the 802.1x with RADIUS, it's designed for these cases of security.
Anyway
For ip-lockdown, use a /28 for 14 ip addresses as max (or /27 for 30 addresses) so you don't really lose ip addresses here.

Good Luck !!!
Science for Everyone
Arno L
Occasional Advisor

Re: Prevent mac/ip spoofing using 2824

Hi,

Thanks for the reply. I'll reconsider how to split our subnet for ip-lockdown next week, as I don't have any time for this at the moment.

I know, that a radius server probably would be best, but I'm a complete fan of "KISS"...

And a radius server needs more maintenance than IP-Lockdown...

Arno