
I have a number of servers running on Dell switches which are used by clients for their projects. Occasionally some clients put other clients' IP addresses on their server (presumably by accident), and even though I can prevent them from using those IP addresses with ACL rules, I cannot prevent them from responding to ARP messages with the stolen IP address, which breaks server accessibility for the original IP owner. All of the switch ports are on the same VLAN, and I can't split ports into different VLANs for routing and IP limitation reasons.

I was wondering what the possible ways are of preventing unauthorized ports/MACs from replying to "ARP who has" messages with someone else's IP.

EDIT:

I mostly use Dell S4810 switches. I, of course, tried looking up the manual for a solution to my problem; however, the best that I could find is "dynamic ARP inspection", which uses the DHCP database to validate IP addresses to MACs. My clients often use large portions of external IP addresses on virtual machines, so locking them directly to a single MAC address is a little complicated. Adding to the problem is their ability to move IP addresses from one server to another on another switch port.

I have implemented heavy SNMP logging of alerts and traps. I am now leaning towards a complex scripting solution which would check the collected "IP to MAC" address logs, compare them with client-owned server/VM MACs for any irregularities, and based on some sort of calculation determine whether someone is stealing someone else's IP, then simply turn off the port that is the source of the malicious activity.

The general idea of this post was to gather ideas for other solutions. I appreciate all the input.
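The log-comparison check described in the edit, as an added example that is not the poster's own script: it maps each IP to its owning client by prefix and each MAC to its registering client, then flags only bindings where the two disagree, so a client moving an IP between its own VMs or servers is not flagged. The inventory, the log line format and all addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed inventory (hypothetical data): which client owns which public
# prefixes and which server/VM MACs. Ownership is tracked per client rather
# than per single MAC, so many VMs per client and IP moves between a client's
# own servers need no special case.
CLIENT_PREFIXES = {"acme": ["203.0.113.0/26"], "globex": ["203.0.113.64/26"]}
CLIENT_MACS = {"acme": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
               "globex": {"00:11:22:cc:dd:01"}}
MAC_OWNER = {mac: client for client, macs in CLIENT_MACS.items() for mac in macs}

# Constructed IP-to-MAC learning log; the line format is an assumption, not
# any particular switch's syslog or trap format. Line 2 is a legitimate move
# inside acme; line 4 is a globex MAC claiming an acme IP; line 5 is an
# unregistered MAC claiming an acme IP.
SAMPLE_LOG = """\
2024-01-01T10:00:00 port=Te0/1 ip=203.0.113.10 mac=00:11:22:aa:bb:01
2024-01-01T10:00:05 port=Te0/2 ip=203.0.113.10 mac=00:11:22:aa:bb:02
2024-01-01T10:00:09 port=Te0/7 ip=203.0.113.70 mac=00:11:22:cc:dd:01
2024-01-01T10:01:00 port=Te0/7 ip=203.0.113.10 mac=00:11:22:cc:dd:01
2024-01-01T10:01:30 port=Te0/9 ip=203.0.113.12 mac=de:ad:be:ef:00:01
"""
LINE_RE = re.compile(r"port=(?P<port>\S+) ip=(?P<ip>\S+) mac=(?P<mac>\S+)")


def owner_of_ip(ip):
    """Client whose prefix contains ip, or None if the IP is unassigned."""
    addr = ipaddress.ip_address(ip)
    for client, prefixes in CLIENT_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return client
    return None


def find_conflicts(log_text):
    """Return bindings whose MAC is not owned by the owner of the IP."""
    conflicts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip_owner = owner_of_ip(m["ip"])
        mac_owner = MAC_OWNER.get(m["mac"].lower())
        if ip_owner is None or ip_owner == mac_owner:
            continue  # unassigned IP, or a client's own MAC: not a conflict
        conflicts.append({"port": m["port"], "ip": m["ip"], "mac": m["mac"],
                          "ip_owner": ip_owner,
                          "claimant": mac_owner or "unregistered"})
    return conflicts
```

The returned port and client pair is what a follow-up step (alerting, or shutting the offending port as the edit proposes) would act on; the example stops at detection.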

2 Answers

Many switches have ARP protection/ARP inspection/IP source guard mechanisms which can be enabled to police all ARP traffic passing through the switch and enforce the MAC-to-IP bindings. These can learn the appropriate bindings dynamically from DHCP (snooping), or you can set them statically, which is probably what you need here.

However, I'm not sure about the availability of this feature on Dell's products. I grabbed a PowerConnect 5448 manual (admittedly pretty old now) and couldn't find mention of it...

Mintra

Will your Dell switches allow you to put in static ARP entries for all of your servers? You didn't post the models or OS version, so I can't look it up for you. I know that on Cisco switches you can also limit the number of ARP entries per port, so if you're not virtualized, you could set each client port to "1" and that might not let changes happen.

That will be a pain to manage, of course.

This sort of problem is pretty much what VLANs are for, so see if you can resolve the obstacles to implementing them.

mfinni