Command of the Day

Aruba Employee

COTD: Prohibit IP spoofing

This week's command of the week is actually a command that works in both 2.x and 3.x. It's a command that we've had for a while, but I thought it would be useful to describe exactly what it does:
(Greig) (config) #firewall prohibit-ip-spoofing
Our IP spoofing detection works by monitoring all ARPs in the network to build up a MAC<->IP correlation table. Once you enable this feature, you may get log messages similar to this:
authmgr: IP spoof <00:11:22:33:44:55 1.2.3.4 jane@goodgirl.com> from MAC=00:16:66:77:88:99, urole=allowall,
What this means is that MAC address 00:16:66:77:88:99 is also trying to spoof/answer ARP for the IP address 1.2.3.4, which is already tied to an existing user, jane@goodgirl.com, with MAC address 00:11:22:33:44:55.
The user that is being spoofed will not be affected. Any packet coming from the bad "00:16:66:77:88:99" MAC will be dropped, and its packets will increment the "spoof" counter that you can see in "show aaa state debug-statistics".
Here's the output of 'show aaa state debug-statistics':
(wireless-local3-wmc) #show aaa state debug-statistics
user miss: ARP=208686, 8021Q=226303, non-IP=0, zero-IP=0, loopback=0
user miss: mac mismatch=0, spoof=9503 (4601), drop=222790
Idled users = 1362
Idled users due to MAC mismatch = 0
Logon lifetime iterations = 5, entries deleted = 81
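To make the mechanism concrete, here is a small Python model of the detection logic described above (an added illustration, not Aruba's code): it learns an IP-to-MAC binding from the first ARP seen for a user, raises an authmgr-style alert and bumps a spoof counter when a different MAC later claims that IP, and pulls the spoof counter out of the debug-statistics output. The ARP observations are constructed sample data; the two-number form "spoof=9503 (4601)" is parsed without assuming what the second figure means.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SpoofMonitor:
    """Toy model of the controller's MAC<->IP correlation table (assumption:
    the real implementation differs; this only mirrors the described behaviour)."""
    table: dict = field(default_factory=dict)   # ip -> (mac, user)
    spoof_counter: int = 0                       # the "spoof=" figure
    dropped_macs: list = field(default_factory=list)

    def observe_arp(self, mac, ip, user=None, role="allowall"):
        """Return None for a consistent ARP, or an alert line for a spoof attempt."""
        mac = mac.lower()
        bound = self.table.get(ip)
        if bound is None:                        # first claim wins: learn it
            self.table[ip] = (mac, user)
            return None
        if bound[0] == mac:                      # same MAC re-ARPing: fine
            return None
        # Another MAC answering for an IP already tied to a user: drop it.
        self.spoof_counter += 1
        self.dropped_macs.append(mac)
        return (f"authmgr: IP spoof <{bound[0]} {ip} {bound[1]}> "
                f"from MAC={mac}, urole={role},")


# Output quoted from the post, used as input for the parser below.
SAMPLE_STATS = """user miss: ARP=208686, 8021Q=226303, non-IP=0, zero-IP=0, loopback=0
user miss: mac mismatch=0, spoof=9503 (4601), drop=222790
Idled users = 1362"""

_SPOOF_RE = re.compile(r"\bspoof=(\d+)(?:\s*\((\d+)\))?")


def parse_spoof_counter(output):
    """Return (spoof_count, secondary_figure_or_None) from the CLI output."""
    m = _SPOOF_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)


if __name__ == "__main__":
    mon = SpoofMonitor()
    mon.observe_arp("00:11:22:33:44:55", "1.2.3.4", "jane@goodgirl.com")
    print(mon.observe_arp("00:16:66:77:88:99", "1.2.3.4"))   # constructed spoof
    print("spoof counter:", mon.spoof_counter, parse_spoof_counter(SAMPLE_STATS))
```

Polling the spoof counter from this output on a schedule and alerting on any increase is a cheap way to notice ARP conflicts before users complain.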