Layer 2 Security Feature : Dynamic ARP inspection

We all know about how the ARP works and the importance of it to send the traffic to the endhost, it translates the IP to the mac address. Before we know about the dynamic arp inspection we would need to understand about the ARP poisoining, it is an man in the middle attack works by poisoining the ARP cache database. IP to mac address tables are stored in the arp cache database in the switch or router.

Hacker can poison the arp database by rewriting his own mac address for the default gateway IP so all the users traffic will redirect to the hacker laptop which causes the successful man in the middle attack.

Dynamic ARP inspection works by inspecting the ARP cache database with the help of dhcp snooping database. Yesterday I explained the dhcp snooping so you can look into the article to know how it works. It records the assigned IP with the mac addresses in the dhcp snooping table so the arp inspection would use the dhcp snooping database to find the correct IP to MAC address mappings. In some situations the organization may not enable dhcp snooping so in that case we need to write static arp entries with the help of arp access list. Given below shows the configuration of DIA in Cisco IOS.

DAI in a DHCP Environment Configuration Example

Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip arp inspection trust
Switch(config)# ip arp inspection vlan 5-10

By default all the user ports are assigned with the implicit untrust , it should be enabled as a trust port as shown above to enable DIA and the inspection have to enable on the respective vlans.

DAI in a Non-DHCP Environment Configuration Example

Switch(config)# arp access-list arpacl
Switch(config-arp-acl)# permit ip host 10.1.1.11 mac host 0011.0011.0011
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter arpacl vlan 5
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# no ip arp inspection trust
Use the show ip arp inspection vlan [vlan# or range] command to verify the configuration.

UPGRADING EOS in the ARISTA Switches

UPGRADING EOS in the ARISTA Switches: EOS is the Firmware for Arista Switches whereas IOS for Cisco. This blog post shows the detailed procedures to follow and to upgrade the EOS in the Arista Switches. This Post was supports for any platform or the Version you are going to upgrade in the Arista Switches. This Post was divided into three parts : Pre-Upgrade Process Upgrade Process Post-Upgrade Process PRE-UPGRADING-PROCESS: 1 1) Check the Upgrade Path tool by clicking the below link. https://www.arista.com/en/support/mlag-portal/mlaglist and confirm it is in mlag issu compatible 2) Check if the STP agent is restartable by giving the command switch-1# show spanning-tree bridge detail | grep agent Stp agent restartable : True NOTE : A switch can continue supporting MLAG when its peer is offline if the STP agent is restartable. When one peer is offline, data traffic flows from the devices through the

DIFFERENCE BETWEEN THE LAN AND WAN (local area network ,wide area network

Improve The other difference between LAN and WAN, is the speed of the network . The maximum speed of a LAN can be 1000 megabits per second, while the speed of a WAN can go up to 150 megabits per second. This means the speed of a WAN, is one-tenth of the speed of a LAN. A WAN is usually slower because it has lower bandwidth. Computers in a LAN can share a printer, if they are all in the same LAN. On the other hand, a WAN cannot share a printer, so a computer in one country cannot use a printer in another country. A LAN does not need a dedicated computer to direct traffic to and from the Internet, unlike a WAN that needs a special-purpose computer, whose only purpose is to send and receive data from the Internet. Another LAN vs. WAN comparison is the cost of the network. A WAN is more expensive than a LAN. It is easier to expand a LAN than a WAN. The equipment needed for a LAN is a network interface card (NIC), a switch and a hub. On the other hand, the equipment needed to connec

FORTIGATE ACTIVE PASSIVE UPGRADE

FORTIGATE ACTIVE PASSIVE UPGRADE : This blog post shows the detailed procedures to follow and to upgrade the firmware in the Fortigate Firewall. This Post was supports for any platform or the Version you are going to upgrade in the Fortigate Firewall This Post was divided into three parts : Pre-Upgrade Process Upgrade Process Post-Upgrade Process PRE UPGRADE STEPS: 1 1) Go to the below website and check the Upgrade Path https://docs.fortinet.com/upgrade-tool 2) Next Login to the Fortigate Console and check the HA Status ( it is to be In sync and higher Priority enabled for the required primary device) 3) Login to the Console and give the command Config global – get sys ha status Also check session pickup is in enable to avoid session interruptions in failover. 4) Download all the Firmware’s and the md5 files in the list and check with the software MD5sum.exe to avoid the download errors. NOTE : Must and should configuration backup have t

ABOUT NETWORKING

Search This Blog