Important change to IP Source Guard ARP Inspection

PeterUK
PeterUK Posts: 1,090  Guru Member
edited August 23 in Switch

Setup as out lined here

https://community.zyxel.com/en/discussion/11376/making-proxy-arp-more-secure#latest

Because I have proxy arp on the VPN300 and using the GS2210-24 to Send the packet to the egress port for ARP this bypasses the ARP Inspection check.

Would it be possible to do ARP Inspection before Send the packet to the egress port for ARP?

Thanks

«1

All Replies

  • Zyxel_Adam
    Zyxel_Adam Posts: 137  Zyxel Employee
    edited August 24
    Hi @PeterUK,

    May we know that what is the purpose and application of configuring Proxy ARP in a same subnet(192.168.255.48/28)?

    Proxy ARP usually configures on a router/gateway device between two different subnet.
    Adam
  • PeterUK
    PeterUK Posts: 1,090  Guru Member
    edited August 24

    Its a way to stop ARP spoofing the gateway with the switch doing packet to the egress port for ARP to the gateway but Proxy ARP allows connections between PC's on that subnet through the VPN300.

    When PC1 192.168.255.55 wants to send traffic to PC 192.168.255.53 ARP is not sent to PC2 by PC1 it goes to the VPN300 the Proxy ARP replies with its MAC and ARP to PC2 and traffic from PC1 sends to VPN300 then to PC2.

    But I still need ARP Inspection to be done by the switch to stop local ARP spoofing when proxy ARP say who has IP to stop any PC on the network saying at this MAC spoof.


  • PeterUK
    PeterUK Posts: 1,090  Guru Member
    edited August 24

    More testing with ARP and IP Source Guard ARP Inspection on the switch.

    So I might be over complicating the setup but it does have a need.

    I was thinking ARP spoofing for the gateway can done even with IP Source Guard ARP Inspection because the untrusted ports could ARP freely to a untrusted but with I quick test without proxy arp with Colasoft Packet Builder 2.0 to send a fake gateway MAC it failed.

    But the way I have setup with proxy arp is you can firewall PC1 and PC2 (or anything on the subnet) with VPN300 to each other as is goes by the VPN300 and not the switch and the only thing missing is ARP Inspection which gets bypasses by doing Send the packet to the egress port for ARP which if fixed by doing ARP Inspection first.


  • Zyxel_Adam
    Zyxel_Adam Posts: 137  Zyxel Employee
    edited August 25
    @PeterUK,

    Thanks for your sharing.
    However, since you are using ACL (classifier and policy rule) to make your client's ARP sending to egree port 17. The priority of ACL is higher than ARP inspection becasue ACL is functioning in switch hardware level.
    Adam
  • PeterUK
    PeterUK Posts: 1,090  Guru Member
    edited August 25
    @PeterUK,

    Thanks for your sharing.
    However, since you are using ACL (classifier and policy rule) to make your client's ARP sending to egree port 17. The priority of ACL is higher than ARP inspection becasue ACL is functioning in switch hardware level.

    Yes but surely you can do ARP inspection first to drop or allow then goes to ACL policy rule by a firmware change?


  • Zyxel_Adam
    Zyxel_Adam Posts: 137  Zyxel Employee
    edited August 27
    @PeterUK,

    There is another way may fulfill your scenario is that you could use port isolation on PC port (15,16,18) instead of using Classifer & Policy rule. In this way, switch does ARP inspection first then forwarding client's ARP packet to port 17.

    I've also tested that all PCs are able to ping each other with Proxy ARP enabled on VPN300.
    Adam
  • PeterUK
    PeterUK Posts: 1,090  Guru Member
    edited August 27
    You mean change VLAN Type to Port Based from 802.1Q? can't do that as I need the switch in 802.1Q that and I need broadcast traffic between PC's like NetBIOS.  

    Is their no way to place the ARP inspection first?
  • Zyxel_Adam
    Zyxel_Adam Posts: 137  Zyxel Employee
    edited August 27
    @PeterUK,

    You can also enable port isolation at Advenced Application > VLAN > VLAN configuration > VLAN Port Setup page.


    Notice that port with isolation enabled will be VLAN unawared. 
    Adam
  • Zyxel_Albert
    Zyxel_Albert Posts: 36  Zyxel Employee
    "ACL" always precedes "ARP inspection". "Port isolation" is an alternative to "ACL" which will block ARP packet between end devices but forward to VPN300. By doing so, you can enable "ARP inspection/IPSG" at the same time which protect your network against ARP spoofing.  
  • PeterUK
    PeterUK Posts: 1,090  Guru Member
    edited August 27

    That sadly don't allow broadcast traffic between PC's like NetBIOS unless you can make isolation work to allow broadcast traffic? It would mean the switch needs to know the subnets to allow between ports.

    or maybe just a ARP isolation option would work?

    I get you say "ACL" always precedes "ARP inspection" but surly the order can be changed in firmware?