You can prevent VLAN logical IP spoofing by blocking the external use of the device IP address. A configurable option is provided, for each port, which detects a duplicate IP address (that is, an address that is the same as the device VLAN IP address) and blocks all packets with a source or destination address equal to that address.
If an ARP packet is received that has the same source IP address as the logical VLAN IP address of the receiving port, all traffic coming to that port (with this MAC address as source/destination address) is discarded by the hardware. After detecting a duplicate IP address, the device sends a gratuitous ARP packet to inform devices on the VLAN about the correct MAC address for that IP address. You can specify a time on a configurable global timer after which the MAC discard record is deleted, and the device resumes accepting packets from that MAC address.
Similarly, you can prevent VRRP IP spoofing by blocking the external use of the virtual IP address. A configurable option is provided, for each port, which detects a duplicate IP address (that is, an address that is the same as the device virtual IP address) and blocks all packets with a source or destination address equal to that address.
If an ARP packet is received that has the same source IP address as the virtual IP address of the receiving port, all traffic coming to that port (with this MAC address as source/destination address) is discarded by the hardware. After detecting a duplicate IP address, the device sends a gratuitous ARP packet to inform devices on the VRRP subnet about the correct virtual router MAC address for that IP address. You can specify a time on a configurable global timer after which the MAC discard record is deleted, and the device resumes accepting packets from that MAC address.
You can stop spoofed IP packets by configuring the switch to forward only IP packets that contain the correct source IP address of your network. By denying all invalid source IP addresses, you minimize the chance that your network is the source of a spoofed DoS attack.
A spoofed packet is one that comes from the Internet into your network with a source address equal to one of the subnet addresses on your network. The source address belongs to one of the address blocks or subnets on your network. To provide spoofing protection, you can use a filter that examines the source address of all outside packets. If that address belongs to an internal network or a firewall, the packet is dropped.
To prevent DoS attack packets that come from your network with valid source addresses, you need to know the IP network blocks in use. You can create a generic filter that:
Permits valid source addresses
Denies all other source addresses
To do so, configure an ingress filter that drops all traffic based on the source address that belongs to your network.
If you do not know the address space completely, it is important that you at least deny private (see RFC1918) and reserved source IP addresses. The following table lists the source addresses to filter.
Address |
Description |
|
---|---|---|
0.0.0.0/8 |
Historical broadcast. High Secure mode blocks addresses 0.0.0.0/8 and 255.255.255.255/16. If you enable this mode, you do not need to filter these addresses. |
|
10.0.0.0/8 |
RFC1918 private network |
|
127.0.0.0/8 |
Loopback |
|
169.254.0.0/16 |
Link-local networks |
|
172.16.0.0/12 |
RFC1918 private network |
|
192.0.2.0/24 |
TEST-NET |
|
192.168.0.0/16 |
RFC1918 private network |
|
224.0.0.0/4 |
Class D multicast |
|
240.0.0.0/5 |
Class E reserved |
|
248.0.0.0/5 |
Unallocated |
|
255.255.255.255/32 |
Broadcast1 |
You can also enable the spoof-detect feature on a port.