Network Switch - Configure Anti-ARP Scan [to prevent IP scanning]

In this example, we will use Anti-ARP Scan to prevent attackers from identifying all network devices in the local area network. ARP scanning is a method in which an attacker sends a large number of ARP request packets within a very short period of time, flooding the entire broadcast domain; the replies reveal which devices are present in the LAN.

IP Scanning from Wired and Wireless Devices

1. Configuration steps

2. Test the result

3. What could go wrong?

1. Configuration steps

  • Access the switch’s web GUI.
  • Go to Advance Application > Anti-Arpscan > Configure.
    Check the Active box and configure the uplink port (port 24) as “Trusted”. Click Apply.

-Optional-

  • Go to Advance Application > Errdisable > Errdisable Recovery.
    Check the Active box and activate anti-arpscan. Click Apply.

2. Test the result

  • Download and install an IP Scanning software into Host-A and Host-C.
  • Connect Host-A and Host-B via the Wireless Access

  • Host-A should initiate a scan for IP address 192.168.1.1 to 192.168.1.20.
  • Host-A should no longer be able to reach the USG

  • Access the Switch’s Web GUI. Go to Advance Application > Anti-Arpscan > Host Status. An entry for Host-A should appear with an “Err-Disable”

  • Host-B should still be able to reach the USG
  • Connect Host-C to the USG
  • Host-C should perform a quick scan for IP address 192.168.1.1 to 192.168.1.100.

  • Host-C should no longer be able to reach the

  • Access the Switch’s Web GUI. Go to Advance Application > Anti-Arpscan. Port 2 should now be in an Err-disabled

3. What could go wrong?

If access to servers or the local gateway is no longer possible after enabling Anti-Arpscan, make sure that only ports directly connected to hosts or Wireless Access Points are “untrusted”. Ports to servers and the local gateway should be “trusted”.

If all hosts connected through a Wireless Access Point can no longer reach the local gateway, check whether the port to the Wireless Access Point has changed to the err-disable state in Advance Application > Anti-Arpscan.

If so, consider increasing the Port Threshold in Advance Application > Anti-Arpscan > Configure.
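The following is an added example that models the behaviour described in this article (it is not Zyxel's code and does not reproduce the switch's actual algorithm): ARP requests are counted per host and per port inside a sliding window, a host that exceeds the Host Threshold is blocked on its own, a port that exceeds the Port Threshold goes err-disabled as a whole (which is why every client behind an Access Point loses connectivity), trusted ports are exempt, and an Errdisable Recovery timer re-enables the entry. The threshold values, the one-second window, the recovery time and the traffic in `simulate()` are all assumed.

```python
from collections import defaultdict, deque

class AntiArpScan:
    """Per-host and per-port ARP-request rate limiter with err-disable and timed recovery."""
    def __init__(self, trusted_ports, host_threshold=100, port_threshold=100,
                 window_s=1.0, recovery_s=300.0):
        self.trusted = set(trusted_ports)     # uplink/server/gateway ports: never disabled
        self.host_threshold = host_threshold  # ARP requests per window from one MAC (assumed)
        self.port_threshold = port_threshold  # ARP requests per window on one port (assumed)
        self.window_s = window_s
        self.recovery_s = recovery_s          # errdisable-recovery interval (assumed)
        self.host_hits = defaultdict(deque)   # (port, mac) -> request timestamps
        self.port_hits = defaultdict(deque)   # port -> request timestamps
        self.disabled = {}                    # port or (port, mac) -> time it was disabled

    def _count(self, dq, now):
        dq.append(now)
        while now - dq[0] > self.window_s:    # forget requests older than the window
            dq.popleft()
        return len(dq)

    def _recover(self, now):
        for key, since in list(self.disabled.items()):
            if now - since >= self.recovery_s:
                del self.disabled[key]

    def observe(self, now, port, src_mac):
        """Feed one ARP request; return 'forward', 'drop', 'host-errdisable' or 'port-errdisable'."""
        self._recover(now)
        if port in self.trusted:
            return "forward"
        if port in self.disabled or (port, src_mac) in self.disabled:
            return "drop"
        if self._count(self.port_hits[port], now) > self.port_threshold:
            self.disabled[port] = now         # whole port goes err-disabled
            return "port-errdisable"
        if self._count(self.host_hits[(port, src_mac)], now) > self.host_threshold:
            self.disabled[(port, src_mac)] = now  # only this host is blocked
            return "host-errdisable"
        return "forward"

def simulate(host_threshold=20):
    """Constructed traffic: Host-A fires host_threshold + 1 requests behind an AP on port 1
    while Host-B on the same port stays quiet; uplink port 24 is trusted; recovery after 60 s."""
    d = AntiArpScan(trusted_ports={24}, host_threshold=host_threshold, recovery_s=60.0)
    log = [d.observe(0.1 + i * 0.001, 1, "aa:aa") for i in range(host_threshold + 1)]
    log.append(d.observe(0.5, 1, "bb:bb"))     # Host-B unaffected (host-level err-disable)
    log.append(d.observe(0.6, 1, "aa:aa"))     # Host-A still blocked
    log.append(d.observe(0.7, 24, "gw:gw"))    # trusted uplink never rate-limited
    log.append(d.observe(61.0, 1, "aa:aa"))    # err-disable recovery has expired
    return log
```

Raising the Port Threshold in this model while keeping the Host Threshold low is what lets a single scanning client behind an Access Point be blocked without taking the whole AP port down.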
