
Dynamic ARP Protection in an HP Procurve Network

ARP Poisoning is a problem on Ethernet based networks.

If you have HP Procurve switches and a DHCP enabled network, you have the option of enabling ARP Protection.

In order for ARP Protection to work, DHCP Snooping also has to be enabled. This is because the switch builds a table of MAC to IP pairs based on the address that the DHCP server allocates to clients. Once the switch has this table, it knows which MAC addresses should be allowed to communicate using certain IP addresses.

Configuring ARP Protection is simple, just trust your uplink ports and protect a VLAN. Protection can also be enabled on a port-by-port basis.

First, enable DHCP snooping if it hasn't already been enabled.

switch# config t

Enable it globally

switch(config)# dhcp-snooping

Trust inter-switch links

switch(config)# interface 51

switch(eth-51)# dhcp-snooping trust

switch(eth-51)# exit

switch(config)# interface 52

switch(eth-52)# dhcp-snooping trust

switch(eth-52)# exit

Then protect the specific VLAN that needs to be protected.

switch(config)# dhcp-snooping vlan 2222

Once DHCP snooping has been configured, ARP protection can be enabled.

Enable it globally

switch(config)# arp-protect

Trust inter-switch links

switch(config)# arp-protect trust 51-52

Then protect the specific VLAN that needs to be protected.

switch(config)# arp-protect vlan 2222
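To make the mechanism behind those commands concrete, here is an added example (not HP ProCurve firmware, configuration or documentation) that models the check the switch performs once both features are on. DHCP snooping records every lease the server hands out as a MAC/IP/VLAN/port binding; on a protected VLAN, an ARP frame arriving on an untrusted port is forwarded only when its sender MAC/IP pair matches one of those bindings, while frames on trusted (uplink) ports are never inspected. The class names, the port-match rule and the leases and frames in run_demo() are all constructed for this illustration; the real binding database and validation rules are more detailed.

```python
"""Simplified model of dynamic ARP protection backed by DHCP snooping.

Added illustration, not HP ProCurve code: the classes below model the
behaviour described in the post, and every lease, MAC address and ARP
frame in run_demo() is constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One entry in the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    port: int


@dataclass(frozen=True)
class ArpFrame:
    """The fields of an ARP frame the check cares about."""
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress_port: int


class ArpProtectSwitch:
    def __init__(self, trusted_ports, protected_vlans):
        self.trusted_ports = set(trusted_ports)      # arp-protect trust 51-52
        self.protected_vlans = set(protected_vlans)  # arp-protect vlan 2222
        self.bindings = {}                           # (vlan, ip) -> Binding

    def learn_dhcp_ack(self, mac, ip, vlan, port):
        """DHCP snooping: store the lease the server just acknowledged."""
        self.bindings[(vlan, ip)] = Binding(mac.lower(), ip, vlan, port)

    def check_arp(self, frame):
        """Return (forward, reason) for an ARP frame entering the switch."""
        if frame.vlan not in self.protected_vlans:
            return True, "VLAN not protected"
        if frame.ingress_port in self.trusted_ports:
            return True, "trusted port, not inspected"
        binding = self.bindings.get((frame.vlan, frame.sender_ip))
        if binding is None:
            return False, "no DHCP lease for sender IP"
        if binding.mac != frame.sender_mac.lower():
            return False, "sender MAC does not match the lease"
        if binding.port != frame.ingress_port:
            return False, "lease was issued on a different port"
        return True, "matches DHCP lease"


def run_demo():
    """Constructed scenario on VLAN 2222: a gateway behind the uplink, two
    DHCP clients, and one client answering for addresses it does not hold.
    Returns {case name: forwarded?}."""
    sw = ArpProtectSwitch(trusted_ports=[51, 52], protected_vlans=[2222])
    sw.learn_dhcp_ack("00:11:22:33:44:aa", "10.22.22.10", 2222, port=3)
    sw.learn_dhcp_ack("00:11:22:33:44:bb", "10.22.22.11", 2222, port=7)

    cases = {
        # gateway's reply arrives over the trusted uplink: not inspected
        "gateway_via_uplink": ArpFrame("00:11:22:33:44:01", "10.22.22.1", 2222, 51),
        # client A answering with its own leased address
        "client_a_legit": ArpFrame("00:11:22:33:44:aa", "10.22.22.10", 2222, 3),
        # client B answering for the gateway's address: the poisoning case
        "b_claims_gateway": ArpFrame("00:11:22:33:44:bb", "10.22.22.1", 2222, 7),
        # client B answering for client A's address
        "b_claims_a": ArpFrame("00:11:22:33:44:bb", "10.22.22.10", 2222, 7),
        # statically addressed host on an untrusted port, no lease on record
        "static_host": ArpFrame("00:11:22:33:44:cc", "10.22.22.50", 2222, 9),
        # the same kind of frame on a VLAN that is not protected passes untouched
        "unprotected_vlan": ArpFrame("00:11:22:33:44:bb", "10.33.33.1", 3333, 7),
    }
    return {name: sw.check_arp(frame)[0] for name, frame in cases.items()}


if __name__ == "__main__":
    for name, forwarded in run_demo().items():
        print(f"{name:20s} {'forward' if forwarded else 'DROP'}")
```

The static_host case is the operational caveat worth planning for: a server or printer with a fixed address never appears in the snooping table, so its ARP traffic on an untrusted port is dropped until it is covered by a static binding entry or placed behind a trusted port. The unprotected_vlan case is the other side of the same point: protection is per VLAN, so a VLAN you forget to list gets no inspection at all.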

This is a very basic overview of dynamic ARP protection. Here are some diagrams to help explain what ARP poisoning is, and what ARP protection does to protect against it.

[Diagram: ARP poisoning]

[Diagram: ARP protection]

Use MRTG to graph traffic

So there you are, sitting there watching TV and looking at the blinking lights on your router.

Suddenly you think, “Man, if only there were a way I could record how many octets have flown across each managed interface. Then I could record those same numbers at a later time to determine the average traffic rate during that time-span.”

Luckily there is a simple tool called MRTG or Multi Router Traffic Grapher that will do just that.

First, you have to prepare the device(s) you want to monitor.

Whatever the device is, it needs to have SNMP capability. If it doesn’t, stop here because the rest of this tutorial will produce less than desirable results.

Set the SNMP read-only community string to something complicated. You can always copy and paste. Make sure SNMP is enabled and you should be good to go.

Now install MRTG.

Let's pretend you are on a Debian-based system and can install it from a repository.

sudo apt-get install mrtg

Now, you need to make sure the /etc/mrtg.cfg file is owned by the user that will run the cronjob.

sudo chown user-name /etc/mrtg.cfg

The config file itself can be quite cumbersome to edit by hand.

Good thing you won't have to. A special tool called cfgmaker is included to make the process easier.

Open up a blank text document that you can prepare this command in and save it for later modification.

Paste this in there:

cfgmaker --global 'WorkDir: /var/www/mrtg' \
--global 'Options[_]: bits' \
--show-op-down \
--no-down \
--noreversedns \
--zero-speed=100000000 \
--subdirs=HOSTNAME \
--output '/etc/mrtg.cfg' \
--community=somecomplexcommunitystring \
192.168.xxx.1 \
192.168.xxx.2 \
192.168.xxx.3 \
192.168.xxx.4

(Each option is explained at the end of this post.)

Modify the last lines with IP addresses of devices that you want to pull information from.

Then copy all of it and paste it into a terminal. Save the text file for later in case you want to add a device and need to generate a new configuration. Each time it runs, it overwrites the previous file. If you need to remove a device, just pull it from the list and rerun the commands.

The commands should run successfully without an error. If there is an error, it is generally because cfgmaker cannot communicate with your device using SNMP.

A quick way to verify that SNMP is giving information is with the following command. [SNMP must be installed (sudo apt-get install snmp)].

snmpwalk -v 2c -c communitystring xxx.xxx.xxx.xxx(device IP)

This should start spitting out a bunch of information. If it doesn’t, you either can’t communicate with your device, or SNMP isn’t enabled on it.

If everything ran without error, you should have an /etc/mrtg.cfg file that's ready to go. Make sure the same user that is going to run the program has rights to /var/www/mrtg as well. This is where all of the html pages and images will be created.

sudo mkdir /var/www/mrtg

sudo chown user-name /var/www/mrtg

Everything should be ready to go. Now you can add an entry to the user’s crontab for MRTG to run every 5 minutes.

crontab -e -u user-name

Choose an editor if you have to. Nano is easiest. Paste the following line in. Then save and quit.

*/5 * * * * env LANG=C /usr/bin/mrtg


After 5 minutes, you should start to see files in /var/www/mrtg.

If you don’t see anything, there is probably a permission error. Run the command manually to see what errors come back and adjust the permissions on the problem directories.

env LANG=C /usr/bin/mrtg

Once you see html and png files, you are ready to rock. It will take at least two runs before you get statistics, since MRTG is measuring the difference between octet counters from one run to the next.
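The "two runs" rule follows directly from how the numbers are produced, so here is an added example (not MRTG's own code) of the arithmetic behind each graph point. The poll samples are constructed: each is (unix time, ifInOctets, ifOutOctets) as a device would return them over SNMP. The rate is the difference between two octet counters divided by the elapsed time, multiplied by 8 when 'Options[_]: bits' is in effect, and the example also allows for the wrap of a 32-bit SNMP Counter32 object, which is the case that bites on busy links.

```python
"""What MRTG computes between two cron runs.

Added illustration, not MRTG's own code. SAMPLES is a constructed list of
(unix time, ifInOctets, ifOutOctets) polls; the functions reproduce the
counter-difference arithmetic the post describes.
"""

COUNTER32 = 1 << 32


def counter_delta(prev, curr, modulus=COUNTER32):
    """Octets counted between two readings, allowing for a single wrap.

    A Counter32 climbs to 2**32 - 1 and restarts at 0, so a reading lower
    than the previous one means the counter wrapped, not that traffic ran
    backwards.
    """
    return (curr - prev) % modulus


def rate(prev_sample, curr_sample, bits=True, modulus=COUNTER32):
    """Average (in, out) rate between two samples, in bit/s or byte/s."""
    t0, in0, out0 = prev_sample
    t1, in1, out1 = curr_sample
    elapsed = t1 - t0
    if elapsed <= 0:
        raise ValueError("samples must be in chronological order")
    scale = 8 if bits else 1          # 'Options[_]: bits' vs. plain bytes
    return (counter_delta(in0, in1, modulus) * scale / elapsed,
            counter_delta(out0, out1, modulus) * scale / elapsed)


def rates_from_samples(samples, bits=True, modulus=COUNTER32):
    """One (in, out) rate per consecutive pair of samples. N polls give
    N-1 points, which is why the first cron run cannot draw anything."""
    return [rate(a, b, bits, modulus) for a, b in zip(samples, samples[1:])]


def max_unambiguous_rate(interval_s, modulus=COUNTER32):
    """Highest sustained bit/s a counter can carry before it may wrap more
    than once inside one polling interval, after which the delta is
    ambiguous. IF-MIB's 64-bit ifHCInOctets/ifHCOutOctets avoid this."""
    return (modulus - 1) * 8 / interval_s


# Constructed samples: three polls, 5 minutes apart, of one interface.
# The out counter wraps between the second and third poll.
SAMPLES = [
    (1_700_000_000, 1_000_000, 4_294_900_000),
    (1_700_000_300, 4_750_000, 4_294_960_000),
    (1_700_000_600, 4_760_000, 40_000),
]

if __name__ == "__main__":
    pairs = zip(SAMPLES, SAMPLES[1:], rates_from_samples(SAMPLES))
    for (t_prev, _, _), (t_cur, _, _), (rx, tx) in pairs:
        print(f"{t_prev}->{t_cur}: in {rx:,.0f} bit/s  out {tx:,.0f} bit/s")
    limit = max_unambiguous_rate(300) / 1e6
    print(f"Counter32 stays unambiguous up to {limit:.1f} Mbit/s at 5-minute polls")
```

At a 5-minute interval a 32-bit counter is only unambiguous up to roughly 114 Mbit/s sustained, so on gigabit links a busy interface can wrap several times between two cron runs and the graph will quietly under-report; since the post already queries devices with SNMP version 2c, the 64-bit ifHCInOctets/ifHCOutOctets counters are available where the device supports them.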

These files are obviously best viewed with a browser. They are just basic html files so a web server doesn’t need much configuration to serve them. Just set the home directory to /var/www/mrtg and make yourself a nice little index.html page that links to the interesting interfaces.

The WorkDir option tells it where the html and image files will be created.

The --global 'Options[_]: bits' option uses bits instead of bytes. All link speeds are measured in bits, and file sizes are generally measured in bytes.

The --show-op-down option tells it to include interfaces that are operationally down. That way, if an interface comes online, cfgmaker doesn't need to be executed again.
The --no-down option covers more than operationally down. All interfaces will be graphed regardless of their status.
The --noreversedns option tells it not to bother attempting a reverse look-up of the IP addresses of your network equipment.
The --zero-speed=100000000 option tells it to assume the speed is 100 Mbit/s if the device returns a speed of 0.
The --subdirs=HOSTNAME option determines how the html and image files will be organized. Each device will have its own folder based on its hostname, or its IP address if no hostname is given.
The --output '/etc/mrtg.cfg' option tells it where to save the mrtg config file. This is the default location mrtg checks when it is run.
The --community=somecomplexcommunitystring option tells it what SNMP community string to use when attempting to contact the device.

All of the options are available here. http://oss.oetiker.ch/mrtg/doc/cfgmaker.en.html

Here are a couple example shots. They are both from a relatively fresh install. One is from an access point running dd-wrt and one is from a firewall running pfSense.

[Image: FirewallGraph]

[Image: WifiGraph]