Blocking usage of duplicate default gateway ip by rogue attacker

Sihanu N
Level 1

Hi Experts,

We have a core switch (4503), distribution switches and access switches in our network, consisting of many VLANs. Almost all VLANs use DHCP pools, but for a few VLANs DHCP is not yet configured. Recently a rogue user in VLAN 1 gave the corresponding interface VLAN IP of the core switch (the gateway) as his IP and caused a prolonged network outage for the VLAN. Anyway, we are going to segregate VLAN 1 into different VLANs, but before that we need a temporary plan to block such attacks.

What are the possible ways we can avoid the network outage problem even if a user gives the gateway IP to his machine?

Any suggestions and advice are highly appreciated.

Thanks & Regards

Sihanu N

Sent from Cisco Technical Support iPhone App

3 Replies

darren.g
Level 5

Make sure there aren't any user ports in VLAN1.

I always create a separate VLAN for unused ports - I use 999 typically - and whenever I set up a new switch I put ALL ports into this VLAN by default - and this VLAN is not trunked on inter-switch links.

Which means any new PCs which connect won't go anywhere.

If you're not as much of a control freak as me, put all ports into a VLAN, trunk it everywhere, and put a default gateway on it that points to some form of auto-responder which informs the PC's owner s/he needs to speak to the network group and have the port re-assigned into a working VLAN.

You'll never be able to stop a dumb (or excessively smart) user from assigning their PC the IP address of your default gateway - even if you HAVE DHCP enabled, the user could start up, find the gateway IP via DHCP, then set their network card to match it.

Cheers.

Hi Darren,

Many thanks for the reply.

Actually the interface VLAN 1 IP of the core switch is 192.168.1.15 and all machines in VLAN 1 have the gateway configured as the VLAN 1 interface IP. From one of the access switches an interface fastE 0/24 is connected to an outside location (Family Quarters) for restricted corporate access. Recently we experienced a serious outage of devices in VLAN 1 which was resolved only after shutting down interface 0/24 of that access switch. We found that this was due to ARP cache poisoning of the machines, because during that time the ARP tables of the VLAN 1 machines had the wrong MAC address bound to the gateway IP instead of the HSRP gateway MAC address.

Is there any possibility of implementing DAI to block such kinds of broadcasts into the corporate network only in VLAN 1?

Thanks and Regards,

Sihanu N

Hi

What type of switches do you have?

On a 3750X I would use EEM and tcl scripts to recognise this and shut down the offending port.

I.e. if the IP address shows up with the wrong MAC address in the CAM then it's easy to trace it down, and if the offending port is "local" (only one MAC address on the port) then shut it down.

However, there is a way to deal with this "problem", but I have never got it to work properly:

ip source guard.

good luck

HTH
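The detection logic sketched in the reply above (gateway IP seen with the wrong MAC, trace the MAC to a port, act only if that port carries a single host), written out as an added Python example that is not part of this thread or of any Cisco feature. The gateway IP 192.168.1.15 is the one given in the thread; the gateway MAC, the port names and both `show` outputs are constructed samples, and a real deployment would feed it live `show ip arp` and `show mac address-table` output collected from the access switch.

```python
"""Flag an access port whose host is answering for the VLAN gateway IP.

Added example, not the thread's own code. It mirrors the EEM/tcl idea from
the reply: compare the MAC the ARP table holds for the gateway IP against the
expected one, look that MAC up in the CAM table, and recommend shutting the
port only when it is an untrusted access port carrying exactly one MAC.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Gateway IP from the thread; the MAC is a constructed placeholder in the
# HSRP virtual-MAC format (0000.0c07.acXX).
GATEWAY_IP = "192.168.1.15"
GATEWAY_MAC = "0000.0c07.ac01"
# Uplinks legitimately carry many MACs and are never candidates for shutdown.
TRUSTED_PORTS: Set[str] = {"Gi1/1"}

# Constructed sample of `show ip arp` on the access switch (gateway IP bound
# to an unexpected MAC).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.15            0   0011.2233.4455  ARPA   Vlan1
Internet  192.168.1.50            3   aabb.cc00.0001  ARPA   Vlan1
"""

# Constructed sample of `show mac address-table` on the same switch.
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0c07.ac01    DYNAMIC     Gi1/1
   1    0011.2233.4455    DYNAMIC     Fa0/24
   1    aabb.cc00.0001    DYNAMIC     Fa0/7
   1    aabb.cc00.0002    DYNAMIC     Gi1/1
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC, re.M)
CAM_LINE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> MAC from `show ip arp` output."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}


def parse_mac_table(text: str) -> Tuple[Dict[str, str], Dict[str, Set[str]]]:
    """Return (MAC -> port, port -> set of MACs) from `show mac address-table`."""
    mac_to_port: Dict[str, str] = {}
    port_macs: Dict[str, Set[str]] = {}
    for _vlan, mac, port in CAM_LINE.findall(text):
        mac_to_port[mac.lower()] = port
        port_macs.setdefault(port, set()).add(mac.lower())
    return mac_to_port, port_macs


@dataclass
class Verdict:
    offending_mac: Optional[str]
    port: Optional[str]
    action: str  # "ok", "shutdown" or "investigate"
    reason: str


def check_gateway(arp_text: str, mac_text: str,
                  gateway_ip: str = GATEWAY_IP, gateway_mac: str = GATEWAY_MAC,
                  trusted: Set[str] = TRUSTED_PORTS) -> Verdict:
    """Decide whether a port should be shut for impersonating the gateway."""
    seen_mac = parse_arp(arp_text).get(gateway_ip)
    if seen_mac is None:
        return Verdict(None, None, "investigate", "gateway IP absent from ARP table")
    if seen_mac == gateway_mac.lower():
        return Verdict(seen_mac, None, "ok", "gateway IP bound to expected MAC")
    mac_to_port, port_macs = parse_mac_table(mac_text)
    port = mac_to_port.get(seen_mac)
    if port is None:
        return Verdict(seen_mac, None, "investigate", "offending MAC not in CAM table")
    if port in trusted:
        return Verdict(seen_mac, port, "investigate",
                       "offending MAC learned on a trusted uplink; check the upstream switch")
    if len(port_macs[port]) != 1:
        return Verdict(seen_mac, port, "investigate",
                       f"port carries {len(port_macs[port])} MACs; shutting it would cut other hosts")
    return Verdict(seen_mac, port, "shutdown",
                   "single host on an access port is answering for the gateway IP")


def shutdown_commands(verdict: Verdict) -> list:
    """IOS configuration lines an EEM action would push for a 'shutdown' verdict."""
    if verdict.action != "shutdown" or verdict.port is None:
        return []
    return [f"interface {verdict.port}",
            f" description SHUT: {verdict.offending_mac} claimed {GATEWAY_IP}",
            " shutdown"]


if __name__ == "__main__":
    v = check_gateway(SHOW_IP_ARP, SHOW_MAC_TABLE)
    print(v)
    print("\n".join(shutdown_commands(v)))
```

The single-MAC check is the part that keeps this safe to automate: the same MAC showing up behind an uplink or a hub port means the offender is further away, and shutting that port would reproduce the outage the thread describes rather than end it. Both regexes accept the column layout of the sample output above; real `show` output on other IOS versions may need the patterns adjusted.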
