arp -a

IrfanKhan4904 · ‎05-13-2024

Our gateway mac address is different when we give arp -a in cmd the mac address is another show when we trace it shows a student mac what could be the problem?

Torbjørn · ‎05-13-2024

Could a student have assigned its own machine the gateway IP address?

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

MHM Cisco World · ‎05-13-2024

Sure this is l2 attack' the hack PC send GARP to all other host it mac and GW IP.

This make traffic forward to hack PC before reforward again.

So hack PC be man in middle see all traffic from host to GW.

you need DAI for this attack.

MHM

IrfanKhan4904 · ‎05-13-2024

Our Gateway original Mac Address is 6cb2.ae41.23d6.
But arp -a showing a04f.85fa.a543.So what is solution ?

Torbjørn · ‎05-13-2024

The simplest immediate solution is to disconnect that client machine. Afterwards you should consider to implement dhcp snooping and dynamic arp inspection

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

IrfanKhan4904 · ‎05-13-2024

how i can implement dhcp snooping and dynamic arp inspection?

Torbjørn · ‎05-14-2024

You first need to configure DHCP snooping with "ip dhcp snooping" and under your uplink interfaces "ip dhcp snooping trust". Are you using IP helpers/dhcp relay in your environment?

Once DHCP snooping is working you can enable ip arp inspection using "ip arp inspection". Note that you will need to create static entries for any hosts with statically assigned ip addresses.

You can read more about DHCP snooping and DAI here:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-9/configuration_guide/ip/b_179_ip_9200_cg/configuring_dhcp.html

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9500/software/release/17-3/configuration_guide/sec/b_173_sec_9500_cg/configuring_dynamic_arp_inspection.html

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

IrfanKhan4904 · ‎05-14-2024

interface Vlan20
description **** SVI FOR STUDENTS VLAN ****
ip address 172.16.0.3 255.255.0.0
ip helper-address 10.0.0.110

Torbjørn · ‎05-14-2024

You will need to configure "ip dhcp snooping information option allow-untrusted" on distribution switches.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

IrfanKhan4904 · ‎05-14-2024

The following VLAN configurations on our core switch are VLAN 1, VLAN 10, and VLAN 20. Three servers and two access points are connected to the core switch, and their VLAN is 1. Three servers are connected to the switch, and their VLAN is 10. DHCP Server connected with Core switch Port no 1.So port no 1 have to be set as snooping trust, while the other ports will remain unchanged? And will this configuration need to be replicated on the rest of the distribution switches, or will it remain the same?

IrfanKhan4904 · ‎05-14-2024

one Core switch and 35 distribution switches are using in network.Can you help me determine which commands I should use on core switch and which commands I should use on distribution switches?

MHM Cisco World · ‎05-13-2024

As @Torbjørn mention' disconnect this PC and prevent this in feature as I mention use DAI.

MHM

IrfanKhan4904 · ‎05-13-2024

can i configure DAI in Cisco network switches?

MHM Cisco World · ‎05-13-2024

Yes sure you can'

And if you dont use dhcp you can use static DAI.

MHM

IrfanKhan4904 · ‎05-14-2024

One more question is
The following VLAN configurations on our core switch are VLAN 1, VLAN 10, and VLAN 20. Three servers and two access points are connected to the core switch, and their VLAN is 1. Three servers are connected to the switch, and their VLAN is 10. DHCP Server connected with Core switch Port no 1.So port no 1 have to be set as snooping trust, while the other ports will remain unchanged? And will this configuration need to be replicated on the rest of the distribution switches, or will it remain the same?