05-17-2012 06:33 PM - edited 03-07-2019 06:46 AM
Hi Experts,
We have a core switch (4503), distribution switches and access switches in our network, and it consists of many VLANs. Almost all VLANs use DHCP pools, but for a few VLANs DHCP is not yet configured. Recently one of the rogue users in VLAN 1 gave the corresponding interface VLAN IP of the core switch (the gateway) as his IP and caused a prolonged network outage for the VLAN. Anyway, we are going to segregate VLAN 1 into different VLANs, but before that we need a temporary plan to block such kinds of attack.
What are the possible ways we can avoid the network outage problem even if a user gives the gateway IP to the machine?
Any suggestions and advice are highly appreciated.
Thanks & Regards
Sihanu N
Sent from Cisco Technical Support iPhone App
05-17-2012 10:08 PM
Sihanu N wrote:
Hi Experts,
We have a core switch (4503), distribution switches and access switches in our network, and it consists of many VLANs. Almost all VLANs use DHCP pools, but for a few VLANs DHCP is not yet configured. Recently one of the rogue users in VLAN 1 gave the corresponding interface VLAN IP of the core switch (the gateway) as his IP and caused a prolonged network outage for the VLAN. Anyway, we are going to segregate VLAN 1 into different VLANs, but before that we need a temporary plan to block such kinds of attack.
What are the possible ways we can avoid the network outage problem even if a user gives the gateway IP to the machine?
Any suggestions and advice are highly appreciated.
Thanks & Regards
Sihanu N
Sent from Cisco Technical Support iPhone App
Make sure there aren't any user ports in VLAN1.
I always create a separate VLAN for unused ports - I use 999 typically - and whenever I set up a new switch I put ALL ports into this VLAN by default - and this VLAN is not trunked on inter-switch links.
Which means any new PCs which connect won't go anywhere.
If you're not as much of a control freak as me, put all ports into a VLAN, trunk it everywhere, and put a default gateway on it that points to some form of auto-responder which informs the PC's owner that s/he needs to speak to the network group and have the port re-assigned into a working VLAN.
You'll never be able to stop a dumb (or excessively smart) user from assigning their PC the IP address of your default gateway - even if you HAVE DHCP enabled, the user could start up, find the gateway IP via DHCP, then set their network card to match it.
Cheers.
05-18-2012 08:04 AM
Hi Darren,
Many, many thanks for the reply.
Actually the interface VLAN 1 IP of the core switch is 192.168.1.15, and all machines in VLAN 1 have the gateway configured as the VLAN 1 interface IP. From one of the access switches an interface FastEthernet 0/24 is connected outside (Family Quarters location) for restricted corporate access. Recently we experienced a serious outage of devices in VLAN 1, resolved only after shutting down interface 0/24 of that access switch. We found this was due to ARP cache poisoning of the machines, because during that time the ARP tables of the VLAN 1 machines had the wrong MAC address bound to the gateway IP instead of the HSRP gateway MAC address.
Is there any possibility to implement DAI to block such kinds of broadcasts to the corporate network only in VLAN 1?
Thanks and Regards,
Sihanu N
05-18-2012 12:10 PM
Hi
What type of switches do you have?
In a 3750X I would use EEM and Tcl scripts to recognise this and shut down the offending port.
i.e. if the IP address shows up with the wrong MAC address in the CAM then it's easy to trace it down, and if the offending port is "local" (only one MAC address on the port) then shut it down.
However there is a way to deal with this "problem", but I have never got it to work properly:
ip source guard.
good luck
HTH
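For the DAI question above and the IP Source Guard suggestion in the last reply, here is an added example configuration, written by the editor and not posted by anyone in the thread, for one of the VLAN 1 access switches. It assumes a Catalyst access switch running IOS with DHCP snooping, DAI and IP Source Guard support, an uplink named GigabitEthernet0/1, user ports FastEthernet0/1-23 plus the Family Quarters link on FastEthernet0/24, and HSRP group 1 (hence the virtual MAC 0000.0c07.ac01, which should be confirmed with "show standby" on the core). The gateway address 192.168.1.15 and the port Fa0/24 come from the thread; everything else is assumed.

```cisco
! Added example, not from the thread. Assumptions: Catalyst access switch,
! uplink Gi0/1, user ports Fa0/1-23, Fa0/24 = Family Quarters link,
! HSRP group 1 on the core (virtual MAC 0000.0c07.ac01 - verify it).

! 1. DHCP snooping builds the IP/MAC/port binding table that both DAI and
!    IP Source Guard check against.
ip dhcp snooping
ip dhcp snooping vlan 1
no ip dhcp snooping information option

! 2. The gateway is not a DHCP client, so it never appears in the binding
!    table. Whitelist its IP/MAC pair explicitly: an ARP reply that maps
!    192.168.1.15 to any other MAC is dropped on untrusted ports.
!    Hosts with static addresses (the VLANs without DHCP) need a line
!    here too, or DAI will drop their ARP.
arp access-list VLAN1-STATIC
 permit ip host 192.168.1.15 mac host 0000.0c07.ac01
 ! permit ip host <STATIC-HOST-IP> mac host <STATIC-HOST-MAC>   (placeholder)

! 3. Turn DAI on for VLAN 1 only, consult the ACL first, then fall through
!    to the snooping bindings for DHCP clients. Extra validation rejects
!    ARP whose Ethernet and ARP-body addresses disagree.
ip arp inspection vlan 1
ip arp inspection filter VLAN1-STATIC vlan 1
ip arp inspection validate src-mac dst-mac ip

! 4. Only the uplink toward distribution/core is trusted: DHCP offers and
!    the real gateway ARP arrive there. Never trust Fa0/24.
interface GigabitEthernet0/1
 description uplink-to-distribution
 ip dhcp snooping trust
 ip arp inspection trust

! 5. User ports stay untrusted. The ARP rate limit err-disables a port
!    that floods ARP; "ip verify source" (IP Source Guard) drops IP
!    packets whose source address has no binding on that port, so a PC
!    hard-coded with 192.168.1.15 sends nothing into the VLAN.
!    Static-IP hosts need an "ip source binding" entry (step 6).
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 1
 ip arp inspection limit rate 15
 ip verify source
 spanning-tree portfast
 spanning-tree bpduguard enable

! 6. Placeholder static binding for a host that does not use DHCP.
! ip source binding <STATIC-HOST-MAC> vlan 1 <STATIC-HOST-IP> interface Fa0/5

! 7. Let DAI-disabled ports come back after 5 minutes instead of needing
!    a manual "shut / no shut".
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Roll it out in stages: enable "ip arp inspection vlan 1" with the trusted uplink first and watch "show ip arp inspection statistics vlan 1" and "show ip dhcp snooping binding" for a few days, because any host in the VLAN without a binding or an ACL entry will lose ARP; only then add "ip verify source" on the user ports. DAI alone already stops the ARP-poisoning case described in the thread; IP Source Guard adds the second layer that stops a host from sourcing IP packets as the gateway even without sending ARP.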