ARP (Address Resolution Protocol) maps an IP address to a MAC address. A host uses it when it needs to reach another host in the same VLAN/subnet.
What problems can someone cause with ARP? An attacker can take down services for every host in that VLAN.
How? Assume host PCA has MAC address MACA. Another host, PCB, sends out ARP requests (for any host) or a gratuitous ARP (GARP) using PCA's MAC as the source MAC address. The switches in the path now learn MACA on the port facing PCB, so frames destined for PCA's IP are delivered to PCB instead of PCA. This is one way to cause a service interruption. For details, refer to the following link on ARP spoofing.
In the 3 years that I have spent in LAN Switching TAC, I have not come across such issues often. Whenever I have, it was sometimes very easy to track down the rogue device, but at times it turned out to be a PIA.
This blog describes a way to narrow down the rogue host in a large network.
In simple attacks, where the rogue host sends ARP requests sourced from another host's MAC address, identify the port on which that MAC address is learnt and backtrack switch by switch. Because each switch relearns the MAC on whichever port the latest frame arrived, repeating the lookup a few times will lead you to the legitimate host on some tries and to the rogue host on others.
Switch# show mac address-table address xxxx.xxxx.xxxx
Simple, right? Well, in the scenario above, it is simple.
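The backtracking step described above, written out as a small Python helper. This is an added example, not code from the original post: it parses `show mac address-table address` output from several switches, follows the MAC across the trunk links until it lands on an access port, and stops with an error if the MAC is flapping between two ports on one switch (the legitimate host and the rogue host both sourcing it). The switch names, port names, MAC table output and trunk map are constructed for illustration.

```python
"""Walk a spoofed unicast MAC back to its edge port using the MAC address
tables of several switches.  Added example, not from the original post.
Switch names, ports, MAC table output and the trunk map are constructed."""
import re

# Constructed 'show mac address-table address 0011.2233.4455' output per switch.
# The spoofed MAC (the legitimate server's) is learnt on the trunk towards the
# rogue host at every switch except the one the rogue host is plugged into.
MAC_TABLE_OUTPUT = {
    "CORE1": """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/2
Total Mac Addresses for this criterion: 1
""",
    "DIST2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/10
Total Mac Addresses for this criterion: 1
""",
    "ACCESS5": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
Total Mac Addresses for this criterion: 1
""",
}

# Constructed topology: (switch, port) -> neighbour switch on that trunk.
# Any (switch, port) not in this map is treated as an access (edge) port.
TRUNKS = {
    ("CORE1", "Gi1/0/2"): "DIST2",
    ("DIST2", "Gi1/0/10"): "ACCESS5",
}

# One row of the MAC table: vlan, xxxx.xxxx.xxxx, type, port
MAC_LINE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$",
    re.I)


def parse_mac_table(output):
    """Return [(vlan, mac, port), ...] from 'show mac address-table' text."""
    rows = []
    for line in output.splitlines():
        m = MAC_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows


def ports_for_mac(output, mac):
    """All ports on which 'mac' is currently learnt in this output."""
    return sorted({port for _, m, port in parse_mac_table(output)
                   if m == mac.lower()})


def trace_mac(mac, start, tables, trunks, max_hops=32):
    """Follow 'mac' from switch 'start' across trunks until an edge port.

    Returns the list of (switch, port) hops; the last hop is the edge port
    where the host (legitimate or rogue) is connected.  Raises if the MAC is
    unknown on a switch, flapping between ports, or the walk loops."""
    path = []
    switch = start
    for _ in range(max_hops):
        ports = ports_for_mac(tables[switch], mac)
        if not ports:
            raise LookupError(f"{mac} not learnt on {switch}; check neighbours")
        if len(ports) > 1:
            # Legit and rogue host both sourcing the MAC: it flaps between ports.
            raise RuntimeError(f"{mac} flapping on {switch} between {ports}")
        port = ports[0]
        path.append((switch, port))
        nxt = trunks.get((switch, port))
        if nxt is None:
            return path  # edge port reached
        switch = nxt
    raise RuntimeError("hop limit exceeded; topology loop?")


if __name__ == "__main__":
    for hop in trace_mac("0011.2233.4455", "CORE1", MAC_TABLE_OUTPUT, TRUNKS):
        print("%s %s" % hop)
```

In practice you would collect the `show mac address-table address` output from each switch as you go (or via a script with SSH access) and re-run the trace several times, since the entry flips between the legitimate host's port and the rogue host's port as each of them sends traffic.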
However, consider the following scenario. What if the rogue host sends out ARP requests or GARPs with the IP address of the legitimate host, but uses a bogus multicast MAC address as the source MAC? Some hosts will update their ARP cache with that multicast MAC for a unicast IP. (Cisco devices do not update their ARP cache when they receive such an ARP request/GARP with a multicast MAC as the source MAC.)
Users then lose access to an important server in the same VLAN. HOW WILL YOU DETECT THE ROGUE DEVICE NOW??
Note: switches do not dynamically learn multicast MAC addresses as source addresses, so you cannot backtrack with the MAC address table the way we did in the unicast case.
To make things worse, imagine you have a huge network!!!
Let's assume we have a network as shown below.
This may still look simple. Now imagine an enterprise network with 20 switches and hundreds of hosts connected.
WHERE DO WE START?
WHAT DO WE DO?
First of all, draw the spanning-tree (loop-free) topology. After identifying the blocked ports you end up with the following topology.
I always prefer to start from the root bridge and go down the tree, or you can start in the middle and move down or up (like a binary search).
SPAN each active link (spanning-tree forwarding port), one at a time, in the ingress direction, and check the capture for the bogus ARP requests. The link on which they arrive tells you which neighbouring switch to move to next; repeat there until you reach the switch that has the rogue host connected.
If you have Catalyst 6500 switches throughout the network, you can use an internal tool called ELAM. With ELAM we can identify the incoming interface on which the ARP was received, but you would need to call TAC for help on this one :-)
The procedure above needs a lot of patience, but you will be able to narrow down the rogue host, even if it takes some time.
How can one be proactive in avoiding such attacks? Use DHCP snooping with Dynamic ARP Inspection. For details, refer to the following.
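Both the multicast-MAC scenario and the link-by-link SPAN walk above come down to one question per capture: is a poisoned ARP arriving on this link? The following Python is an added example, not code from the original post, that decodes raw Ethernet/ARP frames from a SPAN capture, flags any ARP whose sender MAC (or Ethernet source MAC) has the multicast I/G bit set, flags any ARP that claims a known IP with a different MAC, and counts rogue frames per link so you know which uplink to follow. The capture bytes, link names, addresses and the "known good" binding table are constructed for illustration; a real capture would be read from the pcap file written by your sniffer on the SPAN destination port.

```python
"""Classify ARP frames from per-link ingress SPAN captures to find the link
carrying poisoned ARP (legitimate IP, bogus multicast sender MAC).
Added example, not from the original post; frames, links, addresses and the
trusted binding table are constructed."""
import struct

ETHERTYPE_ARP = 0x0806
ETH_HDR = struct.Struct("!6s6sH")          # dst, src, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen op sha spa tha tpa


def mac(s):
    return bytes.fromhex(s.replace(":", "").replace(".", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(eth_src, sha, spa, tha, tpa, op=1, eth_dst="ff:ff:ff:ff:ff:ff"):
    """Build an Ethernet II / ARP frame (op 1 = request, 2 = reply)."""
    return (ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa)))


def is_multicast(mac_bytes):
    # I/G bit: least-significant bit of the first octet of the MAC.
    return bool(mac_bytes[0] & 0x01)


def classify(frame, known):
    """Return (verdict, detail) for one captured frame.

    known: {ip_str: mac_str} bindings you trust, e.g. the server's real MAC."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return "ignore", "short frame"
    _, eth_src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return "ignore", "not ARP"
    _, _, _, _, op, sha, spa, _, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    spa_s, sha_s = fmt_ip(spa), fmt_mac(sha)
    kind = "garp" if spa == tpa else ("request" if op == 1 else "reply")
    if is_multicast(sha) or is_multicast(eth_src):
        # Hosts that honour this end up with a multicast MAC for a unicast IP.
        return "rogue-multicast", f"{kind}: {spa_s} claimed by multicast MAC {sha_s}"
    if spa_s in known and known[spa_s].lower() != sha_s:
        return "rogue-conflict", f"{kind}: {spa_s} claimed by {sha_s}, expected {known[spa_s]}"
    return "ok", f"{kind}: {spa_s} is-at {sha_s}"


def summarize(captures, known):
    """captures: {link_name: [frame, ...]} -> {link_name: rogue frame count}.
    The link with a non-zero count is the one to follow to the next switch."""
    return {link: sum(1 for f in frames if classify(f, known)[0].startswith("rogue"))
            for link, frames in captures.items()}


SERVER_IP, SERVER_MAC = "10.1.1.10", "00:11:22:33:44:55"
KNOWN = {SERVER_IP: SERVER_MAC}

# Constructed captures from two ingress SPAN sessions on the same switch.
CAPTURES = {
    "Gi1/0/1 (uplink to DIST1)": [
        # the real server announcing itself, plus an ordinary request
        build_arp(SERVER_MAC, SERVER_MAC, SERVER_IP, "00:00:00:00:00:00", SERVER_IP, op=2),
        build_arp("00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:01", "10.1.1.50",
                  "00:00:00:00:00:00", "10.1.1.1"),
    ],
    "Gi1/0/2 (uplink to DIST2)": [
        # the rogue host: GARP for the server's IP with a bogus multicast sender MAC
        build_arp("01:00:5e:11:22:33", "01:00:5e:11:22:33", SERVER_IP,
                  "00:00:00:00:00:00", SERVER_IP),
    ],
}

if __name__ == "__main__":
    for link, n in summarize(CAPTURES, KNOWN).items():
        print(f"{link}: {n} rogue ARP frame(s)")
    for f in CAPTURES["Gi1/0/2 (uplink to DIST2)"]:
        print(classify(f, KNOWN))
```

Running this against the captures from each forwarding link of a switch gives the same answer the manual SPAN inspection gives (here: follow Gi1/0/2 towards DIST2), and the `rogue-conflict` check also catches the plain unicast variant where the rogue host claims the server's IP with its own MAC.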