Friday, December 6, 2019

Configuring Layer 2 Data Plane Security on a Cisco Switch

Task 1: Configure DHCP Snooping


Verify the IP Address on Kali Linux using the ifconfig command.

root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.110  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fe39:467e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:39:46:7e  txqueuelen 1000  (Ethernet)
        RX packets 43330  bytes 45725937 (43.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 35108  bytes 4125265 (3.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 448  bytes 31044 (30.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 448  bytes 31044 (30.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


Verify whether IP forwarding is enabled. A value of 0 means IP forwarding is disabled and 1 means it is enabled.

Enable IP forwarding using the echo command (sysctl -w net.ipv4.ip_forward=1 does the same). Forwarding must be on so that a victim which accepts Kali as its default gateway still reaches the real network through Kali; a rogue gateway that black-holes traffic is noticed immediately.

root@kali:~# cat /proc/sys/net/ipv4/ip_forward
0
root@kali:~# echo 1 >> /proc/sys/net/ipv4/ip_forward
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
1


The Cisco ASA firewall is acting as both the DHCP server and the default gateway in my lab.

LAB-ASA5515x# show run dhcpd
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd domain lab.com interface inside
dhcpd enable inside


Configure a rogue DHCP server in Kali Linux using the dnsmasq command with the following parameters. The -d flag keeps dnsmasq in the foreground, -F is the short form of --dhcp-range, and -p 0 disables its DNS listener so only DHCP is served. The rogue scope deliberately sits outside the ASA's pool and hands out Kali as both default gateway and DNS server:

IP address range: 192.168.1.100 - 192.168.1.150

Subnet Mask: 255.255.255.0

Default Gateway: 192.168.1.110 (Kali Linux)

DNS Server: 192.168.1.110

Domain Name: lab.net

DHCP Lease time: 1 day (24 hours)

root@kali:~# dnsmasq -d -F 192.168.1.100,192.168.1.150,255.255.255.0,1d --dhcp-option=3,192.168.1.110 --dhcp-option=15,"lab.net" --dhcp-option=6,192.168.1.110 -p 0
dnsmasq: started, version 2.80 DNS disabled
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
dnsmasq-dhcp: DHCP, IP range 192.168.1.100 -- 192.168.1.150, lease time 1d
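As an added example (not code from the original post), the following Python builds the DHCPOFFER that a rogue dnsmasq with the parameters above would put on the wire, parses it back and classifies it against an allowlist of approved DHCP servers, which is the check a rogue-DHCP detector on the segment performs. Addresses, domain names and the 24 hour lease are the ones above; the transaction id, the client MAC (Win7's, from later in the post) and the ASA's own lease time are assumed for the example.

```python
"""
Added example, not code from the original post: build the DHCPOFFER a rogue
dnsmasq configured as above would send, parse it back, and classify it against
an allowlist of legitimate DHCP servers. The xid, the ASA's lease time and the
client MAC are assumed values for the example.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"                    # RFC 2131 options cookie
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"            # fixed 236-byte BOOTP header
OPT_NAMES = {1: "subnet_mask", 3: "router", 6: "dns", 15: "domain",
             51: "lease", 53: "msg_type", 54: "server_id"}


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def build_offer(xid, client_mac, yiaddr, server_id, router, dns, domain, lease,
                mask="255.255.255.0"):
    """Minimal DHCPOFFER: BOOTREPLY header, magic cookie, then the options that
    correspond to dnsmasq's --dhcp-range and --dhcp-option=3/6/15 settings."""
    chaddr = bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, _ip(yiaddr), _ip(server_id), b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    options = b"".join([
        bytes([53, 1, 2]),                           # message type: OFFER
        bytes([54, 4]) + _ip(server_id),             # server identifier
        bytes([51, 4]) + struct.pack("!I", lease),   # lease time in seconds
        bytes([1, 4]) + _ip(mask),
        bytes([3, 4]) + _ip(router),                 # default gateway
        bytes([6, 4]) + _ip(dns),
        bytes([15, len(domain)]) + domain.encode(),
        b"\xff",                                     # end of options
    ])
    return header + DHCP_MAGIC + options


def _decode(code, value):
    if code in (1, 3, 6, 54):                        # one or more IPv4 addresses
        addrs = [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
        return addrs if code == 6 else addrs[0]
    if code == 51:
        return struct.unpack("!I", value)[0]
    if code == 53:
        return value[0]
    if code == 15:
        return value.decode()
    return value


def parse_offer(pkt):
    """Parse the fixed header and the TLV options; raises if the cookie is missing."""
    fields = struct.unpack(BOOTP_FMT, pkt[:236])
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (magic cookie missing)")
    result = {"xid": fields[4], "yiaddr": str(ipaddress.IPv4Address(fields[8])),
              "client_mac": fields[11][:6].hex(":"), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:                              # pad option
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        result["options"][OPT_NAMES.get(code, code)] = _decode(code, pkt[i + 2:i + 2 + length])
        i += 2 + length
    return result


def classify(pkt, allowed_servers, expected_router):
    """Rogue if the server identifier is not allowlisted or the router option
    points anywhere other than the real gateway."""
    opts = parse_offer(pkt)["options"]
    reasons = []
    if opts.get("server_id") not in allowed_servers:
        reasons.append(f"server identifier {opts.get('server_id')} is not an approved DHCP server")
    if opts.get("router") != expected_router:
        reasons.append(f"router option {opts.get('router')} differs from the real gateway {expected_router}")
    return ("rogue" if reasons else "legitimate"), reasons


# Constructed samples: the rogue offer from Kali and one the ASA would send (3600 s lease assumed).
ROGUE_OFFER = build_offer(0x1234, "00:0c:29:68:20:13", "192.168.1.114", server_id="192.168.1.110",
                          router="192.168.1.110", dns="192.168.1.110", domain="lab.net", lease=86400)
ASA_OFFER = build_offer(0x1234, "00:0c:29:68:20:13", "192.168.1.14", server_id="192.168.1.1",
                        router="192.168.1.1", dns="8.8.8.8", domain="lab.com", lease=3600)

if __name__ == "__main__":
    for name, pkt in (("rogue", ROGUE_OFFER), ("asa", ASA_OFFER)):
        print(name, classify(pkt, {"192.168.1.1"}, "192.168.1.1"))
```

The server identifier (option 54) is the field a detector should key on: a client cannot tell a rogue OFFER from a real one, but a monitoring host that broadcasts its own DISCOVER and inspects every OFFER it receives can, and the router option is a second, independent tell.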


Install Yersinia in Kali Linux using the apt-get install command and launch a DHCP starvation attack. The starvation flood (DISCOVER packets with randomised client MAC addresses) exhausts the ASA's pool of 41 addresses, so that a real client's next DISCOVER is answered only by the rogue dnsmasq.

root@kali:~# yersinia -h
-bash: yersinia: command not found
root@kali:~# apt-get install yersinia
Reading package lists... Done
Building dependency tree      
Reading state information... Done
The following packages were automatically installed and are no longer required:
  leafpad libisl19 liblirc-client0 liblouis17 libnfs12 libomp5-7 libproj13 miranda python-dns
  python-dnslib python-jsonpickle python-m2crypto python-pyqt5 python-twisted-web python-typing
  sslcaudit sslstrip
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  yersinia
0 upgraded, 1 newly installed, 0 to remove and 881 not upgraded.
Need to get 166 kB of archives.
After this operation, 464 kB of additional disk space will be used.
Get:1 http://ftp.yzu.edu.tw/Linux/kali kali-rolling/main amd64 yersinia amd64 0.8.2-2+b1 [166 kB]
Fetched 166 kB in 3s (48.9 kB/s)  

Selecting previously unselected package yersinia.
(Reading database ... 359644 files and directories currently installed.)
Preparing to unpack .../yersinia_0.8.2-2+b1_amd64.deb ...
Unpacking yersinia (0.8.2-2+b1) ...
Setting up yersinia (0.8.2-2+b1) ...
Processing triggers for man-db (2.8.7-3) ...


Launch the Yersinia tool in the interactive mode.

root@kali:~# yersinia -I
 Error: I need at least 25 rows and 80 columns for a proper display!!
        I can't work with only 24 rows and 102 columns, who do you think I am?
        Get a bigger window, press a key, and rerun yersinia :)

 
I was unable to run Yersinia in SecureCRT so I ran it in a Kali Linux terminal instead.


Press g to display Choose protocol mode > select DHCP (using the up/down arrow key) > press Enter.



Press x > 1 to select sending DISCOVER packets.




Change the LAN adapter setting on the Win7 machine (from the static IP 192.168.1.130) to obtain an IP address automatically via DHCP.

Go to Control Panel > Network and Internet > View network status and tasks > Change adapter settings > right-click Local Area Connection > Properties.
 

Select Internet Protocol Version 4 (TCP/IPv4) > select Obtain an IP address automatically > select Obtain DNS server address automatically > click OK.


Issue an ipconfig on Win7 to view its current IP address.

Notice it obtained a lease from the rogue DHCP server: IP address 192.168.1.114, default gateway 192.168.1.110 (Kali Linux), DNS suffix search list lab.net and a DHCP lease of 24 hours (1d). Every packet Win7 sends off-subnet now goes through Kali.
 

Mitigate the DHCP spoofing attack by enabling DHCP snooping on SW1.

First enable console logging on SW1. The do terminal monitor that follows copies the log messages to the current vty session as well, which is where this lab is driven from.

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#logging ?
  buffered          Set buffered logging parameters
  buginf            Enable buginf logging for debugging
  cns-events        Set CNS Event logging level
  console           Set console logging parameters
  count             Count every log message and timestamp last occurance
  exception         Limit size of exception flush output
  facility          Facility parameter for syslog messages
  file              Set logging file parameters
  history           Configure syslog history table
  host              Set syslog server IP address and parameters
  monitor           Set terminal line (monitor) logging parameters
  on                Enable logging to all enabled destinations
  rate-limit        Set messages per second limit
  reload            Set reload logging level
  source-interface  Specify interface for source address in logging transactions
  trap              Set syslog server logging level

SW1(config)#logging console
SW1(config)#do terminal monitor


Enable DHCP snooping globally. On its own this command only arms the feature; snooping becomes operational on a VLAN once that VLAN is also listed with ip dhcp snooping vlan.

SW1(config)#ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
  snooping                   DHCP Snooping

SW1(config)#ip dhcp snooping ?
  database     DHCP snooping database agent
  information  DHCP Snooping information
  verify       DHCP snooping verify
  vlan         DHCP Snooping vlan
  <cr>

SW1(config)#ip dhcp snooping


Configure the DHCP snooping database agent to write the binding table to flash, so that bindings survive a reload instead of every client having to renew its lease before it can talk again.

SW1(config)#ip dhcp snooping database flash:/dhcp-snoop.db
SW1(config)#
8w4d: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.
8w4d: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Write succeeded.


Configure the interface connected to the legitimate DHCP server (the Cisco ASA firewall) as trusted. Every other port stays untrusted, which makes the switch drop DHCP server messages (OFFER, ACK, NAK) arriving from the rogue dnsmasq on F0/1 while still forwarding client messages.

SW1(config)#do show run interface f0/8
Building configuration...

Current configuration : 77 bytes
!
interface FastEthernet0/8
 description ### ASA5515x: 192.168.1.1 ###
end

SW1(config)#interface f0/8
SW1(config-if)#ip dhcp ?
  client    DHCP client configuration
  relay     DHCP relay configuration parameters
  snooping  DHCP Snooping

SW1(config-if)#ip dhcp snooping ?
  limit  DHCP Snooping limit
  trust  DHCP Snooping trust config
  vlan   DHCP Snooping vlan

SW1(config-if)#ip dhcp snooping trust


NTP also needs to be configured for DHCP snooping to behave properly. The switch keeps logging that NTP is not running because the lease expiry times stored in the snooping database are absolute timestamps; without a synchronised clock, bindings reloaded from flash after a reboot carry wrong expiration times. The CSRv router in the lab already syncs to two public NTP servers, so SW1 is pointed at the same server and given the same time zone.

SW1(config-if)#
8w4d: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.

CSRv#show run | i ntp
ntp server 162.159.200.1
ntp server 34.208.249.133

CSRv#show clock
16:16:15.590 SGT Fri Nov 29 2019


SW1(config)#ntp server 162.159.200.1
SW1(config)#do show clock
.08:15:42.184 UTC Fri Nov 29 2019
SW1(config)#
SW1(config)#clock timezone ?
  WORD  name of time zone

SW1(config)#clock timezone SGT ?
  <-23 - 23>  Hours offset from UTC

SW1(config)#clock timezone SGT +8
SW1(config)#
8w4d: %SYS-6-CLOCKUPDATE: System clock has been updated from 08:16:59 UTC Fri Nov 29 2019 to 16:16:59 SGT Fri Nov 29 2019, configured from console by vty0 (192.168.1.100).
SW1(config)#do show clock       
16:17:06.300 SGT Fri Nov 29 2019


Configure DHCP snooping on VLAN 1 (the lab is a single flat network). This is the step that actually activates snooping on the VLAN; the global command alone does not inspect anything.

SW1(config)#ip dhcp snooping ?
  database     DHCP snooping database agent
  information  DHCP Snooping information
  verify       DHCP snooping verify
  vlan         DHCP Snooping vlan
  <cr>

SW1(config)#ip dhcp snooping vlan ?
  WORD  DHCP Snooping vlan fist number or vlan range, example: 1,3-5,7,9-11

SW1(config)#ip dhcp snooping vlan 1


Configure a DHCP snooping rate limit on SW1 interface F0/1, where Kali Linux (the attacker) is connected. The limit counts every DHCP packet entering the untrusted port; 10 pps is generous for a single client and still stops a starvation flood. Size it for what is really behind the port (F0/1 here is a NUC hosting several VMs), and do not leave untrusted ports unlimited, or a DISCOVER flood can exhaust the switch's own resources.

SW1#show run interface f0/1
Building configuration...

Current configuration : 128 bytes
!
interface FastEthernet0/1
 description ### NUC VM PC : 192.168.1.100 ###
 switchport mode access
 spanning-tree portfast
end

SW1(config)#interface f0/1
SW1(config-if)#ip dhcp snooping ?
  limit  DHCP Snooping limit
  trust  DHCP Snooping trust config
  vlan   DHCP Snooping vlan

SW1(config-if)#ip dhcp snooping limit ?
  rate  DHCP Snooping limit

SW1(config-if)#ip dhcp snooping limit rate ?
  <1-2048>  DHCP snooping rate limit

SW1(config-if)#ip dhcp snooping limit rate 10
SW1(config-if)#do terminal monitor


Launch Yersinia again in interactive mode and repeat the DISCOVER flood.
 



SW1 interface F0/1 went into the err-disabled state because the DHCP packet rate on F0/1 (Kali, the attacker running the rogue DHCP server and the flood) exceeded the configured 10 pps limit.

SW1#
3d21h: %DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping received 10 DHCP packets on interface Fa0/1
3d21h: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/1, putting Fa0/1 in err-disable state
3d21h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
3d21h: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
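The messages above are what a SOC would alert on. As an added example, not code from the original post, the Python below parses the DHCP snooping rate-limit and err-disable messages, plus the DAI deny message this switch logs once ARP inspection is enabled in Task 2, into structured events and summarises them per interface. The sample lines are constructed from the message formats shown in this post (one DAI line covering the other spoof direction is invented for the example), and the MAC inventory is an assumption.

```python
"""
Added example, not code from the original post: parse Catalyst DHCP snooping
and Dynamic ARP Inspection syslog messages into structured events and summarise
them per interface. SAMPLE_LOG is constructed from the formats shown in the
post; KNOWN_HOSTS is an assumed inventory.
"""
import re
from collections import defaultdict

INTF = r"(?P<intf>[^\s,]+)"          # 'Fa0/1' without the trailing comma
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) on "
    + INTF
    + r", vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
      r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<ts>[^\]]+)\]\)"
)
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on " + INTF)
RATE_WARN = re.compile(
    r"%DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping received "
    r"(?P<n>\d+) DHCP packets on interface " + INTF
)

SAMPLE_LOG = """\
3d21h: %DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping received 10 DHCP packets on interface Fa0/1
3d21h: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/1, putting Fa0/1 in err-disable state
3d21h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:45 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:47 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.1/000c.2968.2013/192.168.1.14/15:31:49 SGT Tue Dec 3 2019])
"""
# Assumed inventory, MAC -> description; the Kali MAC is the one ifconfig showed above.
KNOWN_HOSTS = {"00:0c:29:39:46:7e": "Kali VM (attacker)", "00:0c:29:68:20:13": "Win7 VM"}


def cisco_mac(mac):
    """'000c.2939.467e' -> '00:0c:29:39:46:7e' so it matches ifconfig and inventories."""
    digits = mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_line(line):
    """Return a structured event for the three message types, else None."""
    m = DAI_DENY.search(line)
    if m:
        return {"event": "dai_deny", "interface": m["intf"], "vlan": int(m["vlan"]),
                "count": int(m["count"]), "sender_mac": cisco_mac(m["smac"]),
                "sender_ip": m["sip"], "target_mac": cisco_mac(m["tmac"]), "target_ip": m["tip"]}
    m = ERR_DISABLE.search(line)
    if m:
        return {"event": "err_disable", "interface": m["intf"], "cause": m["cause"]}
    m = RATE_WARN.search(line)
    if m:
        return {"event": "dhcp_rate_warning", "interface": m["intf"], "packets": int(m["n"])}
    return None


def summarize(lines, known_hosts):
    """Per-interface findings: DAI denies, the IPs each MAC tried to claim,
    err-disable causes, and the inventory name for every offending MAC."""
    findings = defaultdict(lambda: {"dai_denies": 0, "claims": defaultdict(set),
                                    "err_disable_causes": set(), "dhcp_rate_warnings": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        f = findings[ev["interface"]]
        if ev["event"] == "dai_deny":
            f["dai_denies"] += ev["count"]
            f["claims"][ev["sender_mac"]].add(ev["sender_ip"])
        elif ev["event"] == "err_disable":
            f["err_disable_causes"].add(ev["cause"])
        else:
            f["dhcp_rate_warnings"] += 1
    for f in findings.values():
        f["suspects"] = {mac: known_hosts.get(mac, "unknown host") for mac in f["claims"]}
        f["claims"] = {mac: sorted(ips) for mac, ips in f["claims"].items()}
    return dict(findings)


if __name__ == "__main__":
    for intf, finding in summarize(SAMPLE_LOG.splitlines(), KNOWN_HOSTS).items():
        print(intf, finding)
```

The useful signal is the combination: one MAC on one port claiming more than one IP address, or claiming the gateway's, is an ARP spoofer, and a port that hits the DHCP rate limit and is also the source of DAI denies is the same attacker seen twice. Converting the Cisco dotted MAC form to colons is what lets the event join against DHCP server logs, ifconfig output and an asset inventory.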

SW1#show interface f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0023.5d47.4b82 (bia 0023.5d47.4b82)
  Description: ### NUC VM PC : 192.168.1.100 ###
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:13:28, output 00:00:34, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3915877 packets input, 1095499125 bytes, 0 no buffer
     Received 3688939 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 26326 multicast, 0 pause input
     0 input packets with dribble condition detected
     498804 packets output, 253781045 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


Re-enable the interface with a shutdown / no shutdown. Alternatively, let the switch recover it on its own with errdisable recovery cause dhcp-rate-limit (the wait is set with errdisable recovery interval), so that one misbehaving host cannot keep a port down until someone logs in.

SW1(config)#interface f0/1
SW1(config-if)#shutdown
SW1(config-if)#no shutdown
3d21h: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
SW1(config-if)#
3d21h: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
3d21h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up


You also need to ensure the switch has enough free memory to support DHCP snooping. The switch in this lab logged an I/O pool allocation failure from the DHCP Snooping process (memory fragmentation), so snooping was taken off VLAN 1 with no ip dhcp snooping vlan 1 until the problem could be addressed.

SW1(config-if)#
%SYS-2-MALLOCFAIL: Memory allocation of 756 bytes failed from 0x321D50, alignment 0
Pool: I/O  Free: 2280  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool

-Process= "DHCP Snooping", ipl= 0, pid= 158
-Traceback= BB37CC F48B40 F4DAF8 321D54 3221D0 324EF8 321020 3213D8 8E7ADC BE6EA4 BE7360 975510 96CAE4
SW1(config-if)#
SW1(config-if)#no ip dhcp snooping vlan 1


Disable and re-enable the Win7 LAN adapter to obtain a new DHCP lease (this time from the ASA).

Notice the new IP address 192.168.1.14 is from the ASA's (192.168.1.1) DHCP server pool.


Verify the DHCP snooping configuration using the show ip dhcp snooping command. Note the line Insertion of option 82 is enabled: this is the IOS default, and on an access switch that is not a DHCP relay it should normally be turned off with no ip dhcp snooping information option, because a DHCP server that does not understand option 82 (or rejects it when giaddr is zero) may discard the client's request.

SW1#show ip dhcp ?
  binding   DHCP address bindings
  conflict  DHCP address conflicts
  database  DHCP database agents
  import    Show Imported Parameters
  relay     Miscellaneous DHCP relay information
  server    Miscellaneous DHCP server information
  snooping  DHCP snooping

SW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is configured on the following Interfaces:

Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              no          10       
FastEthernet0/8              yes         unlimited


To verify the dynamic DHCP bindings in the DHCP snooping database, issue the show ip dhcp snooping binding command. A binding is created only for a lease that the switch sees on an untrusted port while snooping is active on that VLAN, so a host that obtained its address while snooping was off (as Win7 did above) does not appear until it renews, which is consistent with the empty table here.

SW1#show ip dhcp snooping ?     
  binding   DHCP snooping bindings
  database  DHCP snooping database agent
  |         Output modifiers
  <cr>

SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0


Verify the status of the DHCP snooping database agent. The 1993 timestamp on the last successful read is the switch's default clock from before NTP synchronised.

SW1#show ip dhcp snooping database
Agent URL : flash:/dhcp-snoop.db
Write delay Timer : 300 seconds
Abort Timer : 300 seconds

Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running

Last Succeded Time : 05:28:36 SGT Fri Mar 5 1993
Last Failed Time : None
Last Failed Reason : No failure recorded.

Total Attempts       :        1   Startup Failures :        0
Successful Transfers :        1   Failed Transfers :        0
Successful Reads     :        1   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0


Task 2: Configure ARP Inspection

apt cannot find a package called arpspoof: the tool ships inside the dsniff package, so install that instead.

root@kali:~# apt-get install arpspoof
Reading package lists... Done
Building dependency tree      
Reading state information... Done
E: Unable to locate package arpspoof


root@kali:~# sudo apt install dsniff
Reading package lists... Done
Building dependency tree      
Reading state information... Done
The following packages were automatically installed and are no longer required:
  leafpad libisl19 liblirc-client0 liblouis17 libnfs12 libomp5-7 libproj13 miranda python-dns
  python-dnslib python-jsonpickle python-m2crypto python-pyqt5 python-twisted-web python-typing
  sslcaudit sslstrip
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libnids1.21
The following NEW packages will be installed:
  dsniff libnids1.21
0 upgraded, 2 newly installed, 0 to remove and 904 not upgraded.
Need to get 130 kB of archives.
After this operation, 496 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.yzu.edu.tw/Linux/kali kali-rolling/main amd64 libnids1.21 amd64 1.24-5 [27.0 kB]
Get:2 http://ftp.yzu.edu.tw/Linux/kali kali-rolling/main amd64 dsniff amd64 2.4b1+debian-29 [103 kB]
Fetched 130 kB in 3s (38.7 kB/s)
Selecting previously unselected package libnids1.21:amd64.
(Reading database ... 359657 files and directories currently installed.)
Preparing to unpack .../libnids1.21_1.24-5_amd64.deb ...
Unpacking libnids1.21:amd64 (1.24-5) ...
Selecting previously unselected package dsniff.
Preparing to unpack .../dsniff_2.4b1+debian-29_amd64.deb ...
Unpacking dsniff (2.4b1+debian-29) ...
Setting up libnids1.21:amd64 (1.24-5) ...
Setting up dsniff (2.4b1+debian-29) ...
Processing triggers for libc-bin (2.29-1) ...
Processing triggers for man-db (2.8.7-3) ...


Perform ARP poisoning to redirect traffic from Win7 to the attacker (Kali Linux). arpspoof -t <target> <host> keeps telling the target (Win7, 192.168.1.14) that the host (the gateway, 192.168.1.1) is at Kali's MAC address 00:0c:29:39:46:7e, which is exactly what the replies below show.

root@kali:~# arpspoof -i eth0 -t 192.168.1.14 192.168.1.1
0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
<SNIP>


Open another terminal and poison the opposite direction, telling the Cisco ASA (default gateway) that Win7's address 192.168.1.14 is at Kali's MAC. With both directions poisoned Kali sits in the middle of the Win7 to gateway path, and the IP forwarding enabled at the start of Task 1 keeps the traffic flowing so neither side notices.

root@kali:~# arpspoof -i eth0 -t 192.168.1.1 192.168.1.14
0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:39:46:7e
<SNIP>


Launch a Wireshark in Kali Linux under Applications > 09 - Sniffing and Spoofing > Wireshark.


Double-click eth0 to start the packet capture.


Telnet from Win7 to SW1 (192.168.1.3).



Click Stop (red square icon) > type the display filter ip.addr==192.168.1.3 > click the arrow icon to apply it.


Select a TELNET packet > right-click > Follow > TCP Stream.


Notice that the Telnet session, including the enable password cisco, is displayed in clear text. Telnet carries credentials unencrypted, so anyone who can capture the segment's traffic reads them; management access should be SSH only (transport input ssh on the vty lines).



Configure ARP inspection for VLAN 1 using the ip arp inspection command. DAI validates every ARP packet arriving on an untrusted port against the DHCP snooping binding table (and any configured ARP ACLs), so it depends on Task 1 being in place; ports towards the gateway and other switches should be marked ip arp inspection trust. In the log messages that follow, each denied ARP comes from Kali's MAC 000c.2939.467e on Fa0/1 claiming to be 192.168.1.14 towards the ASA's MAC b0fa.eb97.72c9, which is the second arpspoof above being dropped at the switch.

SW1(config)#ip arp ?
  gratuitous  Gratuitous ARP control
  inspection  Arp Inspection configuration
  proxy       Global proxy ARP configuration

SW1(config)#ip arp inspection ?
  filter      Specify ARP acl to be applied
  log-buffer  Log Buffer Configuration
  validate    Validate addresses
  vlan        Enable/Disable ARP Inspection on vlans

SW1(config)#ip arp inspection vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11

SW1(config)#ip arp inspection vlan 1
SW1(config)#
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:45 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:47 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:49 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:51 SGT Tue Dec 3 2019])
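To make the two mechanisms concrete, here is an added example (not code from the original post) that models, in Python, the decisions the switch has been making since Task 1: dropping DHCP server messages on untrusted ports, learning bindings from ACKs, err-disabling a port that exceeds its DHCP rate limit, and, for DAI, forwarding an ARP on an untrusted port only when it matches a binding. Port names and addresses are the lab's; the port Win7 sits on (Fa0/2), the packets replayed, and the abbreviated log strings are assumptions for the example. The scenario also shows the failure mode of an empty binding table: an honest host with no binding has its ARP dropped too.

```python
"""
Added example, not code from the original post: a compact model of DHCP
snooping (untrusted-port filtering, binding table, rate limit) feeding Dynamic
ARP Inspection. Win7's port (Fa0/2), the packets and the log strings are
constructed for the example and only approximate real IOS behaviour.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

SERVER_MSGS = {"OFFER", "ACK", "NAK"}       # legitimate only from a trusted port


@dataclass
class Port:
    name: str
    trusted: bool = False                   # ip dhcp snooping trust / ip arp inspection trust
    rate_limit_pps: Optional[int] = None    # ip dhcp snooping limit rate N (None = unlimited)
    err_disabled: bool = False
    arrivals: deque = field(default_factory=deque)


class Switch:
    def __init__(self, ports, snooping_vlans=(), dai_vlans=()):
        self.ports = {p.name: p for p in ports}
        self.snooping_vlans = set(snooping_vlans)   # ip dhcp snooping vlan ...
        self.dai_vlans = set(dai_vlans)             # ip arp inspection vlan ...
        self.bindings = {}                          # (vlan, mac) -> (ip, port)
        self.log = []

    def _rate_limited(self, port, t):
        """Count DHCP packets in a sliding one-second window; exceeding the
        configured limit err-disables the port, as on the lab's Fa0/1."""
        if port.rate_limit_pps is None:
            return False
        port.arrivals.append(t)
        while port.arrivals[0] <= t - 1.0:
            port.arrivals.popleft()
        if len(port.arrivals) > port.rate_limit_pps:
            port.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: dhcp-rate-limit error detected on {port.name}")
            return True
        return False

    def dhcp(self, msg, ingress, vlan, client_mac, client_port, yiaddr=None, t=0.0):
        """Return 'forward' or 'drop' for a DHCP message entering on `ingress`."""
        port = self.ports[ingress]
        if port.err_disabled or self._rate_limited(port, t):
            return "drop"
        if vlan not in self.snooping_vlans:
            return "forward"                        # snooping inactive: nothing inspected or learned
        if msg in SERVER_MSGS and not port.trusted:
            self.log.append(f"%DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: {msg} dropped on {ingress}")
            return "drop"                           # this is what silences the rogue dnsmasq
        if msg == "ACK" and yiaddr and not self.ports[client_port].trusted:
            self.bindings[(vlan, client_mac.lower())] = (yiaddr, client_port)
        return "forward"

    def arp(self, ingress, vlan, sender_mac, sender_ip):
        """DAI: trusted ports and VLANs without DAI pass; everything else needs a
        matching (vlan, mac) -> ip binding (interface matching omitted here)."""
        port = self.ports[ingress]
        if vlan not in self.dai_vlans or port.trusted:
            return "forward"
        entry = self.bindings.get((vlan, sender_mac.lower()))
        if entry and entry[0] == sender_ip:
            return "forward"
        self.log.append(f"%SW_DAI-4-DHCP_SNOOPING_DENY: Invalid ARP on {ingress}, vlan {vlan} "
                        f"({sender_mac}/{sender_ip})")
        return "drop"


def lab_scenario():
    """Replay the post: rogue dnsmasq and Yersinia on Fa0/1, ASA on Fa0/8, Win7 on Fa0/2 (assumed)."""
    sw = Switch([Port("Fa0/1", rate_limit_pps=10), Port("Fa0/2"), Port("Fa0/8", trusted=True)],
                snooping_vlans=[1], dai_vlans=[1])
    kali, win7 = "00:0c:29:39:46:7e", "00:0c:29:68:20:13"
    r = {}
    # 1. dnsmasq's OFFER arrives on the untrusted port: dropped, Win7 never sees 192.168.1.114
    r["rogue_offer"] = sw.dhcp("OFFER", "Fa0/1", 1, win7, "Fa0/2", yiaddr="192.168.1.114")
    # 2. the ASA's ACK arrives on the trusted port: forwarded, and a binding is learned for Win7
    r["asa_ack"] = sw.dhcp("ACK", "Fa0/8", 1, win7, "Fa0/2", yiaddr="192.168.1.14")
    # 3. DAI: Win7 announcing its own address passes; Kali claiming 192.168.1.14 does not
    r["win7_arp"] = sw.arp("Fa0/2", 1, win7, "192.168.1.14")
    r["spoofed_arp"] = sw.arp("Fa0/1", 1, kali, "192.168.1.14")
    # 4. failure mode: a host whose lease predates snooping has no binding, so even its honest
    #    ARP is dropped (the 'Forwarded 0' seen in show ip arp inspection)
    r["unbound_arp"] = sw.arp("Fa0/2", 1, "00:0c:29:aa:bb:cc", "192.168.1.20")
    # 5. Yersinia flood: 11 DISCOVERs in half a second trip the 10 pps limit on Fa0/1
    r["flood"] = [sw.dhcp("DISCOVER", "Fa0/1", 1, kali, "Fa0/1", t=10 + i * 0.05)
                  for i in range(11)]
    return sw, r


if __name__ == "__main__":
    switch, results = lab_scenario()
    print(results)
    print("\n".join(switch.log))
```

Step 4 is the one to remember when rolling DAI out on a production VLAN: the switch does not distinguish an attacker from a host it simply never saw obtain a lease, so enable snooping first, wait for the binding table to fill, and give statically addressed hosts an ip source binding entry or an ARP ACL before turning inspection on.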


Stop the ARP spoofing in Kali Linux. Use Ctrl+C rather than Ctrl+Z: Ctrl+Z only suspends the process and leaves the victims' ARP caches poisoned until the entries age out, whereas on Ctrl+C arpspoof first sends a few corrective replies carrying the real MAC address before exiting (the second terminal below shows them: is-at 0:c:29:68:20:13 is Win7's real MAC).

0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
^Z
[1]+  Stopped                 arpspoof -i eth0 -t 192.168.1.14 192.168.1.1


0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:68:20:13
0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:68:20:13
^C0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:68:20:13
^Z
[1]+  Stopped                 arpspoof -i eth0 -t 192.168.1.1 192.168.1.14


Verify ARP inspection using the show ip arp inspection command. Read the counters carefully: Forwarded 0 with Dropped 114, all of them DHCP Drops, means every ARP packet on VLAN 1's untrusted ports was dropped, not just the spoofed ones. That is the expected outcome with an empty binding table, and it is why DAI must be deployed only after snooping has populated the bindings (or with static ip source binding entries or an ARP ACL for hosts with fixed addresses), with uplinks and the gateway port trusted.

SW1#show ip arp ?
  Async                Async interface
  BVI                  Bridge-Group Virtual Interface
  CTunnel              CTunnel interface
  Dialer               Dialer interface
  FastEthernet         FastEthernet IEEE 802.3
  Filter               Filter interface
  Filtergroup          Filter Group interface
  GigabitEthernet      GigabitEthernet IEEE 802.3z
  H.H.H                48-bit hardware address of ARP entry
  Hostname or A.B.C.D  IP address or hostname of ARP entry
  Lex                  Lex interface
  Loopback             Loopback interface
  Null                 Null interface
  Port-channel         Ethernet Channel of interfaces
  Portgroup            Portgroup interface
  Pos-channel          POS Channel of interfaces
  Tunnel               Tunnel interface
  Vif                  PGM Multicast Host interface
  Virtual-Template     Virtual Template interface
  Virtual-TokenRing    Virtual TokenRing
  Vlan                 Catalyst Vlans
  fcpa                 Fiber Channel
  inspection           Status of ARP Inspection
  summary              IP ARP table summary
  |                    Output modifiers
  <cr>

SW1#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active                        

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny 

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1              0            114            114              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    1              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    1                   0                        0                       0


SW1#show ip arp inspection statistics

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1              0            161            161              0

 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    1              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    1                   0                        0  


SW1#show ip arp inspection vlan 1

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active                        

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny 
 
