Is there a way to detect ARP snooping (man in the middle attack) with the MS 250? I turned on DIA, but that didn't stop the test attack. It did prevent credentials from being captured. Is there any way to stop an attack, or at least detect it and notify?
You also disabled trust status on the port you tested?
Had you also already turned on DHCP snooping on your network for some time? Not sure how this works at Meraki, but with Catalyst the switch needs to see DHCP packets first to fill the DHCP snooping table.
@ww wrote: Had you also already turned on DHCP snooping on your network for some time? Not sure how this works at Meraki, but with Catalyst the switch needs to see DHCP packets first to fill the DHCP snooping table.
Oh wow... When I saw "DIA" in the first post it never clicked that was a typo for DAI.
It must be Friday and my brain is already off for the weekend.
Dynamic ARP Inspection should be what you're after.
https://documentation.meraki.com/MS/Other_Topics/Dynamic_ARP_Inspection
Let's assume we are only talking about IPv4.
You can block ARP spoofing. Snooping is a different matter.
ARP queries are sent as a broadcast. They go out every port in the VLAN that the host belongs to. This is fundamental to ARP and there is no way to stop this.
So if you sit there with a packet sniffer you'll eventually capture enough ARP traffic to build up a list of (MAC, IP address) combinations.
If you *really* want to stop ARP snooping, put every port into its own separate VLAN and use /30 stubs.
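To make the distinction in the thread concrete (DAI can drop spoofed replies from untrusted ports by checking them against a DHCP snooping binding table, but it cannot see passive sniffing of broadcast requests), here is an added model of that check in Python. It is example code written for this thread, not Meraki's or Cisco's implementation; the binding table, port names and ARP replies are constructed sample data.

```python
from typing import Dict, List, NamedTuple, Set, Tuple


class ArpReply(NamedTuple):
    port: str        # switch port the reply arrived on
    sender_ip: str   # IP the sender claims to own
    sender_mac: str  # MAC the sender wants bound to that IP


# Constructed DHCP-snooping style binding table (IP -> MAC learned from DHCP).
BINDINGS: Dict[str, str] = {
    "192.0.2.10": "00:11:22:33:44:10",
    "192.0.2.11": "00:11:22:33:44:11",
}
# Constructed static entries for hosts with no DHCP lease (here, the gateway).
STATIC_BINDINGS: Dict[str, str] = {"192.0.2.1": "00:11:22:33:44:01"}
# Trusted ports (uplink towards gateway/DHCP server) are not inspected at all.
TRUSTED_PORTS: Set[str] = {"uplink"}

# Constructed stream of ARP replies as seen by the switch.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply("uplink", "192.0.2.1", "00:11:22:33:44:01"),  # gateway, trusted port
    ArpReply("p3", "192.0.2.10", "00:11:22:33:44:10"),     # matches its binding
    ArpReply("p7", "192.0.2.1", "00:11:22:33:44:ee"),      # gateway IP claimed on p7
    ArpReply("p7", "192.0.2.11", "00:11:22:33:44:ee"),     # same MAC claims a host IP
    ArpReply("p4", "192.0.2.12", "00:11:22:33:44:12"),     # no binding known at all
]


def inspect(replies: List[ArpReply], bindings: Dict[str, str],
            static: Dict[str, str], trusted: Set[str]) -> Tuple[List[ArpReply], List[str]]:
    """Return (forwarded replies, alert strings for dropped replies)."""
    table = {ip: mac.lower() for ip, mac in {**bindings, **static}.items()}
    forwarded: List[ArpReply] = []
    alerts: List[str] = []
    for r in replies:
        if r.port in trusted:            # trusted ports bypass inspection
            forwarded.append(r)
            continue
        expected = table.get(r.sender_ip)
        if expected is None:             # unknown host: dropped, needs a static entry
            alerts.append(f"{r.port}: no binding for {r.sender_ip}, claimed by {r.sender_mac}")
        elif expected != r.sender_mac.lower():  # binding mismatch: spoof indicator
            alerts.append(f"{r.port}: {r.sender_ip} is bound to {expected}, "
                          f"reply claims {r.sender_mac}")
        else:
            forwarded.append(r)
    return forwarded, alerts
```

The last sample line shows the usual DAI caveat: a statically addressed host with no DHCP lease is dropped too, so it needs a static binding or the port must be trusted.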