Routing – ARP spoofing in different VLAN

arplayer2layer3routingvlan

I want to know if I'm protected for ARP spoofing.

In my network, all PCs, printers, phones and servers are in distinct VLANs. I got a layer 3 switch for servers, which handles routing between these VLANs, and layer 2 switches for connecting PCs, printers and phones. I use DHCP snooping to be sure that only my DHCP server is giving IP addresses. I have an internet gateway in the same VLAN used for servers. I don't have any specific configuration for ARP on the layer 2 and 3 switches.

Since ARP is blocked by routers, am I open or not to ARP spoofing?

Best Answer

ARP spoofing only works on a LAN, not across LANs, so you are safe from ARP spoofing from outside a LAN. Unfortunately, most successful attacks happen from within a network. For example, a host on your network could be compromised (look at other SE sites to see the large quantity of questions from workers looking to bypass a company's network security to be able to play games or stream videos). Since you are running DHCP snooping, you could add DAI (Dynamic ARP Inspection) to prevent ARP spoofing on a LAN.

Related Solutions

HP 2920-48G PoE daisy-chain ARP cache problem

ARP is a layer-3 ("IP") technology. Under normal conditions an ethernet switch should have nothing at all in it's arp cache, because 100% of what it does is layer-2 ("ethernet") switching. The only arp entries would be for management access (eg. the MAC of your machine would be known to it while you have a connection to it.)

If the UI is going away but it's otherwise still passing traffic, that sounds like something is attacking the switch, or otherwise overloading it (eg. thinking it's a router, or other server.)

hp-2810-1# show arp

 IP ARP table

  IP Address      MAC Address       Type    Port
  --------------- ----------------- ------- ----
  192.168.0.1     000423-c6a4ec     Dynamic Trk1 (the router)

vs.

hp-2810-1# show mac-address 

 Status and Counters - Port Address Table

  MAC Address   Located on Port
  ------------- ---------------
  000423-c6a4ec Trk1           
  000423-c6a4ed Trk1           
  .... (many pages, in fact)

Despite the volume of broadcast traffic through the switch, very little (none) is in the management vlan (10 in my case.)

hp-2810-1# show cpu

4 percent busy, from 178 sec ago
1 sec ave: 3 percent busy
5 sec ave: 2 percent busy
1 min ave: 5 percent busy

OSI Model – Where OSI Model Layers Operate in the Operating System

First off the OSI model is a theoretical model, it doesn't nessacerally exactly match up with reality. Also generally layer models only show layers that actually add or remove something from the packet.

The following answer omits some minor details. Also some details may vary between operating systems, I have the most experiance with linux, some stuff may be different on other operating systems.

This answer also focuses on the basic set-up, many modern network controllers have "offload" features where features that were traditionally the responsibility of the OS kernel are taken over by the network controller.

The network controller is logically divided into two parts, the "MAC" and the "PHY". In some cases MAC and PHY may be integrated into the same chip.

The PHY does the following.

Converting between the wire-level encoding and a stream of binary data units.
Detecting when the line is busy (for half-duplex physical layers).
Detecting the start and of incoming frames.
Generating special wire-level encodings for the start and end of frames.

The MAC does the following.

Translating between data streams at wire-rate and frames in a buffer that the OS can read/write.
Generating/checking/stripping the preamble and FCS.
Notifying the OS through interrupts when incoming frames have been delivered to the buffer.
Implementing Medium access control if needed.
Fitering incoming frames by destination MAC address.

The Kernel implements the following.

Talking to the MAC (using a driver module).
Building and interpreting Ethernet frames (minus the preamble and FCS).
Implementing ARP (or ND for IPv6) to translate between IP and MAC addresses.
Implementing building and interpretation of IP packets.
Forwarding packets to the correct interface based on a routing table.
Packet filtering, NAT etc.
Major transport protocols like TCP and UDP.
Some parts of ICMP.

Daemons and tools running outside the kernel but considered to be part of the OS implement.

DHCP
DNS cache (if used).
Diagnostics like ping and traceroute.
Configuration of kernel features.

Libraries loaded by the application are generally used to implement stuff that runs on top of TCP/UDP including:

SSL/TLS
DNS
HTTP

Best Answer

Related Solutions

HP 2920-48G PoE daisy-chain ARP cache problem

OSI Model – Where OSI Model Layers Operate in the Operating System

Related Topic