EX4500 VLAN ARP - Spoof protection

Dear friends,

Does anybody know how to prevent spoofing in a VLAN and protect the VLAN's IP addresses from ARP attacks?
FireBallITAsked:
DavidPresidentCommented:
Well, some general things you can do, no matter what the hardware is:
 * Configure the switch so that only specific physical ports can talk to other physical ports. (Sometimes this is called PVLANs, for private VLANs.) This is a great way because there can't be spoofing to begin with; you have to be plugged into the right physical ports to even see what is at the other end.
 * Some switches also have a network access control (NAC) feature. It isn't the same as VLANs, but it does quarantine sources and destinations.

Here is a good article that addresses common ARP poisoning techniques and how to protect against them: http://www.thegeekstuff.com/2012/01/arp-cache-poisoning/
btanExec ConsultantCommented:
You are probably looking for the DHCP security features in EX, e.g. IP source guard, which checks whether a packet header contains an invalid source IP address or source MAC address and ensures that the switch does not forward the packet any further but discards it instead, as well as dynamic ARP inspection (DAI) to augment IP source guard.

Have the EX connected to the DHCP server and configure the VLAN to which you are adding the DHCP security features. Here is an example of the quick setup and verification:
http://www.juniper.net/techpubs/en_US/junos15.1/topics/example/port-security-protect-from-spoofing-els.html

You can further check out the "DHCP Snooping" section in this PDF:

When enabling DHCP snooping on an EX Series switch, the following guidelines should be kept in mind:

1. All access ports, which clients are typically expected to be connected to, are untrusted, and trunk ports, which face the network infrastructure, are trusted by default.

2. On untrusted ports, only DHCP client-type messages such as discoveries/requests are allowed; all other DHCP packets are dropped. The switch also builds a DHCP snooping database on these ports, where the MAC addresses, port locations, VLAN, and IP bindings from DHCP exchanges between the client and server are stored.

3. If you move a network device from one VLAN to another, where typically the device has to acquire a new IP address, its entry in the DHCP snooping binding database, including the VLAN ID, is updated.

It is important to remember that DAI is entirely dependent on DHCP snooping, specifically the DHCP snooping binding database. If there is no corresponding DHCP snooping entry in the binding database, any ARP packets received on the untrusted port are dropped.
http://www.hiphop-resistance.com/juniperdayone/Configuring%20EX%20Series%20Switches.pdf
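To make the DAI behaviour quoted above concrete, here is an added Python model of the decision a switch makes per ARP packet (example code written for this thread, not Junos code or anything from Juniper's documentation). The binding table, port names and addresses are constructed for illustration; the rules it implements are the three guidelines above plus the "no binding means drop" rule.

```python
# Added example: a minimal model of dynamic ARP inspection (DAI) driven by a
# DHCP snooping binding database. Everything below is constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpPacket:
    in_port: str      # port the ARP packet arrived on
    vlan: int
    sender_mac: str
    sender_ip: str


# Guideline 1: trunk ports facing the infrastructure are trusted, access
# ports facing clients are untrusted (constructed port names).
TRUSTED_PORTS = {"ge-0/0/47"}

# Guideline 2: the snooping database stores MAC, port, VLAN and IP learned
# from DHCP exchanges. Keyed here by (vlan, mac); values are constructed.
BINDINGS = {
    (10, "00:11:22:33:44:55"): Binding("00:11:22:33:44:55", "10.0.10.20", 10, "ge-0/0/1"),
    (10, "00:11:22:33:44:66"): Binding("00:11:22:33:44:66", "10.0.10.21", 10, "ge-0/0/2"),
}


def dai_verdict(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return 'forward' or 'drop' for an ARP packet, as DAI would decide."""
    if pkt.in_port in trusted:
        return "forward"            # trusted ports are not inspected
    binding = bindings.get((pkt.vlan, pkt.sender_mac))
    if binding is None:
        return "drop"               # no snooping entry at all: dropped
    if binding.ip != pkt.sender_ip or binding.port != pkt.in_port:
        return "drop"               # sender IP or ingress port disagree with the binding
    return "forward"


def move_host(bindings, mac, old_vlan, new_vlan, new_ip, new_port):
    """Guideline 3: a host moved to another VLAN gets its binding (VLAN ID included) updated."""
    bindings.pop((old_vlan, mac), None)
    bindings[(new_vlan, mac)] = Binding(mac, new_ip, new_vlan, new_port)
```

The point for the asker's situation is visible in the `binding is None` branch: with no DHCP exchanges there is nothing in the database, so DAI on untrusted ports would drop every ARP packet rather than protect anything.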
FireBallITAuthor Commented:
No btan, we do not use DHCP on our devices.

Yes dlethe, nice article, but it does not include anything about how to do it on the EX4500.
btanExec ConsultantCommented:
It will be good to link that up with DHCP; otherwise, for a small network, I am thinking you may consider simply using static IP addresses and static ARP tables, or even putting in a static ARP entry for the router gateway, like the "arp -s" command in a Linux environment.

Pardon that I did not go into specifics of the model, but overall I'd say the key is to prevent man-in-the-middle (MiM) attacks for such ARP spoofing, not forgetting the baseline hardening to prevent switch compromise:
• Manage switches in as secure a manner as possible, with the native VLAN ID not used for trunking. Always use a dedicated VLAN ID for all trunk ports.
• Set all user ports to non-trunking and do configure the port-security feature in the switch for more protection. (Note: be careful about configuring the port-security feature.)
• Avoid using VLAN 1 and consider port-security where possible for user ports.
• Enable BPDU Guard for STP attack mitigation and use private VLANs where appropriate to further divide L2 networks. And if VTP is used, use MD5 authentication.
• Disable all unused ports.

FireBallITAuthor Commented:
Thank you