
We have to disable ARP poisoning on our Dell 5448 switch. Right now it has all our production machines running on it, and I'm not a networking guy at all, so I don't want to run a command that will disable ARP on all ports while setting up something like static ARPs per port.

Is there any way to stop ARP poisoning from happening while keeping it open to dynamic ARP requests, or is there a way to slowly move over? Better yet, is there a way to just make one port have a static ARP and all the others dynamic?

Thanks!

Mike
    2nd degree burns prevent acne, but that's not generally a good reason to light your head on fire. Are you sure the problem is worse than the cure? – HopelessN00b Jan 04 '13 at 01:51
  • It's needed for PCI compliance by our auditor. – Mike Jan 04 '13 at 02:07
    I doubt it. I've been through PCI audits before, and never had to do anything as retarded as manually create ARP tables for our switches. I'd seriously suggest that your auditor's an idiot who doesn't have half a clue about what the funny techie words and acronyms mean, and your best approach is to convince him of the error of his ways, and that you can secure your network without this... insanity. – HopelessN00b Jan 04 '13 at 02:15
  • I agree. We got through 3 other internal pen tests just fine; this guy is complaining about everything. – Mike Jan 04 '13 at 02:20
    So get the douchebag fired or assigned to someone else's problem. Ultimately, your company pays these asshats, so I'd stand up to him, and tell him to start being reasonable/competent in a hurry, or risk being replaced by a different auditor/company. – HopelessN00b Jan 04 '13 at 02:28
  • I would nicely explain that if the integrity of an in-scope server is so important that simple ARP spoofing is a problem, why not just secure or encapsulate the services provided by said system in an encryption protocol? – SpacemanSpiff Jan 04 '13 at 05:10
  • The PCI-DSS standard (V2.0) doesn't mention ARP at all. As it's prescriptive, I'd ask which PCI-DSS requirement specifies that this change is needed. – hmallett Jan 04 '13 at 12:57

1 Answer


For anybody who stumbles on this post 6 years later: enabling protection against ARP poisoning doesn't mean blocking dynamic ARP. It means that a server cannot advertise ARP for IP addresses that don't belong to it.

It is a very dangerous idea to disable ARP poisoning protections on all ports (or not to have them enabled). Doing so might enable a local attacker to hijack DHCP or DNS servers, or to man-in-the-middle other unauthenticated and unencrypted services (HTTP, for example).

To enable ARP poisoning protection on Dell, you need to activate DHCP snooping, which will activate Dynamic ARP Inspection.

Enabling DHCP Snooping (from Dell's website): to enable DHCP snooping, use the following commands.

  1. Enable DHCP snooping globally (CONFIGURATION mode):

        ip dhcp snooping

  2. Specify ports connected to DHCP servers as trusted (INTERFACE mode, or INTERFACE PORT EXTENDER mode):

        ip dhcp snooping trust

  3. Enable DHCP snooping on a VLAN (CONFIGURATION mode):

        ip dhcp snooping vlan name

The following command will show if it is active:

    Dell#show arp inspection database

    Protocol  Address     Age(min) Hardware Address   Interface VLAN   CPU
    ---------------------------------------------------------------------
    Internet  10.1.1.251  -        00:00:4d:57:f2:50  Te 1/2    Vl 10  CP
    Internet  10.1.1.252  -        00:00:4d:57:e6:f6  Te 1/1    Vl 10  CP
    Internet  10.1.1.253  -        00:00:4d:57:f8:e8  Te 1/3    Vl 10  CP
    Internet  10.1.1.254  -        00:00:4d:69:e8:f2  Te 1/5    Vl 10  CP
    Dell#

To see inspection statistics:

    Dell#show arp inspection statistics

    Dynamic ARP Inspection (DAI) Statistics
    ---------------------------------------
    Valid ARP Requests           : 0
    Valid ARP Replies            : 1000
    Invalid ARP Requests         : 1000
    Invalid ARP Replies          : 0
    Dell#

Source: Dell's DHCP snooping documentation.

If you need specific devices to send ARP advertisements for IP addresses that don't belong to them, this is called a gratuitous ARP. Typically for Cisco switches, you can enable gratuitous ARP on a per-port basis for server high-availability configurations. See Cisco's website.

On Dell, the following command trusts ARP for a port (INTERFACE mode). This should not be done unless necessary:

    arp inspection-trust

xlash
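To make the answer's point concrete (DAI does not block dynamic ARP; it drops ARP whose sender IP/MAC does not match the DHCP-snooping binding learned on that port, and `arp inspection-trust` bypasses that check), here is a small Python model of the inspection logic. This is an added example, not code from the answer or from Dell: the binding table, the port names, the "attacker" MAC and the ARP frames are all constructed for illustration, loosely modelled on the `show arp inspection database` output above, and the validation rules are the usual DAI rules rather than a transcription of any particular switch's implementation.

```python
"""Model of Dynamic ARP Inspection (DAI) driven by a DHCP-snooping binding table.
Added example; not code from the answer or from Dell. All data below is constructed."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Binding:
    """One DHCP-snooping binding: the (IP, MAC) a port/VLAN is allowed to speak for."""
    ip: str
    mac: str
    port: str
    vlan: int


@dataclass
class DaiStats:
    """Counters in the shape of 'show arp inspection statistics'."""
    valid_requests: int = 0
    valid_replies: int = 0
    invalid_requests: int = 0
    invalid_replies: int = 0


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(src_mac, op, sha, spa, tha, tpa, dst_mac=BROADCAST) -> bytes:
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), IPv4Address(spa).packed,
                      mac_bytes(tha), IPv4Address(tpa).packed)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (eth_src_mac, opcode, sender_mac, sender_ip), or None if not IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(src), op, mac_str(sha), str(IPv4Address(spa))


class DaiSwitch:
    """Untrusted ports may only send ARP whose sender matches a binding on that port."""

    def __init__(self, bindings, trusted_ports=()):
        self.bindings = {(b.vlan, b.ip): b for b in bindings}  # the inspection database
        self.trusted_ports = set(trusted_ports)                # 'arp inspection-trust'
        self.stats = DaiStats()

    def inspect(self, port: str, vlan: int, frame: bytes) -> bool:
        """True = forward the frame, False = DAI drops it."""
        parsed = parse_arp(frame)
        if parsed is None:
            return True            # non-ARP traffic is not DAI's concern
        eth_src, op, sha, spa = parsed
        if port in self.trusted_ports:
            return True            # trusted ports bypass inspection entirely
        binding = self.bindings.get((vlan, spa))
        ok = (binding is not None
              and binding.mac == sha      # that MAC holds the lease for the sender IP...
              and binding.port == port    # ...and the lease was learned on this port
              and eth_src == sha)         # Ethernet source must agree with ARP sender MAC
        s = self.stats
        if op == ARP_REQUEST:
            s.valid_requests += ok; s.invalid_requests += (not ok)
        elif op == ARP_REPLY:
            s.valid_replies += ok; s.invalid_replies += (not ok)
        return ok


# Constructed binding table for VLAN 10, as DHCP snooping would have learned it.
BINDINGS = [
    Binding("10.1.1.251", "00:00:4d:57:f2:50", "Te 1/2", 10),
    Binding("10.1.1.252", "00:00:4d:57:e6:f6", "Te 1/1", 10),  # HA node that owns VIP 10.1.1.250
    Binding("10.1.1.254", "00:00:4d:69:e8:f2", "Te 1/5", 10),  # default gateway
    Binding("10.1.1.100", "00:00:4d:aa:bb:cc", "Te 1/4", 10),  # attacker's own (valid) lease
]


def run_demo():
    """Run five constructed frames through DAI; returns ({scenario: forwarded?}, stats)."""
    sw = DaiSwitch(BINDINGS)
    r = {}
    # 1. Ordinary request from .251 on the port its lease was learned on: forwarded.
    f = build_arp("00:00:4d:57:f2:50", ARP_REQUEST, "00:00:4d:57:f2:50", "10.1.1.251",
                  "00:00:00:00:00:00", "10.1.1.254")
    r["legit_request"] = sw.inspect("Te 1/2", 10, f)
    # 2. Poisoning attempt: attacker on Te 1/4 tells .251 the gateway lives at its MAC.
    f = build_arp("00:00:4d:aa:bb:cc", ARP_REPLY, "00:00:4d:aa:bb:cc", "10.1.1.254",
                  "00:00:4d:57:f2:50", "10.1.1.251", dst_mac="00:00:4d:57:f2:50")
    r["spoofed_gateway_reply"] = sw.inspect("Te 1/4", 10, f)
    # 3. Attacker also clones the gateway MAC: binding exists, but on Te 1/5, not Te 1/4.
    f = build_arp("00:00:4d:69:e8:f2", ARP_REPLY, "00:00:4d:69:e8:f2", "10.1.1.254",
                  "00:00:4d:57:f2:50", "10.1.1.251", dst_mac="00:00:4d:57:f2:50")
    r["cloned_gateway_reply"] = sw.inspect("Te 1/4", 10, f)
    # 4. Gratuitous ARP for VIP 10.1.1.250, which has no lease: dropped on an untrusted port...
    garp = build_arp("00:00:4d:57:e6:f6", ARP_REPLY, "00:00:4d:57:e6:f6", "10.1.1.250",
                     "00:00:4d:57:e6:f6", "10.1.1.250")
    r["vip_garp_untrusted"] = sw.inspect("Te 1/1", 10, garp)
    # 5. ...and forwarded once the HA node's port is trusted ('arp inspection-trust').
    sw.trusted_ports.add("Te 1/1")
    r["vip_garp_trusted"] = sw.inspect("Te 1/1", 10, garp)
    return r, sw.stats


if __name__ == "__main__":
    decisions, stats = run_demo()
    for name, fwd in decisions.items():
        print(f"{name:24s} {'forwarded' if fwd else 'DROPPED'}")
    print(stats)
```

Scenarios 2 and 3 are the two shapes a poisoning attempt takes on an untrusted port (wrong MAC for the IP, or the right MAC on the wrong port) and both are dropped without touching any legitimate dynamic ARP, which is the answer's point. Scenario 4 is the operational caveat: an IP with no DHCP lease, such as a statically addressed server or an HA virtual IP, fails inspection until its port is trusted or a static binding is added, which is exactly the sort of production host to check for before enabling DAI on a switch full of servers.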