Nortel Networks 5510, 5520, 5530 manual ARP Spoofing, Configuration Example

Page 35

Filters and QoS Configuration for ERS 5500

 

 

Technical Configuration Guide

v2.0

NN48500-559

10.1 ARP Spoofing

Figure 3: Arp Spoofing Example

Considering Figure 3 above, host 4 wishes to perform an ARP spoofing man-in-the-middle (MITM) attack. When hosts 2 or 3 wish to communicate with the router, they will send an ARP request for the router’s MAC address. The router (.1) will respond, but as soon as host 4 sends a gARP broadcast claiming it to be the router (.1), hosts 2 and 3 will update their ARP entry for .1 to host 4’s MAC address. Also, host 4 can send a gARP to the router using its MAC address for either host 2 or host 3. Now traffic forwarded or received off the 10.1.1.0/24 for either host 2 or host 3 will go to host 4’s MAC address. Host 4 could then forward the traffic to the real router, drop the traffic, sniff the traffic, or modify the contents of a packet.

It is possible to prevent ARP/MAC spoofing using off-set filters to block any gratuitous ARPs (gARP). Basically, you have to allow broadcast ARP, block any ARP messages using the source IP or target IP of the default gateway, and then allow ARP reply; these filters should not be applied to the router port(s), only on the user ports. In the 4.2 release or higher, a new command has been added to prevent ARP Spoofing between hosts and the router default gateway.

Configuration Example

Assuming the following:

The default gateway is 10.1.25.1

The user ports are ports 26 to 30; we will create an interface group named vlan10 for these ports

In software release 4.2 or higher, you can now use the CLI or WEB interface to enable ARP Spoofing Detection. Continuing from the example above, in release 4.2 or higher, enter the following commands:

5530-24TFD(config)#interface fastEthernet all

5530-24TFD(config-if)#qos arp spoofing port 26-30 default-gateway 10.1.25.1

Overall, using either method above, the ARP Spoofing QoS application performs the following operations:

1.Pass all broadcast ARP requests.

2.Drop all non-broadcast ARP requests.

3.Drop all ARP packets with a source IP address equal to the identified default gateway.

4.Drop all ARP packets with a target IP address equal to the identified default gateway.

5.Pass all ARP responses.

___________________________________________________________________________________________________________________________

Nortel Confidential Information Copyright © 2008 Nortel Networks. All Rights Reserved.

 

External Distribution

34

Page 34 Page 36
Image 35
Page 34 Page 36
Contents Ethernet Routing Switch NN48500-559 Abstract Table of Contents List of Tables List of FiguresText Document UpdatesSymbols ConventionsOverview Ethernet Routing Switch 5500 QoS and Filtering ƒ Layer 2 Classifier Elements ClassificationUntrusted Ports Unrestricted PortsStatistics Actions SupportedQoS Flow Chart Classifier Block Functionality Filter FunctionalityOverall Classification Functionality 7, 15, 31, 63 255, 511, 1025 4095, 8191 32762, or Min = Port Range FunctionalityPolicies Default Policy Drop ActionNN48500-559 Queue Sets 5520-24T-PWRconfig#qos agent buffer large maximum regular5520-24T-PWRconfig#default qos agent buffer Egress CoS Queuing Ethernet Routing Switch 5500 Egress CoS QueuingCoS 5520-24T-PWRconfig#qos agent queue set 5520-24T-PWRconfig#show qos queue-set-assignmentEgress Queue Recommendations 5520-24T-PWRconfig#default qos agent queue-set5520-24T-PWRconfig#qos agent reset-default Bucket Size Traffic Meter and ShapingParameter Description Actual Bucket SizePolicing Traffic Actual Bucket Size in Bytes Actual size in bytes InterfaceExample Bucket Size Max burst rate Committed rate Duration MSec Interface ShaperMeter Bucket Size and Duration 5530-24TFDconfig#show qos if-shaper port Hex Decimal Default Nortel Class of ServiceDefault Nortel CoS Markings BinaryConfig#qos ip-acl name 1..16 character string ? QoS Access Lists ACLACL Configuration IP-ACL ConfigurationConfig#qos l2-acl name 1..16 character string ? 2 L2-ACL ConfigurationACL-Assign Configuration ACL Configuration Example5530H-24TFD#show qos ip-acl Verification5530H-24TFD#show qos acl-assign 5530H-24TFD#show qos policy Changing ACL 5500config#no qos acl-assign5500config#no qos acl-assign 1 port 1/19 5500config#no qos ip-aclDhcp Snooping IP Security FeaturesDhcp Snooping Configuration Dynamic ARP Inspection ConfigurationIP Source Guard IP Source Guard ConfigurationBpdu Filtering Bpdu Filtering ConfigurationQoS Interface Applications QoS Applications Number of Classifiers Used FeatureARP Spoofing Configuration ExampleDhcp Snooping Dhcp Attacks10.3 DoS Bpdu Blocking ERS5500-48T#show qos if-group Configuration Steps Policy ConfigurationRole Combination ERS5500-48T#show qos if-assignIP Element ERS5500-48Tconfig#qos ip-element 1-64000?Classification Adding IP and L2 ElementAdding a Classifier Block Adding a ClassifierParameters and variables Description MetersAdd a New Policy QoS Action Configuration ExamplesPre-defined Values Configure the IP elements Configuration Example 1 Traffic Meter Using Policies12.2.1 ERS5500 Configuration Using Policies Configure the Interface Role CombinationERS5500 Create the classifier block Configure MetersConfigure the Classifier Block Verify the Role Combination Configure the PolicyVerify Operations ERS5500 Create the policyName m1 Verify Classifier and Classifier Block ConfigurationERS5500-24T#show qos classifier-block Verify Policy Configuration Verify that the QoS Policy IP ACL, Dhcp Snooping, ARP Inspection, and Source Guard 12.3.1 ERS5500 ConfigurationERS5500 Add IP address to Vlan 700 and enable Ospf ERS5500 Enable ARP-Inspection for VLAN’s 110 Verify DHCP-Snooping ERS5500 Assign the IP-ACL’s to portsVID Verify ARP InspectionVerify IP Source Guard Verify ACL ConfigurationNN48500-559 NN48500-559 ERS5500-24T#show qos acl-assign TCP Port Range Configuration Example 3 Port Range Using ACL or PolicyERS5500 Create IP elements for UDP port range Configuration Using PoliciesConfigure the Policies ERS5500 Remark all other traffic to Bronze Configuration Using IP-ACL’sCreate Policy 12.5.1 ERS5500 Configuration Using PoliciesERS5500 Assign the L2-ACL’s to ports 12.5.2 ERS5500 Configuration Using IP-ACL’sERS5500 Pass all other traffic with standard CoS 12.6.1 ERS5500 Configuration Using Policies Configuration Example 5 L2 and L3 ClassificationERS5500 Add L2 elements for Vlan 110 Configure Classifier and Classifier BlocksDscp Mapping via Un-restricted Port Role 12.7.1 ERS5500 ConfigurationPolicy Configuration ACL ConfigurationID ID View the Queue AssignmentsVerify Shape Rate Configuration Configuration Example 7 Interface ShapingEnable Shaping on Port Reference Documentation Software BaselineContact us
Top Page Image Contents