Tag Archives: DHCP

Dynamic ARP Protection in an HP Procurve Network

ARP Poisoning is a problem on Ethernet-based networks.

If you have HP Procurve switches and a DHCP enabled network, you have the option of enabling ARP Protection.

In order for ARP Protection to work, DHCP Snooping also has to be enabled. This is because the switch builds a table of MAC to IP pairs based on the address that the DHCP server allocates to clients. Once the switch has this table, it knows which MAC addresses should be allowed to communicate using certain IP addresses.

Configuring ARP Protection is simple: trust your uplink ports and protect a VLAN. Protection can also be enabled on a port-by-port basis.

First, enable DHCP snooping if it hasn’t already been enabled.

switch# config t

Enable it globally

switch(config)# dhcp-snooping

Trust inter-switch links

switch(config)# interface 51

switch(eth-51)# dhcp-snooping trust

switch(eth-51)# exit

switch(config)# interface 52

switch(eth-52)# dhcp-snooping trust

switch(eth-52)# exit

Then protect the specific VLAN that needs to be protected.

switch(config)# dhcp-snooping vlan 2222

Once DHCP snooping has been configured, ARP protection can be enabled.

Enable it globally

switch(config)# arp-protect

Trust inter-switch links

switch(config)# arp-protect trust 51-52

Then protect the specific VLAN that needs to be protected.

switch(config)# arp-protect vlan 2222

This is a very basic overview of dynamic ARP protection. Here are some diagrams to help explain what ARP poisoning is, and what ARP protection does to protect against it.

[Diagram: ARP poisoning]

[Diagram: ARP protection]
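As an added illustration (not from the original post), here is a small Python model of the two things the switch does once the configuration above is in place: DHCP ACKs seen on trusted ports populate the snooping binding table, and ARP frames arriving on untrusted ports in a protected VLAN are checked against that table. The port numbers, VLAN, MAC and IP values are constructed for the example.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Constructed model of a switch running DHCP snooping + dynamic ARP protection."""
    trusted_ports: set = field(default_factory=set)   # uplinks (e.g. {51, 52})
    protected_vlans: set = field(default_factory=set)  # VLANs with arp-protect enabled
    bindings: dict = field(default_factory=dict)       # (vlan, client MAC) -> leased IP

    def learn_dhcp_ack(self, port, vlan, client_mac, yiaddr):
        """DHCP snooping: a lease counts only if the ACK came in on a trusted port."""
        if port not in self.trusted_ports:
            return False    # ACK from an access port (unauthorised DHCP server) is ignored
        self.bindings[(vlan, client_mac)] = yiaddr
        return True

    def inspect_arp(self, port, vlan, frame):
        """Dynamic ARP protection: 'allow' or 'drop' a raw Ethernet+ARP frame (42 bytes)."""
        if port in self.trusted_ports or vlan not in self.protected_vlans:
            return "allow"
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            return "allow"  # not ARP; nothing for ARP protection to check
        # ARP header fields: htype, ptype, hlen, plen, op, sender MAC, sender IP, target MAC, target IP
        _, _, _, _, _op, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
        sender_mac = sha.hex(":")
        sender_ip = ".".join(str(b) for b in spa)
        if self.bindings.get((vlan, sender_mac)) == sender_ip:
            return "allow"
        return "drop"       # sender MAC/IP pair was never handed out by DHCP on this VLAN

def arp_frame(sender_mac, sender_ip, target_ip, op=2):
    """Build a constructed broadcast Ethernet+ARP frame (op 2 = reply) for the model."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + b"\x08\x06"
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                      bytes(int(x) for x in sender_ip.split(".")),
                      b"\x00" * 6, bytes(int(x) for x in target_ip.split(".")))
    return eth + arp

def demo():
    """Constructed scenario: uplinks 51-52 trusted, VLAN 2222 protected (as in the config above)."""
    sw = Switch(trusted_ports={51, 52}, protected_vlans={2222})
    sw.learn_dhcp_ack(51, 2222, "aa:bb:cc:00:00:01", "10.22.22.10")   # lease seen on the uplink
    legit = sw.inspect_arp(5, 2222, arp_frame("aa:bb:cc:00:00:01", "10.22.22.10", "10.22.22.1"))
    # an ARP reply for the gateway's IP from a MAC that holds no lease for it is what the feature drops
    spoof = sw.inspect_arp(6, 2222, arp_frame("de:ad:be:ef:00:02", "10.22.22.1", "10.22.22.10"))
    return legit, spoof   # ("allow", "drop")
```

Calling demo() shows the two outcomes side by side: the leased host's ARP reply passes, the unbound one is dropped, while anything on a trusted uplink or an unprotected VLAN is never inspected.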

Script for a DHCP address renewal

Normally my Internet connection is pretty good, but once every couple of months the provider changes something and my current IP address no longer works. The lease, which is set to last 48 hours, doesn’t actually expire, so I lose Internet connectivity until a new renewal. It’s easy to do this by hand, but that doesn’t work when I’m not at home.

This is a script that checks to see if I’m connected to the Internet, and if it fails three times in a row, it connects to the router (pfSense in this case) and performs a DHCP release and renew.

#!/bin/bash
# change to some writeable directory (stop if we can't, so state files don't land elsewhere)
cd /home/user || exit 1

# check various sites (-s keeps curl's progress meter out of the cron mail)
curl -s http://www.msn.com > internetchecksites
curl -s http://www.yahoo.com >> internetchecksites
curl -s http://www.google.com >> internetchecksites
curl -s http://www.cnn.com >> internetchecksites
curl -s http://www.cisco.com >> internetchecksites
curl -s http://www.hp.com >> internetchecksites

# count the number of lines received over http
# should be tons of crap from one of these alone
sizeofsites=$(wc -l < internetchecksites)

# check to see if there are less than ten lines of HTML
if [ "$sizeofsites" -lt 10 ]; then
    # mark a failure to the failure file
    echo "strike" >> failedchecks
else
    # reset the failure count
    rm -f failedchecks
    touch failedchecks
fi

# if check has failed 3 times run the dhcp renewal process
if [ "$(wc -l < failedchecks)" -ge 3 ]; then
    curl -su admin:somepassword http://192.168.x.x/status_interfaces.php -d interface="wan" -d submit="Release" >> pf
    curl -su admin:somepassword http://192.168.x.x/status_interfaces.php -d interface="wan" -d submit="Renew" >> pf
    rm -f pf
fi

exit

Now just stick this script in your crontab for every 5 minutes or so.

~$ crontab -e

Add this line

*/5 * * * * /home/user/checkinternetscript.sh

The */5 is for every five minutes.

Make sure the script is executable with a nice chmod +x.

The hardest part is determining what commands need to be sent to the HTTP interface on your router for a renewal.

This can be done by viewing the source code of the web page, or by taking a packet capture of a manual release and renew.

Make sure other users can’t append to your failedchecks file, or they can trigger a DHCP release/renew.