ARP, the Address Resolution Protocol, maps an IP address to a MAC address. It is used when a host is trying to reach another host in the same VLAN/subnet.
What problems can someone cause using ARP? With ARP alone you can bring down every service in that VLAN.
How can you do that? Assume a host PCA has MAC address MACA, and another host PCB sends out an ARP request for any host, or a gratuitous ARP (GARP), using PCA's MAC as the source MAC address. This causes the other hosts in that VLAN to update their ARP caches and send packets destined for PCA's IP to PCB. This is one of the ways you can cause a service interruption. For details, refer to the following link on ARP spoofing:
In the 3 years that I have spent in LAN Switching TAC, I have not come across such issues often. Whenever I have, it was sometimes very easy to track down the rogue device, but at times it turned out to be a PIA.
This blog provides a way to narrow down the rogue host in a large network.
In simple attacks, where the rogue host sends ARP requests sourced from another host's MAC address, we identify the port on which that MAC address is learnt and backtrack switch by switch until we reach the legitimate host; repeat the lookup a few times and you will also be able to track down the rogue host.
Switch# show mac address-table address xxxx.xxxx.xxxx
Simple, right? Well, in the scenario I described above, it is.
However, consider the following scenario. What if the rogue host sends out an ARP request or GARP with the IP address of the legitimate host, but uses a bogus multicast MAC address as the source MAC? This causes some hosts to update their ARP cache with the wrong, multicast MAC for a unicast IP. (Cisco devices do not update their ARP cache when they receive such an ARP request/GARP with a multicast MAC as the source MAC.)
So users may lose access to an important server in the same VLAN. HOW WILL YOU DETECT THE ROGUE DEVICE NOW??
Note: Switches do not dynamically learn multicast MAC addresses, so you cannot backtrack the way we did in the unicast case.
To make things worse, imagine you have a huge network!!!
Let's assume we have a network as shown below.
This may still look simple. Now imagine an enterprise network with 20 switches and hundreds of hosts connected.
WHERE DO WE START?
WHAT DO WE DO?
First of all, let's map out the loop-free SPANNING TREE topology; after identifying the blocked ports you will end up with the following topology.
I always prefer to start from the root bridge and go down the tree, or you can start in the middle and move down or up (like a binary search).
SPAN each active (spanning-tree forwarding) link, one at a time, in the ingress direction, to see where the ARP requests are coming from. This way you can move from one switch to the next and finally track down the switch that has the rogue host connected.
If you have switches like the Catalyst 6500 all over the network, you can use an internal tool called ELAM. With ELAM we can identify the incoming interface on which the ARP was received, but you would need to call TAC for help on this one :-)
The procedure above needs a lot of patience, but you will be able to narrow down the rogue host, even if it takes some time.
How can one be proactive in avoiding such attacks?? Use DHCP snooping with Dynamic ARP Inspection. For details, refer to the following:
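As an added example (not from the original post), here is a small Python checker for ARP frames pulled out of a SPAN capture: it parses Ethernet/ARP, flags a multicast sender MAC claiming a protected unicast IP (the scenario described above) and a unicast sender MAC that conflicts with the known mapping (the simpler case, where the frame source can be looked up in the MAC address table). The protected IP-to-MAC table and the sample frames are constructed for the example.

```python
import struct
from typing import Dict, List, Optional

ETH_ARP = 0x0806

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp(eth_src: str, sha: str, spa: str, tpa: str, op: int = 1) -> bytes:
    """Constructed Ethernet II + ARP frame: broadcast destination, zeroed target MAC."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src) + struct.pack("!H", ETH_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet/IPv4, 6-byte MAC, 4-byte IP
    return hdr + body + mac_bytes(sha) + ip(spa) + bytes(6) + ip(tpa)

def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the Ethernet source and ARP sender/target fields, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": mac_str(frame[6:12]), "op": op, "sha": mac_str(frame[22:28]),
            "spa": ip(frame[28:32]), "tpa": ip(frame[38:42])}

def is_multicast(mac: str) -> bool:
    # IEEE I/G bit: the lowest bit of the first octet is set for group (multicast) addresses.
    return bool(int(mac[:2], 16) & 0x01)

def inspect(frames: List[bytes], known: Dict[str, str]) -> List[str]:
    """Flag ARP frames that would poison neighbours' caches for the protected IPs in `known`."""
    alerts = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp is None or arp["spa"] not in known:
            continue                       # not ARP, or an IP we are not watching
        kind = "gratuitous ARP" if arp["spa"] == arp["tpa"] else "ARP request/reply"
        if is_multicast(arp["sha"]):
            # Switches never learn a multicast source, so there is no MAC table entry to backtrack.
            alerts.append(f"{kind}: multicast sender MAC {arp['sha']} claims {arp['spa']}")
        elif arp["sha"] != known[arp["spa"]]:
            # Unicast spoof: look up eth_src in 'show mac address-table' and backtrack to the port.
            alerts.append(f"{kind}: sender MAC {arp['sha']} claims {arp['spa']} "
                          f"(expected {known[arp['spa']]}); frame source {arp['eth_src']}")
    return alerts
```

Feed it the frames from each SPAN session in turn; the link whose capture produces the multicast alert is the one to follow to the next switch.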