ARP Snooping detection

middlesexherb
Comes here often

Is there a way to detect ARP snooping (man in the middle attack) with the MS 250? I turned on DIA, but that didn't stop the test attack. It did prevent credentials from being captured. Is there any way to stop an attack, or at least detect it and notify?

6 Replies
ww
Kind of a big deal

You also disabled trust status on the port you tested?

middlesexherb
Comes here often

Yes, the only trusted ports go to another switch and the MX.
ww
Kind of a big deal

Had you also already turned on DHCP snooping on your network for some time? Not sure how this works at Meraki, but with Catalyst the switch needs to see DHCP packets first to fill the DHCP snooping table.

jdsilva
Kind of a big deal


@ww wrote:

    Had you also already turned on DHCP snooping on your network for some time? Not sure how this works at Meraki, but with Catalyst the switch needs to see DHCP packets first to fill the DHCP snooping table.

Oh wow... When I saw "DIA" in the first post it never clicked that was a typo for DAI. 

It must be Friday and my brain is already off for the weekend.

PhilipDAth
Kind of a big deal

Let's assume we are only talking about IPv4.

You can block ARP spoofing.  Snooping is a different matter.

ARP queries are sent as a broadcast.  They go out every port in the VLAN that the host belongs to.  This is fundamental to ARP and there is no way to stop this.

So if you sit there with a packet sniffer you'll eventually capture enough ARP traffic to build up a list of (MAC, IP address) combinations.

If you *really* want to stop ARP snooping, put every port into its own separate VLAN and use /30 stubs.
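
An added example, not code from this thread or from Meraki: a small pure-Python ARP monitor that does the two things discussed in the replies above. It harvests (IP, MAC) pairs from ARP frames the way the packet sniffer in PhilipDAth's reply would, which is why broadcast ARP cannot be hidden, and it runs a DAI-style check of each ARP sender claim against a trusted binding table, which is the point of ww's question about DHCP snooping: with an empty table the forgery has nothing to be compared against, and all a monitor can report is that a pair changed, not which claimant is lying. All addresses, frames and the binding table are constructed for the example; `ArpMonitor`, `build_arp` and `parse_arp` are hypothetical names, not a Meraki or Cisco API; reading frames from a live interface (raw socket or pcap) is left out so the block runs offline.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Build an Ethernet/ARP frame: requests are broadcast, replies unicast to the target."""
    dst = BROADCAST if op == ARP_REQUEST else tha
    eth = ETH_HDR.pack(mac_bytes(dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Decode an IPv4-over-Ethernet ARP frame into a dict; None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": mac_str(dst), "src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Passive ARP observer: harvests (IP, MAC) pairs and flags claims that contradict a trusted table."""

    def __init__(self, bindings=None):
        # Trusted IP -> MAC table, i.e. what DHCP snooping (or a static entry) would supply.
        # DAI has nothing to validate against until this is populated.
        self.bindings = dict(bindings or {})
        self.harvested = {}   # IP -> last MAC that claimed it: what any sniffer on the VLAN learns
        self.alerts = []

    def feed(self, frame):
        p = parse_arp(frame)
        if p is None:
            return None
        ip, mac, prev = p["spa"], p["sha"], self.harvested.get(p["spa"])
        if p["src"] != mac:
            # Ethernet source and ARP sender hardware address disagree: forged or malformed.
            self.alerts.append(f"src-mismatch {ip}: eth={p['src']} arp={mac}")
        elif ip in self.bindings:
            # The DAI check proper: the sender's claim must match the binding table.
            if self.bindings[ip] != mac:
                self.alerts.append(f"spoof {ip}: bound to {self.bindings[ip]}, claimed by {mac}")
        elif prev is not None and prev != mac:
            # No binding to enforce; all we can say is that the pair changed (arpwatch-style),
            # not which of the two claimants is lying.
            self.alerts.append(f"flip-flop {ip}: {prev} -> {mac}")
        self.harvested[ip] = mac   # the sniffer's view records whatever was claimed last
        return p


# Constructed sample traffic for this example; all addresses are made up.
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "aa:bb:cc:00:00:01"
HOST_IP, HOST_MAC = "10.0.0.20", "aa:bb:cc:00:00:20"
ATTACKER_MAC = "de:ad:be:ef:00:66"
TRUSTED_BINDINGS = {GATEWAY_IP: GATEWAY_MAC, HOST_IP: HOST_MAC}   # stands in for the DHCP snooping table

LEGIT_REQUEST = build_arp(ARP_REQUEST, GATEWAY_MAC, GATEWAY_IP, "00:00:00:00:00:00", HOST_IP)
LEGIT_REPLY = build_arp(ARP_REPLY, HOST_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP)
FORGED_REPLY = build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP)   # "10.0.0.1 is-at attacker"


def run(frames, bindings=None):
    m = ArpMonitor(bindings)
    for f in frames:
        m.feed(f)
    return m


if __name__ == "__main__":
    # The request is broadcast: every port in the VLAN sees the gateway's (IP, MAC) pair.
    print(parse_arp(LEGIT_REQUEST)["dst"])
    # With a populated table the forgery is caught whatever the ordering.
    print(run([LEGIT_REQUEST, LEGIT_REPLY, FORGED_REPLY], TRUSTED_BINDINGS).alerts)
    print(run([FORGED_REPLY, LEGIT_REQUEST, LEGIT_REPLY], TRUSTED_BINDINGS).alerts)
    # With an empty table (snooping just enabled, no leases seen yet) the cold-start forgery
    # passes silently and the later, legitimate request is what gets flagged.
    print(run([FORGED_REPLY, LEGIT_REQUEST, LEGIT_REPLY]).alerts)
```

The empty-table run is the situation ww describes: DAI is on but the switch has not yet learned any bindings, so the first forged reply is accepted and the monitor's only signal is a later flip-flop, which points at the legitimate gateway as much as at the attacker. Seeding the table (DHCP snooping left running long enough to see leases, or static bindings for the gateway and servers) is what turns the check from "something changed" into "this sender is lying".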
