We have to disable ARP poisoning on our Dell 5448 switch. Right now it has all our production machines running on it, and I'm not a networking guy at all, so I don't want to run a command that will disable ARP on all ports while setting up something like static ARPs per port.
Is there any way to stop ARP poisoning from happening while keeping it open to dynamic ARP requests, or is there a way to slowly move over? Better yet, is there a way to just make one port have a static ARP and all the others dynamic?
Thanks!
For anybody who stumbles on this post 6 years later, enabling protection against ARP poisoning doesn't mean blocking dynamic ARP. It means that a server cannot advertise ARP for IP addresses that don't belong to it.
It is a very dangerous idea to disable ARP poisoning protections on all ports (or not to have them enabled). Doing so might enable a local attacker to hijack DHCP or DNS servers, or to man-in-the-middle other unauthenticated and unencrypted services (HTTP, for example).
To enable ARP poisoning protection on Dell, you need to activate DHCP snooping protection, which will activate Dynamic ARP Inspection.
Enabling DHCP Snooping (from the Dell website): To enable DHCP snooping, use the following commands.
1. Enable DHCP snooping globally (CONFIGURATION mode):
   ip dhcp snooping
2. Specify ports connected to DHCP servers as trusted (INTERFACE mode, or INTERFACE PORT EXTENDER mode):
   ip dhcp snooping trust
3. Enable DHCP snooping on a VLAN (CONFIGURATION mode):
   ip dhcp snooping vlan name
The following commands will show if it is active:
To see inspection statistics:
SOURCE
If you need specific devices to send ARP advertisements for IP addresses that don't belong to them, that is called gratuitous ARP. Typically for Cisco switches, you can enable gratuitous ARP on a per-port basis for server high-availability configurations. See Cisco's website.
On Dell, the following command trusts ARP for a port. This should not be performed unless necessary.
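To make concrete what the answer above describes, here is an added model (not from the post, not Dell's code) of how Dynamic ARP Inspection decides per packet: on untrusted ports the ARP sender IP/MAC pair must match a DHCP snooping binding learned on that port and VLAN, while trusted ports (the one carrying "ip dhcp snooping trust") bypass the check. Port names, bindings and packets are constructed sample data, and the model is simplified (real DAI also sanity-checks MAC and IP headers).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:          # one DHCP snooping binding-table entry
    mac: str
    ip: str
    vlan: int
    port: str

@dataclass(frozen=True)
class ArpPacket:        # the fields DAI looks at in an ARP request/reply
    port: str           # ingress port
    vlan: int
    sender_mac: str
    sender_ip: str

def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")

def dai_verdict(pkt, bindings, trusted_ports):
    """Return ('permit'|'drop', reason) as DAI would for this ARP packet."""
    if pkt.port in trusted_ports:
        return "permit", "trusted port, inspection bypassed"
    mac = normalize_mac(pkt.sender_mac)
    for b in bindings:
        if b.vlan == pkt.vlan and normalize_mac(b.mac) == mac and b.ip == pkt.sender_ip:
            if b.port == pkt.port:
                return "permit", "matches DHCP snooping binding"
            return "drop", f"binding is on {b.port}, packet arrived on {pkt.port}"
    return "drop", "no DHCP snooping binding for sender IP/MAC on this VLAN"

# constructed binding table: two DHCP clients on VLAN 10 (hypothetical port names)
BINDINGS = [
    Binding("00:11:22:33:44:55", "10.0.10.21", 10, "Gi1/0/5"),
    Binding("00:11:22:33:44:66", "10.0.10.22", 10, "Gi1/0/6"),
]
TRUSTED = {"Gi1/0/1"}   # uplink to the DHCP server, configured as trusted

# constructed sample ARP traffic
SAMPLES = [
    ArpPacket("Gi1/0/5", 10, "00:11:22:33:44:55", "10.0.10.21"),  # legitimate client
    ArpPacket("Gi1/0/6", 10, "00:11:22:33:44:66", "10.0.10.1"),   # client claiming the gateway IP
    ArpPacket("Gi1/0/1", 10, "aa:bb:cc:dd:ee:ff", "10.0.10.1"),   # arrives on the trusted uplink
]

def inspect_all(packets, bindings=BINDINGS, trusted=TRUSTED):
    return [dai_verdict(p, bindings, trusted) for p in packets]

if __name__ == "__main__":
    for p, (verdict, reason) in zip(SAMPLES, inspect_all(SAMPLES)):
        print(f"{p.port} {p.sender_ip} {p.sender_mac}: {verdict} ({reason})")
```

The second sample is the case DAI exists for: a host on an untrusted port answering for an IP it was never leased, which is dropped without touching dynamic ARP for the legitimately bound hosts.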