Gateway MAC spoofing prevention (no IP source guard / dynamic ARP inspection)

In enterprise switch networks, which are usually structured with access, distribution and core layers, I find that sometimes the access/distribution layer gets spoofed with the gateway MAC address. At these layers, the IP address configuration of devices connected to ports is usually spread across static and DHCP IP addresses. Since IP source guard relies on the DHCP snooping binding database, it is not scalable for devices with static IP addresses connected to switchports.
A typical setup is like:

pc---torswitch--distswitch--corertrwithgw
         |--- roguegwspoofing device

The rogue spoofing device redirects the GW traffic by spoofing the MAC address of the gateway, thereby causing loss of IP traffic. IP source guard is not scalable here, as it is a multistack switch and it is not feasible to add IP source entries manually. Is there any suggested method to prevent spoofing?

Hello Venka,

In order to deal with such a situation, the best thing to do is to employ the use of DHCP snooping along with dynamic ARP inspection (DAI). DAI will determine the validity of an ARP packet based on the valid MAC address to IP address binding stored in the DHCP snooping database. This will ensure that a device asking for the MAC address of the gateway will not be responded to by an attacker.

These, in combination with a good port security implementation, will mitigate virtually all such attacks. Here are the related lessons that will help you out:

I hope this has been helpful!

Laz
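As an added configuration example, not from the original thread or either poster: a Cisco IOS access-switch configuration combining the three controls Laz names (DHCP snooping, DAI, port security), plus a static ARP ACL so that DAI also covers hosts with static IP addresses, which is the scalability concern in the question, and a static MAC entry that pins the gateway MAC to the uplink. VLAN 10, the interface names, the gateway 10.1.10.1 / 0000.0c9f.f001 and the static host 10.1.10.50 / 0011.2233.4455 are assumed values.

```cisco
! Assumed topology: VLAN 10, gateway 10.1.10.1 (0000.0c9f.f001) behind
! uplink Gi1/0/48; access ports Gi1/0/1-47; static host 10.1.10.50.
!
! 1. DHCP snooping builds the IP-to-MAC binding table that DAI consults
ip dhcp snooping
ip dhcp snooping vlan 10
! drop option-82 insertion unless the DHCP server expects it
no ip dhcp snooping information option
!
! 2. DAI on the VLAN; only the uplink is trusted, so ARP from access
!    ports is validated, and header/body MAC consistency is checked too
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. ARP ACL for hosts with no DHCP binding. Any untrusted ARP that
!    claims the gateway IP is dropped regardless of MAC, so a clone of
!    both IP and MAC on an access port is still rejected. Hosts that
!    match no entry fall through to the DHCP bindings (no "static" keyword)
arp access-list STATIC-HOSTS
 deny ip host 10.1.10.1 mac any log
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
!
! 4. Pin the gateway MAC to the uplink so frames sourced from that MAC
!    on an access port cannot move the forwarding entry
mac address-table static 0000.0c9f.f001 vlan 10 interface GigabitEthernet1/0/48
!
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet1/0/1 - 47
 switchport mode access
 switchport access vlan 10
 ! 5. Port security: one MAC per port, learned and kept on first use
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast
!
! Verification
show ip dhcp snooping binding
show ip arp inspection vlan 10
show ip arp inspection statistics vlan 10
show port-security interface GigabitEthernet1/0/1
```

Leaving off the `static` keyword on `ip arp inspection filter` is what lets static and DHCP hosts share the VLAN: non-matching ARP is still checked against the snooping bindings rather than dropped.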