Dynamic ARP Inspection
ARP (Address Resolution Protocol) it’s a communication
protocol. Networking devices are used for discovering MAC (media access control)
addresses, associating with an IPv4 address (internet layer address), and mapping the
MAC addresses to IPv4 addresses, this mapping is done dynamically and stored in
the ARP cache. ARP works between layer 2 and layer 3 of the OSI because the MAC
address exists on the data link layer and the IP address exists on the network
layer. In other words, Address Resolution Protocol (ARP) is a Layer 2 protocol that maps an IP
address (Layer 3) to a MAC address (Layer 2).
DAI dynamic ARP inspection is a security feature that is
used to protect ARP from ARP poisoning attacks. DAI checks all ARP packets on an untrusted interface and by default all the interfaces are untrusted and these
untrusted interfaces undergo DAI validation. DAI compares the information in the
ARP packets received on an untrusted port with the DHCP snooping database and ARP access list. Once the information is matched it will forward but if not match, it
will discard ARP packets with invalid MAC addresses to IP address bindings. This is
how DAI prevent ARP Poisoning (man-in-the-middle) attack by intercepting all ARP request and
responses. DIA verified for valid MAC address to IP address binding before the packet
is forwarded to the destination.
An attacker may also send a large number of ARP messages and
harm our switch CPU utilization. In order to prevent this attack, we need to
limit the Dynamic ARP inspection message rate and interval. after implementing DAI some services may break, such as proxy ARP but there is a solution, configure some ports as trusted for DAI.
Let’s see the configuration to get a better understanding.
Topology: -
- configure the topology as per the diagram
- configure VLAN 100, name DAI
- assign all the active ports in VLAN 100
- configure Portfast on all the active access port
- configure the IP address on fa0/0 192.168.1.1/24
- configure DHCP server the IP 192.168.1.0/24
- configure DNS IP 192.168.1.80
- configure Eth 1/0 trusted for DHCP
- configure switch to prevent ARP poisoning attack on VLAN 100
- configure DHCP snooping on VLAN 100
- make sure PC ethernet 0/2 by pass DAI inspection and ping default gateway
- configure the ARP access list and bind the IP to MAC for untrusted active ports
- make sure all the untrusted ports undergo the inspection.
- configure ARP inspection interval and message rate 8 limit
configure VLAN 100, name DAI
switch1(config)#vlan 100
switch1(config-vlan)#name DAI
switch1(config-vlan)#exit
switch1(config)#end
switch1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et0/0, Et0/1, Et0/2, Et0/3
Et1/0, Et1/1, Et1/2, Et1/3
Et2/0, Et2/1, Et2/2, Et2/3
Et3/0, Et3/1, Et3/2, Et3/3
100 DAI active
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
assign all the active ports in VLAN 100 and configure Portfast on all the active access port
switch1(config)#interface range ethernet 0/0-3
switch1(config-if-range)#switchport mode access
switch1(config-if-range)#switchport access vlan 100
switch1(config-if-range)#spanning-tree portfast
switch1(config-if-range)#exit
%Warning: portfast should only be enabled on ports connected to a single
host. Connecting hubs, concentrators, switches, bridges, etc... to this
interface when portfast is enabled, can cause temporary bridging loops.
Use with CAUTION
%Portfast will be configured in 4 interfaces due to the range command
but will only have effect when the interfaces are in a non-trunking mode.
