ARP Poisoning Lab

It has been a couple of weeks if not more since I last posted on my study blog. Life getting in the way as it does. But I hope to get back on track now.

In my last post I talked about ARP Poisoning and how it works as a Man In The Middle attack. So how do you stop this sort of an attack?

Does something called DHCP Spoofing ring a bell? I previously talked about it and how to stop it in the DHCP Spoofing post. So if you need a refresher click on the link and then come back here.

So we can use the DHCP Snooping database to help us also stop ARP poisoning after all the database keeps mappings of IP addresses to MAC addresses and what port they were learnt on. So for this to work you need to already have DHCP Snooping enabled. If you are on a non-DHCP network you can setup ARP ACL lists to do the mappings instead.

To enable ARP Inspection you need to enable it in Global Config mode  and it is done on a per vlan basis.

#config t

#ip arp inspection vlan 123

Just like with DHCP Snooping untrusted ports will DROP any traffic that does not match the IP address to MAC address mapping on that port. And just like with DHCP Snooping you can set ports (Interfaces) to be trusted. If a port is changed to a trust port it will not be subject to inspection and it will allow the traffic to flow. To change a port to a trusted port go into the interface.

#interface fa0/2

#ip arp inspection trust

And that is it.

To finish out you can enable ARP Inspection on Access, Trunk and EtherChannel ports.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s