# ARP Attack Detection Configuration
## Introduction

ARP attack detection, also called Dynamic ARP Inspection (DAI), is one of the common methods of preventing ARP spoofing. It checks ARP packets on access devices against the DHCP snooping entries and static binding entries held by the device, so that ARP attacks from unauthorized users are stopped at the access port.

## Explanation of Principles

The user legitimacy check matches the sender IP address and sender MAC address carried in the ARP packet against the static binding entries and the DHCP snooping secure entries on the device. If the sender IP/MAC pair matches any entry, the ARP packet is considered legitimate and is forwarded. If no match is found, the packet is considered illegitimate and is dropped.

ARP trusted interfaces do not undergo the user legitimacy check. ARP untrusted interfaces do, and that is what prevents attacks from spoofed users.

Two consequences follow for deployment:

- The check is only as good as the binding table. DHCP snooping must be enabled, with the port facing the DHCP server marked as a snooping trusted port, before ARP attack detection is turned on; otherwise legitimate DHCP clients have no entry and their ARP packets are dropped.
- A host with a statically configured address never produces a DHCP snooping entry, so it needs a static binding entry, or it must sit behind a trusted interface.

## ARP Attack Detection Configuration

| Configuration task | Instructions |
|---|---|
| Enable ARP attack detection | Required |
| Configure ARP attack detection trusted ports | Optional |

### Enabling ARP Attack Detection

ARP attack detection is enabled per VLAN.

| Operation | Command |
|---|---|
| Enter the system configuration view | `configure terminal` |
| Enter the VLAN view | `vlan <vlan-id>` |
| Enable ARP attack detection | `arp anti-attack check enable` |

### Configuring ARP Attack Detection Trusted Ports

For an interface configured as an ARP attack detection trusted port, if a given VLAN on that interface has ARP attack detection enabled, ARP packets carrying that VLAN ID bypass ARP attack detection on that interface and are forwarded without any check. Use this only for ports whose attached device is known to be trustworthy; a trusted port facing an unmanaged segment reopens the door to ARP spoofing for that VLAN.

| Operation | Command |
|---|---|
| Enter the system configuration view | `configure terminal` |
| Enter the interface view | `interface ethernet <interface-id>` |
| Configure the ARP attack detection trusted port | `arp anti-attack check trusted-interface vlan <vlan-id>` |

The configuration example below issues the equivalent command from the VLAN view, naming the interface instead.

## Configuration Examples

### Network Requirements

Users access the network through the switch. All users are known to be in VLAN 100, and all users obtain IP addresses from the DHCP server. The administrator wants to enable DAI on the switch so that illegal users cannot attack the device by sending illegal ARP messages, with the following requirements:

- PC 1 is a dumb terminal and requires a statically configured IP address.
- PC 4 is a trusted user and is not subjected to DAI checks.

### Procedure

VLAN creation and VLANIF interface configuration are omitted.

1. Enable the DHCP relay function.

```
sonic(config)# dhcp relay test-v4
sonic(config-dhcp-relay-test-v4)# down-link interface vlan 100
sonic(config-dhcp-relay-test-v4)# up-link interface 49
sonic(config-dhcp-relay-test-v4)# server-ip 10.10.1.1
sonic(config-dhcp-relay-test-v4)# loopback-interface loopback 0
sonic(config-dhcp-relay-test-v4)# exit
```

2. Enable DHCP snooping globally and in VLAN 100.

```
sonic(config)# dhcp snooping enable
sonic(config)# interface vlan 100
sonic(config-vlanif-100)# dhcp snooping enable
```

3. Configure the interface connected to the DHCP server as a DHCP snooping trusted port.

```
sonic(config)# interface ethernet 49
sonic(config-if-49)# dhcp snooping enable
sonic(config-if-49)# dhcp snooping trusted
```

4. Enable the DAI function in VLAN 100 and configure Ethernet4 (PC 4) as a trusted port.

```
sonic(config)# vlan 100
sonic(config-vlan-100)# arp anti-attack check trusted-interface ethernet4
sonic(config-vlan-100)# arp anti-attack check enable
```

5. Add a static binding entry for the IP address and MAC address of PC 1.

```
sonic(config)# user-bind rule 10.100.3.1 00:00:00:01:00:01 1 100
```

Adding the static entry before enabling the check (that is, performing step 5 before the `arp anti-attack check enable` command in step 4) avoids a short window in which PC 1's ARP packets are dropped.

### Verifying the Configuration

View the static binding entries in the snooping binding table:

```
sonic# show user-bind rule
VLAN     MAC                IP          Interface
vlan100  00:00:00:01:00:01  10.100.3.1  ethernet1
Total: 1
```

View the DAI function configuration:

```
sonic# show anti-attack check config
+------------+------------+
| Interfaces | Check Mode |
+============+============+
| vlan100    | true       |
+------------+------------+
```

With PC 2 acting as the attacker, sending ARP messages whose sender IP/MAC pair matches neither a DHCP snooping entry nor a static binding entry, all of its outgoing ARP messages are discarded.
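The user legitimacy check described in the principles section, together with the per-VLAN enable and the trusted-interface bypass, as an added worked example that is not the switch vendor's code: a Python model of the DAI decision that parses constructed Ethernet/ARP frames and replays the topology of the configuration example. Interface names (ethernet1 to ethernet4), a DHCP lease for a PC 3, the gateway address 10.100.3.254 that the attacker impersonates, and the attacker's MAC address are assumptions of this example.

```python
# Model of the ARP attack detection (DAI) user legitimacy check. Added example, not
# vendor code: the page's topology is replayed against constructed frames.
import struct
from dataclasses import dataclass, field

ETHERTYPE_VLAN, ETHERTYPE_ARP, ETHERTYPE_IPV4 = 0x8100, 0x0806, 0x0800
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))

def build_arp(src_mac, sender_ip, target_ip, vlan=None, opcode=1):
    """Constructed Ethernet/ARP request (1) or reply (2), optionally 802.1Q tagged."""
    eth = mac_bytes(BROADCAST) + mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)      # TCI with PCP/DEI = 0
    eth += struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)
    arp += mac_bytes(src_mac) + ip_bytes(sender_ip)          # sender hardware/protocol address
    arp += bytes(6) + ip_bytes(target_ip)                    # target hardware/protocol address
    return eth + arp

def parse_ethernet(frame):
    """Return (ethertype, vlan or None, payload); a runt frame raises ValueError."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_VLAN:
        return ethertype, None, frame[14:]
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return ethertype, tci & 0x0FFF, frame[18:]

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int
    source: str        # "static" (user-bind rule) or "dhcp-snooping"

@dataclass
class ArpInspector:
    """Hypothetical per-switch DAI state; attribute names are this example's, not CLI keywords."""
    access_vlan: dict = field(default_factory=dict)   # interface -> untagged VLAN
    enabled_vlans: set = field(default_factory=set)    # VLANs with 'arp anti-attack check enable'
    trusted: set = field(default_factory=set)          # (interface, vlan) pairs that skip the check
    bindings: set = field(default_factory=set)

    def user_bind(self, ip, mac, interface, vlan):
        self.bindings.add(Binding(ip, mac.lower(), interface, vlan, "static"))

    def snooping_learn(self, ip, mac, interface, vlan):
        self.bindings.add(Binding(ip, mac.lower(), interface, vlan, "dhcp-snooping"))

    def check(self, interface, frame):
        """User legitimacy check on one ingress frame: ('forward' | 'drop', reason)."""
        ethertype, vlan, payload = parse_ethernet(frame)
        if ethertype != ETHERTYPE_ARP:
            return "forward", "not ARP, not inspected"
        if vlan is None:
            vlan = self.access_vlan.get(interface)
        if vlan not in self.enabled_vlans:
            return "forward", f"ARP attack detection not enabled on VLAN {vlan}"
        if (interface, vlan) in self.trusted:
            return "forward", f"{interface} is trusted for VLAN {vlan}"
        if len(payload) < 28:
            return "drop", "truncated ARP packet"
        _, ptype, hlen, plen, _ = struct.unpack("!HHBBH", payload[:8])
        if (ptype, hlen, plen) != (ETHERTYPE_IPV4, 6, 4):
            return "drop", "not an Ethernet/IPv4 ARP packet"
        sender_mac = ":".join(f"{b:02x}" for b in payload[8:14])
        sender_ip = ".".join(str(b) for b in payload[14:18])
        # Page rule: sender IP + sender MAC must match an entry. Also requiring the entry's
        # VLAN and ingress interface to agree is this example's stricter choice (assumption).
        for b in self.bindings:
            if (b.ip, b.mac, b.vlan, b.interface) == (sender_ip, sender_mac, vlan, interface):
                return "forward", f"matches {b.source} entry"
        return "drop", f"no binding for {sender_ip}/{sender_mac} on {interface} VLAN {vlan}"

def run_lab():
    """Replay the configuration example; PC 2 on ethernet2 is the attacker (names assumed)."""
    sw = ArpInspector(access_vlan={f"ethernet{i}": 100 for i in range(1, 5)})
    sw.enabled_vlans.add(100)                          # vlan 100 / arp anti-attack check enable
    sw.trusted.add(("ethernet4", 100))                 # trusted-interface ethernet4 for PC 4
    sw.user_bind("10.100.3.1", "00:00:00:01:00:01", "ethernet1", 100)        # PC 1 static entry
    sw.snooping_learn("10.100.3.3", "00:00:00:01:00:03", "ethernet3", 100)   # assumed PC 3 lease
    gw = "10.100.3.254"   # assumed gateway address that PC 2 tries to impersonate
    frames = {
        "pc1-static":   ("ethernet1", build_arp("00:00:00:01:00:01", "10.100.3.1", gw)),
        "pc3-dhcp":     ("ethernet3", build_arp("00:00:00:01:00:03", "10.100.3.3", gw)),
        "pc2-spoof-gw": ("ethernet2", build_arp("00:00:00:01:00:02", gw, "10.100.3.3", opcode=2)),
        "pc4-trusted":  ("ethernet4", build_arp("00:00:00:01:00:04", gw, "10.100.3.3", opcode=2)),
        "pc2-vlan200":  ("ethernet2", build_arp("00:00:00:01:00:02", gw, "10.100.3.3", vlan=200, opcode=2)),
    }
    return {name: sw.check(port, frame)[0] for name, (port, frame) in frames.items()}
```

`run_lab()` returns `forward` for PC 1 (static entry), PC 3 (snooping entry) and PC 4 (trusted interface), and `drop` for PC 2's forged gateway reply. The `pc2-vlan200` case is the caveat worth noticing: because the check is enabled per VLAN, the same forged reply tagged with a VLAN where `arp anti-attack check enable` was never issued passes untouched, so every user VLAN on an access switch needs the command, not only the one in the example.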
