Task 1: Configure DHCP Snooping
Verify the IP address on Kali Linux using the ifconfig command.
root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.110  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::20c:29ff:fe39:467e  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:39:46:7e  txqueuelen 1000  (Ethernet)
        RX packets 43330  bytes 45725937 (43.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 35108  bytes 4125265 (3.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 448  bytes 31044 (30.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 448  bytes 31044 (30.3 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Verify IP forwarding is enabled. A value of 0 means IP forwarding is disabled and 1 means it's enabled.
Enable IP forwarding using the echo command.
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
0
root@kali:~# echo 1 >> /proc/sys/net/ipv4/ip_forward
root@kali:~# cat /proc/sys/net/ipv4/ip_forward
1
The Cisco ASA firewall is acting as both the DHCP server and the default gateway in my lab.
LAB-ASA5515x# show run dhcpd
dhcpd address 192.168.1.10-192.168.1.50 inside
dhcpd dns 8.8.8.8 4.2.2.2 interface inside
dhcpd domain lab.com interface inside
dhcpd enable inside
Configure a rogue DHCP server in Kali Linux using the dnsmasq command with the following parameters:
IP address range: 192.168.1.100 - 192.168.1.150
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.1.110 (Kali Linux)
DNS Server: 192.168.1.110
Domain Name: lab.net
DHCP Lease time: 1 day (24 hours)
root@kali:~# dnsmasq -d -F 192.168.1.100,192.168.1.150,255.255.255.0,1d --dhcp-option=3,192.168.1.110 --dhcp-option=15,"lab.net" --dhcp-option=6,192.168.1.110 -p 0
dnsmasq: started, version 2.80 DNS disabled
dnsmasq: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile
dnsmasq-dhcp: DHCP, IP range 192.168.1.100 -- 192.168.1.150, lease time 1d
Install Yersinia in Kali Linux using the apt-get install command and launch a DHCP starvation attack.
root@kali:~# yersinia -h
-bash: yersinia: command not found
root@kali:~# apt-get install yersinia
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  leafpad libisl19 liblirc-client0 liblouis17 libnfs12 libomp5-7 libproj13 miranda python-dns
  python-dnslib python-jsonpickle python-m2crypto python-pyqt5 python-twisted-web python-typing
  sslcaudit sslstrip
Use 'apt autoremove' to remove them.
The following NEW packages will be installed:
  yersinia
0 upgraded, 1 newly installed, 0 to remove and 881 not upgraded.
Need to get 166 kB of archives.
After this operation, 464 kB of additional disk space will be used.
Get:1 http://ftp.yzu.edu.tw/Linux/kali kali-rolling/main amd64 yersinia amd64 0.8.2-2+b1 [166 kB]
Fetched 166 kB in 3s (48.9 kB/s)
Selecting previously unselected package yersinia.
(Reading database ... 359644 files and directories currently installed.)
Preparing to unpack .../yersinia_0.8.2-2+b1_amd64.deb ...
Unpacking yersinia (0.8.2-2+b1) ...
Setting up yersinia (0.8.2-2+b1) ...
Processing triggers for man-db (2.8.7-3) ...
Launch the Yersinia tool in interactive mode.
root@kali:~# yersinia -I
Error: I need at least 25 rows and 80 columns for a proper display!!
I can't work with only 24 rows and 102 columns, who do you think I am?
Get a bigger window, press a key, and rerun yersinia :)
I was unable to run Yersinia in SecureCRT, so I ran it in a Kali Linux terminal instead.
Press g to display Choose protocol mode > select DHCP (using the up/down arrow key) > press Enter.
Press x > 1 to select sending DISCOVER packets.
Change the LAN adapter setting on the Win7 machine (from static IP 192.168.1.130) to automatically obtain an IP address via DHCP.
Go to Control Panel > Network and Internet > View network status and tasks > Change adapter settings > right-click Local Area Connection > Properties.
Select Internet Protocol Version 4 (TCP/IPv4) > select Obtain an IP address automatically > select Obtain DNS server address automatically > click OK.
Issue an ipconfig on Win7 to view its current IP address.
Notice it obtained an address from the rogue DHCP server: IP address 192.168.1.114, Default Gateway: 192.168.1.110 (Kali Linux), DNS Suffix Search List: lab.net and a DHCP Lease of 24 hours (1d).
Mitigate the DHCP spoofing attack by enabling DHCP snooping on SW1.
Enable console logging on SW1.
SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#logging ?
  buffered          Set buffered logging parameters
  buginf            Enable buginf logging for debugging
  cns-events        Set CNS Event logging level
  console           Set console logging parameters
  count             Count every log message and timestamp last occurance
  exception         Limit size of exception flush output
  facility          Facility parameter for syslog messages
  file              Set logging file parameters
  history           Configure syslog history table
  host              Set syslog server IP address and parameters
  monitor           Set terminal line (monitor) logging parameters
  on                Enable logging to all enabled destinations
  rate-limit        Set messages per second limit
  reload            Set reload logging level
  source-interface  Specify interface for source address in logging transactions
  trap              Set syslog server logging level
SW1(config)#logging console
SW1(config)#do terminal monitor
Enable DHCP snooping.
SW1(config)#ip dhcp ?
  conflict                   DHCP address conflict parameters
  database                   Configure DHCP database agents
  excluded-address           Prevent DHCP from assigning certain addresses
  limited-broadcast-address  Use all 1's broadcast address
  ping                       Specify ping parameters used by DHCP
  pool                       Configure DHCP address pools
  relay                      DHCP relay agent parameters
  smart-relay                Enable Smart Relay feature
  snooping                   DHCP Snooping
SW1(config)#ip dhcp snooping ?
  database     DHCP snooping database agent
  information  DHCP Snooping information
  verify       DHCP snooping verify
  vlan         DHCP Snooping vlan
  <cr>
SW1(config)#ip dhcp snooping
Configure the DHCP snooping database in flash memory.
SW1(config)#ip dhcp snooping database flash:/dhcp-snoop.db
SW1(config)#
8w4d: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.
8w4d: %DHCP_SNOOPING-6-AGENT_OPERATION_SUCCEEDED: DHCP snooping database Write succeeded.
Configure the interface connected to the legitimate DHCP server (Cisco ASA firewall) as trusted.
SW1(config)#do show run interface f0/8
Building configuration...
Current configuration : 77 bytes
!
interface FastEthernet0/8
 description ### ASA5515x: 192.168.1.1 ###
end
SW1(config)#interface f0/8
SW1(config-if)#ip dhcp ?
  client    DHCP client configuration
  relay     DHCP relay configuration parameters
  snooping  DHCP Snooping
SW1(config-if)#ip dhcp snooping ?
  limit  DHCP Snooping limit
  trust  DHCP Snooping trust config
  vlan   DHCP Snooping vlan
SW1(config-if)#ip dhcp snooping trust
You need to configure NTP for DHCP snooping to work properly.
SW1(config-if)#
8w4d: %DHCP_SNOOPING-4-NTP_NOT_RUNNING: NTP is not running; reloaded binding lease expiration times are incorrect.
CSRv#show run | i ntp
ntp server 162.159.200.1
ntp server 34.208.249.133
CSRv#show clock
16:16:15.590 SGT Fri Nov 29 2019
SW1(config)#ntp server 162.159.200.1
SW1(config)#do show clock
.08:15:42.184 UTC Fri Nov 29 2019
SW1(config)#
SW1(config)#clock timezone ?
  WORD  name of time zone
SW1(config)#clock timezone SGT ?
  <-23 - 23>  Hours offset from UTC
SW1(config)#clock timezone SGT +8
SW1(config)#
8w4d: %SYS-6-CLOCKUPDATE: System clock has been updated from 08:16:59 UTC Fri Nov 29 2019 to 16:16:59 SGT Fri Nov 29 2019, configured from console by vty0 (192.168.1.100).
SW1(config)#do show clock
16:17:06.300 SGT Fri Nov 29 2019
Configure DHCP snooping on VLAN 1. I just have a flat network in my lab.
SW1(config)#ip dhcp snooping ?
  database     DHCP snooping database agent
  information  DHCP Snooping information
  verify       DHCP snooping verify
  vlan         DHCP Snooping vlan
  <cr>
SW1(config)#ip dhcp snooping vlan ?
  WORD  DHCP Snooping vlan fist number or vlan range, example: 1,3-5,7,9-11
SW1(config)#ip dhcp snooping vlan 1
Configure a DHCP snooping rate limit on SW1 interface F0/1, where Kali Linux (Attacker) is connected.
SW1#show run interface f0/1
Building configuration...
Current configuration : 128 bytes
!
interface FastEthernet0/1
 description ### NUC VM PC : 192.168.1.100 ###
 switchport mode access
 spanning-tree portfast
end
SW1(config)#interface f0/1
SW1(config-if)#ip dhcp snooping ?
  limit  DHCP Snooping limit
  trust  DHCP Snooping trust config
  vlan   DHCP Snooping vlan
SW1(config-if)#ip dhcp snooping limit ?
  rate  DHCP Snooping limit
SW1(config-if)#ip dhcp snooping limit rate ?
  <1-2048>  DHCP snooping rate limit
SW1(config-if)#ip dhcp snooping limit rate 10
SW1(config-if)#do terminal monitor
Launch Yersinia again in interactive mode.
SW1 interface F0/1 went into the err-disabled state because the DHCP packets received on F0/1 exceeded the rate limit (rogue DHCP server).
SW1#
3d21h: %DHCP_SNOOPING-4-DHCP_SNOOPING_ERRDISABLE_WARNING: DHCP Snooping received 10 DHCP packets on interface Fa0/1
3d21h: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/1, putting Fa0/1 in err-disable state
3d21h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
3d21h: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
SW1#show interface f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0023.5d47.4b82 (bia 0023.5d47.4b82)
  Description: ### NUC VM PC : 192.168.1.100 ###
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:13:28, output 00:00:34, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     3915877 packets input, 1095499125 bytes, 0 no buffer
     Received 3688939 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 26326 multicast, 0 pause input
     0 input packets with dribble condition detected
     498804 packets output, 253781045 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out
Re-enable the interface with a shutdown/no shutdown command.
SW1(config)#interface f0/1
SW1(config-if)#shutdown
SW1(config-if)#no shutdown
3d21h: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
SW1(config-if)#
3d21h: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
3d21h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
You'll also need to ensure the switch has enough memory to support DHCP snooping.
SW1(config-if)#
%SYS-2-MALLOCFAIL: Memory allocation of 756 bytes failed from 0x321D50, alignment 0
Pool: I/O  Free: 2280  Cause: Memory fragmentation
Alternate Pool: None  Free: 0  Cause: No Alternate pool
 -Process= "DHCP Snooping", ipl= 0, pid= 158
 -Traceback= BB37CC F48B40 F4DAF8 321D54 3221D0 324EF8 321020 3213D8 8E7ADC BE6EA4 BE7360 975510 96CAE4
SW1(config-if)#
SW1(config-if)#no ip dhcp snooping vlan 1
Disable/re-enable the Win7 LAN adapter to retrieve a new DHCP IP address (from ASA).
Notice the new IP address 192.168.1.14 is from the ASA (192.168.1.1) DHCP server pool.
Verify the DHCP snooping configuration using the show ip dhcp snooping command.
SW1#show ip dhcp ?
  binding   DHCP address bindings
  conflict  DHCP address conflicts
  database  DHCP database agents
  import    Show Imported Parameters
  relay     Miscellaneous DHCP relay information
  server    Miscellaneous DHCP server information
  snooping  DHCP snooping
SW1#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1
DHCP snooping is configured on the following Interfaces:
Insertion of option 82 is enabled
   circuit-id format: vlan-mod-port
    remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              no          10
FastEthernet0/8              yes         unlimited
To verify dynamic DHCP bindings in the DHCP snooping database, issue a show ip dhcp snooping binding command.
SW1#show ip dhcp snooping ?
  binding   DHCP snooping bindings
  database  DHCP snooping database agent
  |         Output modifiers
  <cr>
SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
Total number of bindings: 0
To verify the status of the DHCP snooping database, issue a show ip dhcp snooping database command.
SW1#show ip dhcp snooping database
Agent URL : flash:/dhcp-snoop.db
Write delay Timer : 300 seconds
Abort Timer : 300 seconds
Agent Running : No
Delay Timer Expiry : Not Running
Abort Timer Expiry : Not Running
Last Succeded Time : 05:28:36 SGT Fri Mar 5 1993
Last Failed Time : None
Last Failed Reason : No failure recorded.
Total Attempts       :        1   Startup Failures :        0
Successful Transfers :        1   Failed Transfers :        0
Successful Reads     :        1   Failed Reads     :        0
Successful Writes    :        0   Failed Writes    :        0
Media Failures       :        0
Task 2: Configure ARP Inspection
There's an error when installing arpspoof in Kali Linux. Install dsniff instead.
root@kali:~# apt-get install arpspoof
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package arpspoof
root@kali:~# sudo apt install dsniff
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  leafpad libisl19 liblirc-client0 liblouis17 libnfs12 libomp5-7 libproj13 miranda python-dns
  python-dnslib python-jsonpickle python-m2crypto python-pyqt5 python-twisted-web python-typing
  sslcaudit sslstrip
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
  libnids1.21
The following NEW packages will be installed:
  dsniff libnids1.21
0 upgraded, 2 newly installed, 0 to remove and 904 not upgraded.
Need to get 130 kB of archives.
After this operation, 496 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://ftp.yzu.edu.tw/Linux/kali kali-rolling/main amd64 libnids1.21 amd64 1.24-5 [27.0 kB]
Get:2 http://ftp.yzu.edu.tw/Linux/kali kali-rolling/main amd64 dsniff amd64 2.4b1+debian-29 [103 kB]
Fetched 130 kB in 3s (38.7 kB/s)
Selecting previously unselected package libnids1.21:amd64.
(Reading database ... 359657 files and directories currently installed.)
Preparing to unpack .../libnids1.21_1.24-5_amd64.deb ...
Unpacking libnids1.21:amd64 (1.24-5) ...
Selecting previously unselected package dsniff.
Preparing to unpack .../dsniff_2.4b1+debian-29_amd64.deb ...
Unpacking dsniff (2.4b1+debian-29) ...
Setting up libnids1.21:amd64 (1.24-5) ...
Setting up dsniff (2.4b1+debian-29) ...
Processing triggers for libc-bin (2.29-1) ...
Processing triggers for man-db (2.8.7-3) ...
Perform ARP poisoning to redirect traffic from Win7 to the Attacker (Kali Linux).
root@kali:~# arpspoof -i eth0 -t 192.168.1.14 192.168.1.1
0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
<SNIP>
Open another terminal to perform ARP poisoning in the opposite direction: Cisco ASA (default gateway) to Win7.
root@kali:~# arpspoof -i eth0 -t 192.168.1.1 192.168.1.14
0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:39:46:7e
<SNIP>
Launch Wireshark in Kali Linux under Applications > 09 - Sniffing and Spoofing > Wireshark.
Double-click eth0 to start the packet capture.
Telnet from Win7 to SW1 (192.168.1.3).
Click Stop (red square icon) > type a filter: ip.addr==192.168.1.3 > click go (blue arrow icon).
Select a TELNET packet > right-click > Follow > TCP Stream.
Notice that the Telnet output and the enable password (cisco) were displayed in clear text.
Configure ARP inspection for VLAN 1 using the ip arp inspection command.
SW1(config)#ip arp ?
  gratuitous  Gratuitous ARP control
  inspection  Arp Inspection configuration
  proxy       Global proxy ARP configuration
SW1(config)#ip arp inspection ?
  filter      Specify ARP acl to be applied
  log-buffer  Log Buffer Configuration
  validate    Validate addresses
  vlan        Enable/Disable ARP Inspection on vlans
SW1(config)#ip arp inspection vlan ?
  WORD  vlan range, example: 1,3-5,7,9-11
SW1(config)#ip arp inspection vlan 1
SW1(config)#
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:45 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:47 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:49 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:51 SGT Tue Dec 3 2019])
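Each DAI deny message above carries the sender MAC, sender IP, target MAC and target IP of the dropped ARP packet, and the earlier err-disable message names the port and its cause. The Python parser below is an added example, not part of the original post; it summarizes both message types per port, and the fourth sample line is constructed for illustration.

```python
import re
from collections import defaultdict

# The first three lines are taken from the switch output on this page (joined
# onto one line each); the fourth is constructed to show the reverse direction.
SAMPLE_LOG = """\
3d21h: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/1, putting Fa0/1 in err-disable state
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:45 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.14/b0fa.eb97.72c9/192.168.1.1/15:31:47 SGT Tue Dec 3 2019])
3d22h: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([000c.2939.467e/192.168.1.1/000c.2968.2013/192.168.1.14/15:31:48 SGT Tue Dec 3 2019])
"""

# Bracketed record layout: sender MAC / sender IP / target MAC / target IP / time.
DAI_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<kind>Req|Res)\) "
    r"on (?P<port>[^,\s]+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/(?P<time>[^\]]+)\]\)"
)
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>[^,\s]+),")


def summarize(log_text):
    """Return (claims, errdisabled).

    claims maps (port, sender MAC) -> {claimed sender IP: dropped ARP count};
    errdisabled is a list of (port, cause) tuples in log order.
    """
    claims = defaultdict(lambda: defaultdict(int))
    errdisabled = []
    for line in log_text.splitlines():
        m = DAI_RE.search(line)
        if m:
            claims[(m["port"], m["smac"])][m["sip"]] += int(m["count"])
            continue
        m = ERRDIS_RE.search(line)
        if m:
            errdisabled.append((m["port"], m["cause"]))
    return claims, errdisabled


def suspects(claims, min_ips=2):
    """Sender MACs that claimed several IPs on one port, the trace two-way ARP poisoning leaves."""
    return sorted(
        (port, mac, sorted(ips))
        for (port, mac), ips in claims.items()
        if len(ips) >= min_ips
    )


if __name__ == "__main__":
    claims, errdisabled = summarize(SAMPLE_LOG)
    for port, cause in errdisabled:
        print(f"{port}: err-disabled ({cause})")
    for port, mac, ips in suspects(claims):
        print(f"{port}: {mac} claimed {', '.join(ips)}")
```
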
Stop the ARP spoofing in Kali Linux by pressing Ctrl+z.
0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
0:c:29:39:46:7e 0:c:29:68:20:13 0806 42: arp reply 192.168.1.1 is-at 0:c:29:39:46:7e
^Z
[1]+  Stopped                 arpspoof -i eth0 -t 192.168.1.14 192.168.1.1
0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:68:20:13
0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:68:20:13
^C0:c:29:39:46:7e b0:fa:eb:97:72:c9 0806 42: arp reply 192.168.1.14 is-at 0:c:29:68:20:13
^Z
[1]+  Stopped                 arpspoof -i eth0 -t 192.168.1.1 192.168.1.14
Verify ARP inspection using the show ip arp inspection command.
SW1#show ip arp ?
  Async              Async interface
  BVI                Bridge-Group Virtual Interface
  CTunnel            CTunnel interface
  Dialer             Dialer interface
  FastEthernet       FastEthernet IEEE 802.3
  Filter             Filter interface
  Filtergroup        Filter Group interface
  GigabitEthernet    GigabitEthernet IEEE 802.3z
  H.H.H              48-bit hardware address of ARP entry
  Hostname or A.B.C.D  IP address or hostname of ARP entry
  Lex                Lex interface
  Loopback           Loopback interface
  Null               Null interface
  Port-channel       Ethernet Channel of interfaces
  Portgroup          Portgroup interface
  Pos-channel        POS Channel of interfaces
  Tunnel             Tunnel interface
  Vif                PGM Multicast Host interface
  Virtual-Template   Virtual Template interface
  Virtual-TokenRing  Virtual TokenRing
  Vlan               Catalyst Vlans
  fcpa               Fiber Channel
  inspection         Status of ARP Inspection
  summary            IP ARP table summary
  |                  Output modifiers
  <cr>
SW1#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active
 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1              0            114            114              0
 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    1              0              0                     0
 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    1                   0                        0                       0
SW1#show ip arp inspection statistics
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1              0            161            161              0
 Vlan   DHCP Permits    ACL Permits   Source MAC Failures
 ----   ------------    -----------   -------------------
    1              0              0                     0
 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    1                   0                        0
SW1#show ip arp inspection vlan 1
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active
 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    1     Deny             Deny