Question : Problem: Prevent default gateway hijacking?

Yesterday we had a problem where one of our user segment vlans just stopped routing into the core of the network.  Somehow we missed the "duplicate IP address" in the logs and beat our heads against the wall looking at the more difficult likely problems first before the simple ones ... OSPF hadn't recalculated, routes were in the routing tables, switch could ping devices on the vlan, devices on vlan could ping default gateway, other devices could ping real IPs of the two routers, VRRP running fine, no apparent problems.

Finally, we saw the "duplicate IP warning"  - matching our DEFAULT GATEWAY!  We tracked the mac down to a particular port on the switch and shut down that port.  We then flushed forwarding tables and ARP tables and reset VRRP and everything back to normal.

Turns out, one of the Unix engineers was running a beta version of Solaris 10 and there's some kind of bug where something was setting HIS machine to the IP address of the default gateway, even though his /etc/hosts file was correct.

The question -->  On a stack of 3750's (layer 2 only) - with recent IOS (I forget which version) - is there ANY way to block someone coming on line with the IP address of the default gateway?  If it were layer 3, we could do an ACL.

Answer : Problem: Prevent default gateway hijacking?

Configure Your Catalyst for a More Secure Layer 2:

*Dynamic ARP Inspection:  [Perhaps this could do what you need]

ARP inspection allows the switch to discard ARP packets with invalid IP to MAC address bindings, effectively stopping common man-in-the-middle attacks. ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by broadcasting ARP responses where the attacker claims to be someone else.

To curtail poisoning, Dynamic ARP Inspection (DAI) uses our friend, the DHCP snooping table. There are many options, and you must be careful enabling DAI if all network devices don't support it. The most basic configuration is:

    Switch(config)# ip arp inspection vlan 1

Trunk ports need to be trusted:

    Switch(config)# int range f1/1 - 4 , f2/24
    Switch(config-if)# ip arp inspection trust

You can view the status with:

    Switch# show ip arp inspection ?

Using the features that leverage knowledge gained from DHCP snooping can create a new level of local network security. Combine that with port-level MAC security, and network admins will no longer cringe at the thought of turning on a network connection in a public area. Testing these features in a production environment is, of course, not recommended: Many of them have wicked side effects if configured incorrectly or out of order.
http://enterprisenetworkingplanet.com/netsecur/article.php/3462211
---------------------

Cisco IOS Software Release 12.2(25)SEB:
Dynamic ARP inspection (DAI) and IP Source Guard (IPSG) support added to the IP Base image for the Cisco Catalyst 3750, Catalyst 3560, and Catalyst 3550 series. DAI and IPSG use a higher level of network security by preventing breaches such as "man-in-the-middle" attacks.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/prod_bulletin0900aecd80267801.html
The following software is available for download.
Cisco Catalyst 3750 Series software: http://www.cisco.com/pcgi-bin/tablebuild.pl/cat3750

• Private VLAN support added to the IP Base image for the Cisco Catalyst 3750 and Catalyst 3560.

• Port security for voice VLANs support facilitates the configuration of voice VLANs for access ports such that an IP phone can not be moved within a switch unless the switch is reconfigured. Only one identified, secure PC is allowed per IP phone, and the PC can bypass the IP phone if desired.

• Internet Group Management Protocol (IGMP) Leave Timer Change support.

• Reformation software packaging support allows consistent image naming across the Cisco Catalyst switching portfolio. Cisco IOS Software Release 12.2(25)SEB will support IP Advanced Services, IP Services, IP Base, and LAN Base images. Images formerly known as AIS, EMI, SMI, and EI will now map to IP Advanced Services, IP Services, IP Base, and LAN Base, respectively.
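Putting the answer together for the exact case in the question, here is an added worked configuration (not from the original post or from Cisco's documentation) that uses DAI with a static ARP ACL to pin the gateway IP to the VRRP virtual MAC on a layer-2 3750 stack. The VLAN number, addresses, VRRP group and interface names are assumptions; the only fixed fact it relies on is that a VRRP virtual MAC is 0000.5e00.01xx with xx equal to the VRID.

```cisco
! Added example: block any host other than the VRRP pair from answering ARP
! for the default gateway IP on a layer-2 Catalyst 3750 stack.
! Assumptions: user VLAN 10, gateway VIP 10.10.10.1, VRRP group (VRID) 1,
! so the virtual MAC is 0000.5e00.0101; Gi1/0/1-2 are the uplinks toward
! the two routers (and the DHCP server); Fa1/0/1-48 are user access ports.
!
! 1. DHCP snooping builds the IP-to-MAC binding table that DAI checks
!    ordinary (DHCP-assigned) hosts against.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. ARP ACL: only the VRRP virtual MAC may be the sender for the gateway
!    IP. Any other MAC claiming 10.10.10.1 (the rogue Solaris box in the
!    story) is dropped and logged.
arp access-list GATEWAY-GUARD
 permit ip host 10.10.10.1 mac host 0000.5e00.0101
 deny   ip host 10.10.10.1 mac any log
!
! 3. Turn on DAI for the VLAN and apply the ACL. Without the "static"
!    keyword, ARP packets that match no ACL line fall through to the DHCP
!    snooping bindings, so DHCP clients keep working as before.
ip arp inspection vlan 10
ip arp inspection filter GATEWAY-GUARD vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 4. Trust the router-facing uplinks so the routers' own ARP and DHCP
!    traffic is never inspected; user ports stay untrusted and rate-limited
!    (15 pps is the untrusted-port default, written out here for clarity).
interface range GigabitEthernet1/0/1 - 2
 description uplinks to VRRP routers / DHCP server
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range FastEthernet1/0/1 - 48
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! 5. A port that exceeds the ARP rate limit is err-disabled; let it recover
!    on its own after five minutes instead of needing a manual shut/no shut.
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```

Two caveats before deploying this on a production VLAN. Hosts with static IP addresses on untrusted ports (printers, servers, that Solaris box) have no DHCP snooping binding, so DAI will drop their ARP traffic unless you add a permit line for each of them in the ARP ACL or a static binding with `ip source binding`. And DAI only filters ARP: it stops the rogue host's ARP replies from poisoning other hosts' caches, which is what caused the outage described, but it does not stop the host from configuring the duplicate address locally; the switch's own duplicate-IP log message (and `show ip arp inspection log`) is still what tells you which port to look at.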
