HPE Aruba Networking & ProVision-based

Dynamic ARP Protection question

 
JRomero1971
Occasional Visitor

Hi folks.  We recently had an internal pen test, and the auditor was able to compromise our network in many ways by "ARP poisoning" our current L2 switches.  He was able to get credentials to multiple systems, and other confidential info.  I'm now going to forklift our current switches with some 2910 models, but we're going to do it in 2 phases.  My question is hopefully an easy one, as I'm still trying to understand this man-in-the-middle type attack.

 

Can you only ARP poison the switch you are directly connected to?

 

Example: let's say we have 5 switches.  A top-of-rack switch, and then 4 "user" switches.  Each user switch has an uplink to the top-of-rack switch.  Out of our 5 switches only 2 have Dynamic ARP Protection: the top of rack, and user switch 4.  So, if a user was directly connected to user switch 4, he could not ARP poison anyone?  If a user was directly connected to user switch 3, he could only ARP poison folks that are also connected to switch 3, but not anyone on any other switch.  Is my understanding correct?

 

Many thanks.

 

JR

Fredrik Lönnman
Honored Contributor

Re: Dynamic ARP Protection question

If he is connected to switch 3 he will be able to ARP poison anyone on the same segment. Since you're not saying where you do your routing (on the ToR or on every user switch), the segment may be all of your switches or just the switch he is connected to.

---
CCIE Service Provider
MASE Network Infrastructure [2011]
H3CSE
CCNP R&S

JRomero1971
Occasional Visitor

Re: Dynamic ARP Protection question

The ToR switch has the xconnect to the router.  All user switches route out via the arm into the ToR.

 

So, if the user was connected via switch 3 (no DARP), he would be able to ARP poison anyone on the segment?  Would he be able to AP someone that was directly connected to a switch that has DARP?

 

Was I correct in the thought that if a user was connected via switch 4 (DARP), he could not AP anyone, on any switch?

 

We're about to be re-audited, and before we forklift every single switch in the company to a model that has DARP, we wanted to do a proof of concept: have the auditor come in, directly connect him to user switch 4 (DARP), and see what damage he could do - hopefully none.

 

Thanks again.

Fredrik Lönnman
Honored Contributor

Re: Dynamic ARP Protection question

Yes, a user connected to switch 3 will be able to poison anyone, even users on switches with DARP. Users connected to a switch with DARP won't be able to poison.

 

Basically what ARP protection does is match ARP replies ingressing on a port against the DHCP snooping table. If a user has been assigned IP 192.168.1.11 it will be recorded in the DHCP snooping table, and if that user tries to do a MitM attack by starting to answer ARP requests for 192.168.1.1 (default gw), it will be dropped ingress on the port before it reaches the rest of the network, since it doesn't match the entry in the DHCP snooping database.

 

Since the protection works ingress on the offender's port, it needs to be on everywhere. To be specific, it doesn't protect users from being poisoned; it stops offenders from poisoning.


JRomero1971
Occasional Visitor

Re: Dynamic ARP Protection question

Fredrik - Thank you very much for your help, your answers are very clear and helpful.  One follow up: you refer to matching port info with the DHCP snooping table - what if all addresses were static, and no addresses were derived via DHCP?

 

JR.

Fredrik Lönnman
Honored Contributor

Re: Dynamic ARP Protection question

You can also add the information manually with the ip source-binding command.

 

Download the ASG: http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-K_14_52.pdf and look at page 11-17 and onwards, lots of info about arp protection :)

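To make the two points in the replies above concrete (protection acts at ingress on the offender's port, so a forged ARP from an unprotected switch passes through trusted uplinks untouched; and static hosts need a manual binding because there is no DHCP lease to check against), here is an added toy model of the check. It is constructed for this thread, not switch firmware or code from the original posts. The addressing (192.168.1.1 gateway, 192.168.1.11 host), the port names, the MACs and the five-switch layout are all assumptions; `learn_dhcp` stands in for what DHCP snooping records from a lease, and `add_source_binding` for the manual entry the last reply refers to (the ProVision `ip source-binding` command).

```python
"""Toy model of Dynamic ARP Protection keyed on the DHCP-snooping binding table.

Constructed example for the thread above; not real switch code.
Assumed lab: ToR (protected, uplinks trusted), sw3 (unprotected), sw4 (protected).
"""
from dataclasses import dataclass, field

VLAN = 10
GATEWAY_IP = "192.168.1.1"       # constructed: the default gateway an attacker impersonates


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class Arp:
    sender_mac: str
    sender_ip: str
    target_ip: str


@dataclass
class Switch:
    name: str
    arp_protect: bool                              # ARP protection enabled on the VLAN
    trusted: set = field(default_factory=set)      # uplink/trunk ports exempt from the check
    bindings: dict = field(default_factory=dict)   # (vlan, ip) -> Binding

    def learn_dhcp(self, mac, ip, vlan, port):
        """What DHCP snooping records when it sees a lease handed out on a port."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    def add_source_binding(self, mac, ip, vlan, port):
        """Manual entry for a static host (the 'ip source-binding' equivalent)."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    def inspect(self, port, vlan, pkt):
        """Return (forwarded, reason) for an ARP packet arriving on `port`."""
        if not self.arp_protect:
            return True, "no arp protection"
        if port in self.trusted:
            return True, "trusted port"          # uplinks are not checked
        b = self.bindings.get((vlan, pkt.sender_ip))
        if b is None:
            return False, "no binding for sender IP"
        if b.mac != pkt.sender_mac or b.port != port:
            return False, "sender MAC/port mismatch"
        return True, "binding match"


def forward(path, vlan, pkt):
    """Walk an ARP packet through (switch, ingress_port) hops; stop at the first drop."""
    log = []
    for sw, port in path:
        ok, why = sw.inspect(port, vlan, pkt)
        log.append(f"{sw.name}:{port} {'fwd' if ok else 'DROP'} ({why})")
        if not ok:
            return False, log
    return True, log


def build_lab():
    tor = Switch("tor", arp_protect=True, trusted={"A1", "A2", "A3", "A4"})
    sw3 = Switch("sw3", arp_protect=False)               # not yet replaced
    sw4 = Switch("sw4", arp_protect=True, trusted={"24"})  # port 24 = uplink to ToR
    sw4.learn_dhcp("00:11:22:33:44:11", "192.168.1.11", VLAN, "5")
    return tor, sw3, sw4


def scenarios():
    tor, sw3, sw4 = build_lab()
    legit = Arp("00:11:22:33:44:11", "192.168.1.11", GATEWAY_IP)
    spoof = Arp("00:11:22:33:44:11", GATEWAY_IP, "192.168.1.12")   # host claims to be the gateway
    r = {}
    # legitimate reply from the DHCP host on sw4 port 5, out the uplink to the ToR
    r["legit_from_sw4"] = forward([(sw4, "5"), (tor, "A4")], VLAN, legit)[0]
    # same host forges the gateway IP: dropped on its own ingress port
    r["spoof_from_sw4"] = forward([(sw4, "5"), (tor, "A4")], VLAN, spoof)[0]
    # someone on sw4 port 6 replays the real host's MAC/IP pair: port mismatch, dropped
    r["cloned_binding_wrong_port"] = forward([(sw4, "6")], VLAN, legit)[0]
    # attacker on unprotected sw3 forges the gateway toward a victim on protected sw4:
    # sw3 does not check, and both later hops see it on a trusted port
    r["spoof_from_sw3_to_sw4"] = forward([(sw3, "5"), (tor, "A3"), (sw4, "24")], VLAN, spoof)[0]
    # static host on sw4 port 7 with no lease: dropped until a binding is added by hand
    static = Arp("00:11:22:33:44:77", "192.168.1.77", GATEWAY_IP)
    r["static_before_binding"] = forward([(sw4, "7")], VLAN, static)[0]
    sw4.add_source_binding("00:11:22:33:44:77", "192.168.1.77", VLAN, "7")
    r["static_after_binding"] = forward([(sw4, "7")], VLAN, static)[0]
    return r


if __name__ == "__main__":
    for name, delivered in scenarios().items():
        print(f"{name:28s} {'delivered' if delivered else 'dropped'}")
```

The third scenario is the one that matters for the proof-of-concept plan in the thread: the ToR and switch 4 both forward the forged reply because it arrives on a port they have to trust (the inter-switch link), so the only place it could have been stopped is the access port on switch 3. The last two scenarios show why a network of static hosts still needs a populated binding table; with no lease and no manual entry, a protected port drops every ARP from that host, legitimate or not.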