switch1(config)#interface ethernet 1/0
switch1(config-if)#switchport access vlan 100
switch1(config-if)#exit
switch1(config)#end
switch1#show vlan brief
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Et1/1, Et1/2, Et1/3, Et2/0
Et2/1, Et2/2, Et2/3, Et3/0
Et3/1, Et3/2, Et3/3
100 DAI active Et0/0, Et0/1, Et0/2, Et0/3
Et1/0
1002 fddi-default act/unsup
1003 token-ring-default act/unsup
1004 fddinet-default act/unsup
1005 trnet-default act/unsup
configure the IP address on the router (DHCP SERVER) fa0/0 192.168.1.1/24
R1(config)#interface fastEthernet 0/0
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
configure DHCP server the IP 192.168.1.0/24 and configure DNS IP 192.168.1.80
R1(config)#hostname IP_DHCP_SERVER_
IP_DHCP_SERVER_(config)#ip dhcp pool DHCP_SERVER
IP_DHCP_SERVER_(dhcp-config)#network 192.168.1.0 255.255.255.0
IP_DHCP_SERVER_(dhcp-config)#default-router 192.168.1.1
IP_DHCP_SERVER_(dhcp-config)#dns-server 192.168.1.80
IP_DHCP_SERVER_(dhcp-config)#exit
IP_DHCP_SERVER_(config)#ip dhcp excluded-address 192.168.1.1
IP_DHCP_SERVER_(config)#ip dhcp excluded-address 192.168.1.80
IP_DHCP_SERVER_(config)#exit
configure Eth 1/0 trusted for DHCP and configure snooping
switch1(config)#ip dhcp snooping vlan 100
switch1(config)#ip dhcp snooping information option
switch1(config)#interface ethernet 1/0
switch1(config-if)#ip dhcp snooping trust
switch1(config-if)#exit
(From PC 1)
PC1> ip dhcp
DDORA IP 192.168.1.2/24 GW 192.168.1.1
PC1> show ip
NAME : PC1[1]
IP/MASK : 192.168.1.2/24
GATEWAY : 192.168.1.1
DNS : 192.168.1.80
DHCP SERVER : 192.168.1.1
DHCP LEASE : 86395, 86400/43200/75600
MAC : 00:50:79:66:68:02
LPORT : 10008
RHOST:PORT : 127.0.0.1:10009
MTU: : 1500
(From PC 2)
PC2> ip dhcp
DDORA IP 192.168.1.3/24 GW 192.168.1.1
PC2> show ip
NAME : PC2[1]
IP/MASK : 192.168.1.3/24
GATEWAY : 192.168.1.1
DNS : 192.168.1.80
DHCP SERVER : 192.168.1.1
DHCP LEASE : 86341, 86400/43200/75600
MAC : 00:50:79:66:68:01
LPORT : 10010
RHOST:PORT : 127.0.0.1:10011
MTU: : 1500
NAME : PC2[1]
IP/MASK : 192.168.1.3/24
GATEWAY : 192.168.1.1
DNS : 192.168.1.80
DHCP SERVER : 192.168.1.1
DHCP LEASE : 86341, 86400/43200/75600
MAC : 00:50:79:66:68:01
LPORT : 10010
RHOST:PORT : 127.0.0.1:10011
MTU: : 1500
(From PC 3)
PC3> ip dhcp
DDORA IP 192.168.1.4/24 GW 192.168.1.1
PC3> show ip
NAME : PC3[1]
IP/MASK : 192.168.1.4/24
GATEWAY : 192.168.1.1
DNS : 192.168.1.80
DHCP SERVER : 192.168.1.1
DHCP LEASE : 86368, 86400/43200/75600
MAC : 00:50:79:66:68:00
LPORT : 10012
RHOST:PORT : 127.0.0.1:10013
MTU: : 1500
PC4> ip dhcp
DDORA IP 192.168.1.5/24 GW 192.168.1.1
PC4> show ip
NAME : PC4[1]
IP/MASK : 192.168.1.5/24
GATEWAY : 192.168.1.1
DNS : 192.168.1.80
DHCP SERVER : 192.168.1.1
DHCP LEASE : 86397, 86400/43200/75600
MAC : 00:50:79:66:68:03
LPORT : 10007
RHOST:PORT : 127.0.0.1:10014
MTU: : 1500
(On Router)
IP_DHCP_SERVER_#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address Client-ID/ Lease expiration Type
Hardware address/
User name
192.168.1.2 0100.5079.6668.02 Oct 02 2023 03:55 PM Automatic
192.168.1.3 0100.5079.6668.01 Oct 02 2023 03:57 PM Automatic
192.168.1.4 0100.5079.6668.00 Oct 02 2023 03:57 PM Automatic
192.168.1.5 0100.5079.6668.03 Oct 02 2023 04:00 PM Automatic
IP_DHCP_SERVER_#show ip dhcp pool
Pool DHCP_SERVER :
Utilization mark (high/low) : 100 / 0
Subnet size (first/next) : 0 / 0
Total addresses : 254
Leased addresses : 4
