
Protect my Lan against ARP spoofing/Poisoning

mydi88
Level 1

Hello, 

I am suffering from ARP attacks on my LAN (Netcut - selfishnet). What configuration must I do on my CISCO SWITCH 2960 to stop this?

6 Replies

Could I drop all my VLANs and keep just this configuration to protect my LAN? Because of massive attacks I configured VLANs to limit attacks in some zones.

Now if I use this config, can I use my switch in simple mode without VLANs?

 

You can, but it's not recommended. You can use dynamic ARP inspection with VLANs on the switch.

Okay, so I just have to enter this configuration on each interface (pre-configured with a VLAN).

Could you give the specific configuration of Dynamic ARP Inspection in a VLAN environment?

Example: I have VLAN 10 on interface 1 using the IP address 192.168.10.1; it has its own DHCP mode and is linked with gateway 192.168.99.1 on interface 24.

Based on this instruction linked above by Seb Rupik: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01111.html#task_1961618808BA41BA941D3B9979D36518

You turn on ARP inspection on a per-VLAN basis (or you can turn it on for a VLAN range), so for VLAN 10:
- ip arp inspection vlan 10
And remember to set some ports as trusted (between switches and the port to the DHCP server).
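
A fuller DAI configuration for the VLAN 10 case discussed above, as an added example that is not part of the original thread or of the linked Cisco guide. Assumptions: the interface names GigabitEthernet0/1 and GigabitEthernet0/24 (the thread only says "interface 1" and "interface 24"), a DHCP server reachable through port 24, and a constructed static host entry (192.168.10.50 / 0000.5e00.5301).

```cisco
! DAI validates ARP packets against the DHCP snooping binding table,
! so DHCP snooping has to be enabled for the same VLAN first.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! Enable Dynamic ARP Inspection on VLAN 10 and add the optional
! sanity checks on source MAC, destination MAC and IP fields.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Hosts with static addresses have no DHCP snooping binding and would be
! dropped by DAI; permit them explicitly with an ARP ACL.
! (IP and MAC below are constructed sample values.)
arp access-list STATIC-HOSTS
 permit ip host 192.168.10.50 mac host 0000.5e00.5301
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Uplink towards the gateway / DHCP server (assumed to be port 24):
! trusted for both DHCP snooping and ARP inspection.
interface GigabitEthernet0/24
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access port in VLAN 10 (assumed to be port 1): left untrusted, which is
! the default, and rate-limited so an ARP flood err-disables the port.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! Verification, from privileged EXEC mode:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show ip arp inspection interfaces
!   show ip arp inspection statistics vlan 10
```

Enable this while hosts already hold valid leases only after checking `show ip dhcp snooping binding`: a host whose lease predates snooping has no binding and its ARP traffic is dropped until it renews.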

Hmmm, how epidemic is this attack?! If you unify all of your connected devices into a single subnet/VLAN then you put all of the devices at risk from the ARP attack.

By using VLANs you reduce the broadcast domain and therefore the reach of an ARP based attack.

 

I would keep the VLANs and implement DAI. Don't adjust your topology, get the switch to do the work.

 

cheers,

Seb.
