Wired Networks

How to protect an Aruba Mobility access switch infrastructure from Layer2 and Layer3 Spoofing attacks ?

Switches in general are susceptible to many Layer 2 and Layer 3 attacks such as ARP spoofing, MAC spoofing, and DHCP Starvation and IP spoofing and so on.

Often these attacks utilize source IP address or MAC address spoofing to conceal the true source of the attack, this can be mitigated by enabling DHCP Snooping along with features like IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI) on the Aruba Mobility access switch.

DHCP snooping :

By enabling DHCP snooping, the system snoops the DHCP messages to view DHCP lease information and build and maintain a database of valid IP address to MAC address bindings called the DHCP snooping database address to support the security features like IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).

IP Source Guard (IPSG) :

IP spoofing is the creation of IP packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system. When IPSG is enabled on an interface, the Mobility Access Switch blocks all IP traffic received on the interface except for DHCP packets allowed by DHCP snooping and allows only IP traffic with a source IP address in the IP source binding table.

Dynamic ARP Inspection (DAI) :

Using the information from DHCP snooping or from manually configuring it, a switch can confirm that your traffic includes accurate MAC address information in ARP communications, to protect against an attacker trying to perform Layer 2 spoofing.


DAI considers an ARP packet as invalid in any of the following two cases and DAI will thus drop invalid ARP packets and generate a log message.

  • Source Mac Address in Ethernet header does not match with Source Mac in Arp header.
  • There is no corresponding DHCP Snooping binding entry for the particular Source Ip and Mac in the Arp header.

DHCP snooping , IP Source Guard and Dynamic ARP Inspection (DAI) are new feature included in AOS version 7.3.0.0  Any version below 7.3.0.0 does not have these feature.

 

Environment: All the sample outputs in this article are from Aruba S2500 Mobility Access Switch running AOS version 7.3.0.0.

 

DHCP snooping helps to build the binding database to support the security features like IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI).

 

 

Configuring DHCP Snooping :

The following command enables and configures DHCP snooping profile:

(host) (config)# vlan-profile dhcp-snooping-profile <profile-name>
(host) (dhcp-snooping-profile “profile-name”)# enable


The following command attaches DHCP Snooping profile on the VLAN:

(host) (config) # vlan <id>
(host) (“vlan id”)# dhcp-snooping-profile <profile name>


The following command adds a static binding on a VLAN:

(host) ("vlan id") #dhcp-snooping-database <mac> gigabitethernet <slot/module/port> <ip_address>

The following command deletes a static binding on a VLAN:

(host) ("vlan id") #no dhcp-snooping-database <mac> gigabitethernet <slot/module/port> <ip_address>


Sample Configuration

Create DHCP Snooping vlan profile and enable dhcp snooping.

(ArubaS2500-24P) (config) #vlan-profile dhcp-snooping-profile DHCP_SNOOPING
(ArubaS2500-24P) (dhcp-snooping-profile "DHCP_SNOOPING") #enable

Apply DHCP Snooping profile to VLAN.

(ArubaS2500-24P) (config) #vlan 5
(ArubaS2500-24P) (VLAN "5") #dhcp-snooping-profile DHCP_SNOOPING

 

Create static DHCP Snooping binding.

(ArubaS2500-24P)(VLAN "5") #dhcp-snooping-database 00:b0:d0:86:bb:f7 gigabitethernet  3/0/20 1.1.1.1

Configuring IP Source Guard :

(host)(config)# interface-profile port-security-profile <profile-name>
(host)(Port security profile "profile-name")#ip-src-guard


Configuring Dynamic ARP Inspection :

(host)(config)# interface-profile port-security-profile <profile-name>
(host)(Port security profile "profile-name")#dynamic-arp-inspection


To enable the Port Security functionality on an interface, you must attach a port-security profile to it. Use the following commands to associate a port-security profile with an interface:

For Gigabitethernet:

(host)(config) #interface gigabitethernet <slot/mod/port>
(host)(gigabitethernet "<slot/mod/port>") #port-security-profile <profile-name>


For Port-channel:

(host) (config) #interface port-channel <id>
(host) (port-channel "<id>") #port-security-profile <profile-name>

 

To Display entire dhcp snooping table :

(ArubaS2500-24P)#show dhcp-snooping-database

Total DHCP Snoop Entries : 2
Learnt Entries : 1, Static Entries : 1

DHCP Snoop Table
----------------
MAC                      IP           BINDING-STATE         LEASE-TIME                 VLAN-ID    INTERFACE
---                      --           -------------         ----------                 -------    ---------
00:b0:d0:86:bb:f7     1.1.1.1         Static entry           No lease time                5        g3/0/20
00:1b:63:84:45:e6   172.5.255.254     Dynamic entry       2013-11-01 00:38:02 (PST)       5        g3/0/20

To view the Port security profile :


(ArubaS2500-24P) (config) #show interface-profile port-security-profile ps1

    Port security profile "ps1"
---------------------------------------
  Parameter                                        Value
  ---------                                        -----
IPV6 RA Guard Action                                N/A
IPV6 RA Guard Auto Recovery Time                    N/A
MAC Limit                                           N/A
MAC Limit Action                                    N/A
MAC Limit Auto Recovery Time                        N/A
Trust DHCP                                          N/A
Port Loop Protect                                   N/A
Port Loop Protect Auto Recovery Time                N/A
Sticky MAC                                          N/A
IP Source Guard                                   Enabled
Dynamic Arp Inspection                            Enabled

To list the interfaces that have IPSG enabled :

(ArubaS2500-24P) #show ip source-guard

IPSG interface Info
-------------------
Interface   IPSG
----------  ----
GE1/0/20    Enabled
GE2/0/20    Enabled
GE3/0/20    Enabled


To Display list of IP + Mac combination permitted on a particular interface :

(ArubaS2500-24P) #show ip source-guard interface gigabitethernet 3/0/20 detail

IPSG allowed users on the interface
-----------------------------------
IP Address     Mac Address        VLAN
----------     -----------        ----
1.1.1.1        00:00:00:00:00:01  5
172.5.254.255  00:00:00:4d:67:ca  5
172.5.255.254  00:00:00:5f:2c:7d  5

 

Version History
Revision #:
1 of 1
Last update:
‎07-11-2014 02:20 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.