Pending event : none
1 subnet is currently in the pool :
Current index IP address range Leased addresses
192.168.1.6 192.168.1.1 - 192.168.1.254 4
(Before configuring ARP inspection DAI)
PC1> ping 192.168.1.5
84 bytes from 192.168.1.5 icmp_seq=1 ttl=64 time=2.620 ms
84 bytes from 192.168.1.5 icmp_seq=2 ttl=64 time=1.628 ms
84 bytes from 192.168.1.5 icmp_seq=3 ttl=64 time=1.110 ms
84 bytes from 192.168.1.5 icmp_seq=4 ttl=64 time=2.384 ms
84 bytes from 192.168.1.5 icmp_seq=5 ttl=64 time=1.534 ms
PC2> ping 192.168.1.4
84 bytes from 192.168.1.4 icmp_seq=1 ttl=64 time=2.707 ms
84 bytes from 192.168.1.4 icmp_seq=2 ttl=64 time=2.670 ms
84 bytes from 192.168.1.4 icmp_seq=3 ttl=64 time=1.962 ms
84 bytes from 192.168.1.4 icmp_seq=4 ttl=64 time=1.380 ms
84 bytes from 192.168.1.4 icmp_seq=5 ttl=64 time=2.463 ms
PC3> ping 192.168.1.2
84 bytes from 192.168.1.2 icmp_seq=1 ttl=64 time=2.249 ms
84 bytes from 192.168.1.2 icmp_seq=2 ttl=64 time=1.912 ms
84 bytes from 192.168.1.2 icmp_seq=3 ttl=64 time=1.970 ms
84 bytes from 192.168.1.2 icmp_seq=4 ttl=64 time=1.298 ms
84 bytes from 192.168.1.2 icmp_seq=5 ttl=64 time=1.464 ms
PC4> ping 192.168.1.1
84 bytes from 192.168.1.1 icmp_seq=1 ttl=255 time=31.796 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=255 time=30.672 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=255 time=32.262 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=255 time=32.742 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=255 time=15.686 ms
(As you can see all the PCs are able to communicate with each other)
configure switch to prevent ARP poisoning attack on VLAN 100
switch1(config)#ip arp inspection vlan 100
PC1> ping 192.168.1.5
host (192.168.1.5) not reachable
PC1> ping 192.168.1.4
host (192.168.1.4) not reachable
*Oct 1 10:38:45.300: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.5/10:38:44 UTC Sun Oct 1 2023])
*Oct 1 10:38:46.305: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.5/10:38:45 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:38:47.309: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.5/10:38:46 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:38:53.394: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.4/10:38:52 UTC Sun Oct 1 2023])
*Oct 1 10:38:54.408: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.4/10:38:53 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:38:55.409: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.4/10:38:54 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:39:15.637: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.1/10:39:15 UTC Sun Oct 1 2023])
*Oct 1 10:39:16.641: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.1/10:39:16 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:39:17.664: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.1/10:39:17 UTC Sun Oct 1 2023])
*Oct 1 10:38:46.305: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.5/10:38:45 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:38:47.309: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.5/10:38:46 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:38:53.394: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.4/10:38:52 UTC Sun Oct 1 2023])
