
I have a number of servers running on Dell switches which are used by clients for their projects. Occasionally some clients put other clients' IP addresses on their server (presumably by accident), and even though I can prevent them from using those IP addresses with ACL rules, I cannot prevent them from responding to ARP messages with the stolen IP address, which messes up server accessibility for the original IP owner. All of the switch ports are on the same VLAN and I can't split ports into different VLANs for routing and IP limitation reasons.

I was wondering what the possible ways are of preventing unauthorized ports/MACs from replying to "ARP who has" messages with someone else's IP.

EDIT:

I mostly use Dell S4810 switches. I, of course, tried looking up the solution to my problem in the manual; however, the best that I could find is "dynamic ARP inspection", which uses the DHCP database to validate IP addresses against MACs. My clients often use large portions of external IP addresses on virtual machines, so locking them directly to a single MAC address is a little complicated. Adding to the problem is their ability to move IP addresses from one server to another on another switch port.

I have implemented heavy SNMP logging of alerts and traps. I am now leaning towards a complex scripting solution which would check the collected "IP to MAC" address logs and compare them with client-owned server/VM MACs for any irregularities and, based on some sort of calculation, determine whether someone is stealing someone else's IP and simply turn off the port that is the source of the malicious activity.

The general idea of this post was to gather ideas of other solutions. Appreciate all the input.

Andrew Davis

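The log-comparison approach described in the question's edit, written out as an added example (this is not code from the original post). It assumes two things the post does not spell out: that the SNMP/ARP observations have already been collected into one line per observation of the form `<timestamp> <ip> <mac> <port>`, and that a provisioning database can say which IP prefixes and which server/VM MAC addresses each client owns. The client names, prefixes, MACs, ports and log lines below are constructed for illustration. The rule it applies is the one the question needs: an IP is allowed on any MAC its owning client owns (so clients can move addresses between their own servers freely), and only an IP seen on another client's MAC, or on an unknown MAC, counts against a port. Addresses that nobody owns are reported for review rather than acted on, and a `min_hits` threshold lets you require a repeat observation before a port is disabled, so a single transient typo that the client corrects does not knock a port out.

```python
"""Compare observed IP-to-MAC-to-port records with client ownership data.

Added example; assumptions (not from the original post): observations are
lines "<timestamp> <ip> <mac> <port>", and ownership comes from a
provisioning database represented here by two dicts.
"""
import ipaddress
from collections import Counter

# Constructed ownership data (hypothetical clients, prefixes and MACs).
CLIENT_PREFIXES = {
    "alpha": ["203.0.113.0/26"],
    "beta": ["203.0.113.64/26"],
}
CLIENT_MACS = {
    "alpha": {"00:11:22:aa:00:01", "00:11:22:aa:00:02"},
    "beta": {"00:11:22:bb:00:01"},
}

# Constructed observations, in the format the collector is assumed to write.
SAMPLE_LOG = """\
2018-05-08T10:00:01 203.0.113.10  00:11:22:aa:00:01 Te0/1
2018-05-08T10:00:05 203.0.113.70  00:11:22:bb:00:01 Te0/5
2018-05-08T10:01:00 203.0.113.10  00:11:22:aa:00:02 Te0/2
2018-05-08T10:02:00 203.0.113.70  00:11:22:aa:00:02 Te0/2
2018-05-08T10:02:30 203.0.113.200 00:11:22:cc:00:09 Te0/9
"""


def owner_of_ip(ip, prefixes=CLIENT_PREFIXES):
    """Return the client that owns the prefix containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for client, nets in prefixes.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return client
    return None


def owner_of_mac(mac, macs=CLIENT_MACS):
    """Return the client that owns `mac`, or None if it is not provisioned."""
    mac = mac.lower()
    for client, owned in macs.items():
        if mac in owned:
            return client
    return None


def parse_log(text):
    """Parse collector lines into (timestamp, ip, mac, port) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, mac, port = line.split()
        rows.append((ts, ip, mac.lower(), port))
    return rows


def find_violations(rows, prefixes=CLIENT_PREFIXES, macs=CLIENT_MACS):
    """Flag every observation where an IP sits on a MAC its owner does not own.

    An IP moving between two MACs of the same client is deliberately allowed.
    """
    findings = []
    for ts, ip, mac, port in rows:
        ip_owner = owner_of_ip(ip, prefixes)
        mac_owner = owner_of_mac(mac, macs)
        if ip_owner is not None and mac_owner == ip_owner:
            continue  # the client's own IP on one of the client's own MACs
        if ip_owner is None:
            kind = "unallocated-ip"  # nobody owns it: review, never auto-disable
        elif mac_owner is None:
            kind = "unknown-mac-on-client-ip"
        else:
            kind = "cross-client-ip"  # one client answering for another's address
        findings.append({"ts": ts, "ip": ip, "mac": mac, "port": port,
                         "ip_owner": ip_owner, "mac_owner": mac_owner,
                         "kind": kind})
    return findings


def ports_to_disable(findings, min_hits=1):
    """Ports whose MAC was seen on someone else's IP at least `min_hits` times."""
    hits = Counter(f["port"] for f in findings if f["kind"] != "unallocated-ip")
    return sorted(port for port, n in hits.items() if n >= min_hits)


if __name__ == "__main__":
    findings = find_violations(parse_log(SAMPLE_LOG))
    for f in findings:
        print(f"{f['ts']} {f['kind']}: {f['ip']} (owner {f['ip_owner']}) "
              f"seen on {f['mac']} (owner {f['mac_owner']}) port {f['port']}")
    print("disable:", ports_to_disable(findings))
```

Run against the constructed log, the script leaves the move of 203.0.113.10 between alpha's two MACs alone, reports 203.0.113.70 (beta's address) answering from alpha's MAC on Te0/2 as a cross-client conflict, and lists the unallocated 203.0.113.200 for review only. Feeding it real data means replacing the two dicts with a lookup into whatever system records client allocations, and the port-disable step with the switch's own CLI or SNMP write, which this example does not attempt.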
2 Answers


Many switches have ARP protection/ARP inspection/IP source guard mechanisms which can be enabled to police all ARP traffic passing through the switch and enforce the MAC-to-IP bindings. These can learn appropriate bindings dynamically from DHCP (snooping), or you can statically set them which is probably what you need here.

However, I'm not sure about the availability of this feature on Dell's products. I grabbed a PowerConnect 5448 manual (admittedly pretty old now) and couldn't find mention of it...

Mintra
  • It's a Dell S4810 - FTOS 9.11. Tried going over the manual; however, couldn't find anything useful besides "dynamic arp inspection", which isn't that great. – Andrew Davis May 08 '18 at 12:32
  • I had a look in the manual and `arp inspection` is what I was thinking of. You would be able to use that with the `ip dhcp snooping binding ...` command to enforce IP address to MAC address bindings for all ARP traffic flowing through the switch. However, your latest comment on mfinni's answer below makes me think this is still not the ideal solution because you want clients to be able to change addresses freely between their own servers, which this would prevent. In that case only separate VLANs and routing, I'm afraid! – Mintra May 09 '18 at 13:51

Will your Dell switches allow you to put in static ARP entries for all of your servers? You didn't post the models or OS version, so I can't look it up for you. I know on Cisco switches, you can also limit the number of ARP entries per port, so if you're not virtualized, you could set each client port to "1" and that might not let changes happen.

That will be a pain to manage, of course.

This sort of problem is pretty much what VLANs are for, so see if you can resolve the obstacles to implementing them.

mfinni
    That won't stop other machines in the same network segment from seeing the rogue ARPs, so it is arguably not a complete solution. Well-behaved clients are supposed to probe for other devices on an address before they start using it themselves, but even if they can be trusted to do that, it's a who-gets-there-first situation... – Mintra May 04 '18 at 15:51
  • Sure - I'm running on the assumption that the first one to get the IP was correct, and it's a subsequent typo by a different customer; that's why I couched it as a "might work, won't work well" solution, and that they should try to get to VLANs. – mfinni May 04 '18 at 17:24
  • As "Mintra" stated, it won't stop this sort of activity from happening on my network. It's a rather complex network, meaning that clients can easily move their IP addresses from one server to another they own. I am trying to catch ideas on it. Thanks for the input! – Andrew Davis May 08 '18 at 11:46