DHCP Snooping and Dynamic ARP Inspection

Unanswered Question
Sep 28th, 2009
Hi,


In order to reduce the impact of ARP spoofing attacks, I would like to implement the DHCP snooping and Dynamic ARP Inspection features on our Cisco enterprise network.


Tests were conclusive for all devices connected directly to Cisco switches.


However, I still have problems with devices connected to SOHO unmanaged switches.


Could you please indicate how I can overcome this problem?


You can find an example diagram in the attachment.


Printer1 and PC2 cause connectivity problems when port Fa0/23 on switch S2 is configured as untrusted.


When I configure that port as trusted, I can still carry out successful ARP spoofing attacks with the Cain & Abel software.



Best Regards,

Mustapha



Giuseppe Larosa Mon, 09/28/2009 - 02:12

Hello Mustapha,

Indeed, DHCP snooping and DAI would fit with a design where no unmanaged switches are present, so that a one-to-one correspondence between MAC addresses of PCs and printers and ports can be done.


In your case you could just use port security with DHCP snooping trusted state as a way to mitigate at least MAC flood attacks.


Hope to help

Giuseppe
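As an added illustration that is not part of this thread (neither Mustapha's nor Giuseppe's configuration), the following Cisco IOS fragment shows the two states of port Fa0/23 discussed above: the port left untrusted for DAI with an ARP ACL covering a statically addressed device, and the port trusted with port security as the reply suggests. VLAN 10, the Gi0/1 uplink, and the IP/MAC values are assumptions constructed for the example; the page only names S2, Fa0/23, Printer1 and PC2, and it does not say whether Printer1 uses DHCP, so the static address is an assumption.

```ios
! --- Global (S2): enable DHCP snooping and DAI on the access VLAN (VLAN 10 assumed)
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Uplink towards the distribution layer / DHCP server (Gi0/1 assumed):
! this is the only port that legitimately carries DHCP server replies
interface GigabitEthernet0/1
 description Uplink - DHCP server is upstream
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Option A: keep Fa0/23 untrusted so DAI still checks every ARP packet
! that arrives from the hosts behind the unmanaged SOHO switch.
! Hosts that get an address from DHCP (e.g. PC2) are covered by the snooping
! binding table; a host with a static address (Printer1 assumed) needs an
! explicit ARP ACL entry or DAI drops its ARP packets, which is one way to
! get exactly the "connectivity problem" described in the question.
arp access-list STATIC-HOSTS
 ! constructed values: Printer1's assumed static IP and MAC
 permit ip host 10.10.10.50 mac host 0000.0c12.3456
!
! Without the trailing "static" keyword, ARP packets not matched by the ACL
! are still checked against the DHCP snooping bindings, so PC2 keeps working
ip arp inspection filter STATIC-HOSTS vlan 10
!
interface FastEthernet0/23
 description Link to unmanaged SOHO switch (Printer1, PC2 behind it)
 switchport mode access
 switchport access vlan 10
 no ip dhcp snooping trust
 no ip arp inspection trust
 ! rate limits: a rogue DHCP server or ARP flood behind the SOHO switch
 ! err-disables the port instead of affecting the rest of the VLAN
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 30
 ! port security caps the number of MAC addresses seen on this port
 ! (Printer1 + PC2 + one spare assumed)
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
!
! --- Option B: the state described in the thread. Trusting the port means
! DAI no longer inspects ARP packets from anything behind the SOHO switch,
! which is why ARP spoofing from there still succeeds; port security alone
! limits MAC flooding but does not validate ARP contents.
! (Replace the two "no ... trust" lines of Option A with these.)
! interface FastEthernet0/23
!  ip dhcp snooping trust
!  ip arp inspection trust
!
! --- Verification
! show ip dhcp snooping binding          <- PC2 should appear on Fa0/23
! show ip arp inspection vlan 10         <- confirms DAI and ACL are active
! show ip arp inspection interfaces      <- Fa0/23 must show "Untrusted"
! show port-security interface Fa0/23
```

The point the fragment makes concrete: DAI only protects the hosts on ports it actually inspects, so every device behind an unmanaged switch shares the trust decision of its single uplink port. Keeping that port untrusted and enumerating the few static devices in an ARP ACL preserves the protection; trusting it trades ARP validation for connectivity, leaving port security as the remaining control.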

