Ruijie Community

Title: How to prevent ARP spoofing in DHCP environments? [Print this page]

Author: GTAC-Sophia    Time: 2023-7-19 10:26
Title: How to prevent ARP spoofing in DHCP environments?
1. DHCP Snooping + IP Source guard + ARP-check solution
2. DHCP Snooping +DAI solution
Introduction of DHCP Snooping + IP Source guard + ARP-check solution
In the process of obtaining IP addresses dynamically by user PCs, the DHCP Snooping function of the access layer switch records the correct IP and MAC information obtained by user DHCP into the DHCP Snooping software table of the switch; then use the DAI function (pure CPU method) to verify all the ARP messages entering the switch, compare the Sender IP and Sender MAC fields in the ARP messages with the IP+MAC information recorded in the DHCP Snooping table, and release them if they match, otherwise discard them. In this way, if a legitimate user obtains an IP address and then tries to perform ARP spoofing, or if an illegal user privately configures astatic IP address, their ARP checks will fail and such a user will not be able to use the network.
Applied scenarios

This solution is suitable for various environments where the users use DHCP to obtain IP addresses dynamically (requiring the deployment of DHCP snooping to prevent DHCP spoofing), including 802.1Xauthentication environments, web authentication environments, GSN environments, non-authentication environments, etc. It is also particularly suitable for scenarios where PCs set ip addresses privately.   
Case of configuration

a) Requirement

The user gateway is on the core switch, the core switch creates a DHCP Server, the PCs connect to the access switch use dynamic DHCP to obtain IP address, in order to prevent ARP spoofing between downlinked users and downlinked users spoofing the gateway, use DHCP Snooping +DAI solution to solve the ARP spoofing problem.
b) Network Topology



Configuration Tips:
1. Enable DHCP Server function on the core switch (the user side may also use a dedicated DHCP server, the core switch only needs to enable DHCP Relay)   
2. Enable dhcp snooping function globally on the access switch, and open the DHCP Snooping trust port on the uplinked core port.
3. Global DAI detection function is enabled, and the DAI Trust function is enabled on the uplink port.
4. Enable the IP Source Guard function on the interfaces connected to users   
5. Adjust CPP limit and NFPP function, TRUNK reduction optimization
Configuration

1) Configuration on the Core SW:
—Enable the DHCP service function
Ruijie>enable   
Ruijie#configure terminal
Ruijie(config)#service dhcp

—Configure the IP address of the Core SW, i.e. thegateway address of the users
Ruijie(config)#interface vlan 1
Ruijie(config-if-VLAN 1)#ip address 192.168.1.254255.255.255.0
Ruijie(config-if-VLAN 1)#exit

—Configure DHCP pool
Ruijie(config)#ip dhcp pool vlan1
Ruijie(dhcp-config)#network 192.168.1.0255.255.255.0      
Ruijie(dhcp-config)#dns-server 218.85.157.99                    
Ruijie(dhcp-config)#default-router192.168.1.254               
Ruijie(dhcp-config)#end
Ruijie#wr

2) Configuration on the Access SW
—Enable the DHCP snooping function
Ruijie>enable   
Ruijie#configure terminal
Ruijie(config)#ip dhcp snooping

—Set the interface connecting to the DHCP server toa trusted interface
Ruijie(config)#interface gigabitEthernet 0/49
Ruijie(config-GigabitEthernet 0/49)#ip dhcpsnooping trust  ------> All interfacesof the access switch with DHCP snooping enabled are untrust ports by default,and the switch only forwards DHCP response messages (offers, ACKs) receivedfrom the trust port.

—Enable the DAI function globally
Ruijie(config)#Ruijie(config)#ip arp inspection vlan 1  ------>Enabling DAI detection for vlan 1

—Uplink port set as trust port, no DAI detection
Ruijie(config)#int gigabitEthernet 0/25
Ruijie(config-if-Gigabit Ethernet 0/25)#ip arp inspection trust                                     ------> Messages sent to the CPU after setting the trust function are not detected, but are still sent to the CPU for processing

—IP Source Guard is enabled on the interface to which the user is connected
Ruijie(config)#interface range gigabitEthernet0/1-2 ------>Entering both port 1 and port 2 configuration mode   
Ruijie(config-if-range)#ip verify source port-security               
------>Enable source IP+MAC message detection, write the snooping table formed by DHCP Snooping into the address binding database, please configure ip verfiy soure port-security correctly, do not use ip verify source (only bind IP), some products have limitations, abnormities may occur in the case of only binding IP.

Ruijie(config-if-GigabitEthernet 0/25)#end
Ruijie#write
DAI compulsory optimization function   
1) When the DAI function is enabled, all ARP messages received by the interface will be sent to the CPU for processing. At this time, please make sure to optimize the following functions:
Perform VLAN trimming on the uplink port of the switch or the core switch.
(trunk trimming, for example, only allows vlan1 andvlan9 to pass, the rest of the vlan are not allowed to pass, the command is Ruijie(config-if-GigabitEthernet 0/25)#switchporttrunk allowed vlan remove 2-8,10-4094), to trim unnecessary vlan to avoid ARP message broadcast flooding to all switches, increasing the burden on the switch;

2) Since the packets sent by the gateway to the user come down from the uplink port, the amount of packets may be relatively large, exceeding the default speed limit of NFPP, resulting in the loss of ARP for some users, so it is necessary to turn off the NFPP function of the uplink port.
The overall default NFPP function is left on, with some protection to the CPU.
Ruijie(config)#int g0/25
Ruijie(config-if-GigabitEthernet 0/25)#no nfpparp-guard enable ------>Disable the ARP-guard function of the interface, after disabling this function, incoming data messages of this interface will not be detected by NFPP
Ruijie(config-if-GigabitEthernet 0/25)#no nfppdhcp-guard enable
Ruijie(config-if-GigabitEthernet 0/25)#no nfppdhcpv6-guard enable
Ruijie(config-if-GigabitEthernet 0/25)#no nfppicmp-guard enable   
Ruijie(config-if-GigabitEthernet 0/25)#no nfppip-guard enable
Ruijie(config-if-GigabitEthernet 0/25)#no nfppnd-guard enable      
3) In addition, the default CPP value of the access switch is only 180PPS by default. If DAI is turned on, all ARP messages will be sent to the CPU for processing, which will easily exceed the threshold set by CPP when there are many connected users, leading to ARP discarding some users in the case of a large number of ARP attacks or flooding, which may lead to packet loss. Therefore, it needs to be adjusted, usually recommended to around500PPS, and no adjustment is required for non-DAI solutions.
CPP adjustment method:
Ruijie(config)#cpu-protect type arp pps 500
Note: If the CPP value is too large, it may lead toexcessive CPU, and the speed limit can be reduced appropriately. Therefore, inthe network deployment anti-ARP spoofing model, try to choose other anti-ARPspoofing solutions unless necessary.

Verification
1) Check if the DAI function is enabled
show ip arp inspection vlan 1
2) Check the dhcp snooping table
show ip dhcp snooping binding





Welcome to Ruijie Community (https://community.ruijienetworks.com/) Powered by Discuz! X3.2