ARP poisoning troubleshooting

It looks like my network got attacked by ARP poisoning. I see spoofing MAC addresses. When I shut down one, another one po up somewhere else. I am not sure how to deal with this. Any thoughts will be greatly appreciated. Thanks
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Defence depends on options that are available on switch.
Dave HoweSoftware and Hardware EngineerCommented:
many switches allow you to shut down a port if more than a certain number of mac addresses are seen from it - that is the usual method (if you have it). Cisco call that "port security" and obviously other vendors call it something else :)

As Predrag says, we would need further info to give a more detailed answer.
leblancAccountingAuthor Commented:
Sorry, My network is all Juniper ex2200 and ex4200. So if I understand correctly, you can shut down some of the ports now to stop this issue? Thx
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

Dave HoweSoftware and Hardware EngineerCommented:
Its a little more subtle than that.

As I read this page by setting a mac limit of (say) 5 you can say that any port on the switch will only accept the first five mac addresses it sees, and any mac addresses beyond those will be dropped (silently) and the action logged.

this means that you can both mitigate the extra macs and identify which port the spoofer is connected to, in order to track them down.

you can also hard-lock certain macs to certain ports if you wish - so that the port will only accept that one mac or list of macs - but that is considerable administrative overhead unless the attached nics are pretty static.

my reading is that, in config mode, at the ethernet-switching-options>>secure-access-port level, the command

set interface all mac-limit 5

would cause the mac limit to go to 5 and drop as the action (default)

you might first want to clear already learned macs with

clear ethernet-switching-table

to prevent any valid users being accidentally locked out by this move; you can also clear down individual ports with the same command (and a final argument of the port should you want to just release one port) should a sixth device (laptop, say) be added to a port legitimately in future.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
leblancAccountingAuthor Commented:
When you set interface all mac-limit 5, will it set for all access ports? I have a stack of 4 48-port switches.
Dave HoweSoftware and Hardware EngineerCommented:
the <all> designates the port on the switch (as in all of them) - you can substitute the actual port if you want to do this at a finer grained level (see the link I posted)
it will need doing per switch, and you should also set the switches to send their logs via syslog to a central machine so you can monitor them for the drop alerts.
leblancAccountingAuthor Commented:
That is a very good idea. I will try that. Now what if my access port is connected to an AP. There are a lot of hosts going through an AP. Correct? So how will I deal with that? Thanks
Dave HoweSoftware and Hardware EngineerCommented:
normally you wouldn't do that with a trunk port, and a AP counts as a trunk (so, exclude the links between switches too)

if its an AP though, normally it will have its own mac table and so forth, and you will have to deal with that separately.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.