*Oct 1 10:38:54.408: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.4/10:38:53 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:38:55.409: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.4/10:38:54 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:39:15.637: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.1/10:39:15 UTC Sun Oct 1 2023])
*Oct 1 10:39:16.641: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.1/10:39:16 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:39:17.664: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.1/10:39:17 UTC Sun Oct 1 2023])
(you can see the result)
PC3> show ip
NAME : PC3[1]
IP/MASK : 192.168.1.4/24
GATEWAY : 192.168.1.1
DNS : 192.168.1.80
DHCP SERVER : 192.168.1.1
DHCP LEASE : 84429, 86400/43200/75600
MAC : 00:50:79:66:68:00
LPORT : 10012
RHOST:PORT : 127.0.0.1:10013
MTU: : 1500
PC3> ping 192.168.1.3
host (192.168.1.3) not reachable
PC3> ping 192.168.1.5
host (192.168.1.5) not reachable
PC3> ping 192.168.1.2
host (192.168.1.2) not reachable
(make sure PC ethernet 0/2 by pass DAI inspection and ping default gateway)
switch1(config)#interface ethernet 0/2
switch1(config-if)#ip arp inspection trust
switch1(config-if)#exit
PC3> ping 192.168.1.1
84 bytes from 192.168.1.1 icmp_seq=1 ttl=255 time=33.949 ms
84 bytes from 192.168.1.1 icmp_seq=2 ttl=255 time=31.255 ms
84 bytes from 192.168.1.1 icmp_seq=3 ttl=255 time=33.249 ms
84 bytes from 192.168.1.1 icmp_seq=4 ttl=255 time=16.617 ms
84 bytes from 192.168.1.1 icmp_seq=5 ttl=255 time=17.280 ms
switch1#show ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Et0/0 Untrusted 15 1
Et0/1 Untrusted 15 1
Et0/2 Trusted None N/A
Et0/3 Untrusted 15 1
(as you can see PC3 bypasses the DAI inspection because we configure the port trusted)
configure the ARP access list bind the IP to MAC for untrusted active ports and make sure all the untrusted ports undergo the inspection.
switch1(config)#arp access-list ARP-ACL-VLAN100
switch1(config-arp-nacl)#permit ip host 192.168.1.2 mac host 00:50:79:66:68:02 log
switch1(config-arp-nacl)#permit ip host 192.168.1.3 mac host 00:50:79:66:68:01 log
switch1(config-arp-nacl)#permit ip host 192.168.1.5 mac host 00:50:79:66:68:03 log
switch1(config-arp-nacl)#exit
switch1#show arp access-list ARP-ACL-VLAN100
ARP access list ARP-ACL-VLAN100
permit ip host 192.168.1.2 mac host 0050.7966.6802 log
permit ip host 192.168.1.3 mac host 0050.7966.6801 log
permit ip host 192.168.1.5 mac host 0050.7966.6803 log
switch1(config)#ip arp inspection vlan 100
switch1(config)#ip arp inspection filter ARP-ACL-VLAN100 vlan 100
switch1(config)#end
switch1#show ip arp inspection vlan 100
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
100 Enabled Active ARP-ACL-VLAN100 No
Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
100 Deny Deny Off
switch1#show ip arp inspection statistics
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
100 50 69 69 0
switch1#show ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Et0/0 Untrusted 15 1
Et0/1 Untrusted 15 1
Et0/2 Trusted None N/A
Et0/3 Untrusted 15 1
Et1/0 Trusted None N/A
Et1/1 Untrusted 15 1
Et1/2 Untrusted 15 1
Et1/3 Untrusted 15 1
Et2/0 Untrusted 15 1
Et2/1 Untrusted 15 1
Et2/2 Untrusted 15 1
Et2/3 Untrusted 15 1
Et3/0 Untrusted 15 1
Et3/1 Untrusted 15 1
Et3/2 Untrusted 15 1
Et3/3 Untrusted 15 1
(now let ping from PC 1 to all PCs)
PC1> ping 192.168.1.3
84 bytes from 192.168.1.3 icmp_seq=1 ttl=64 time=3.416 ms
84 bytes from 192.168.1.3 icmp_seq=2 ttl=64 time=2.876 ms
84 bytes from 192.168.1.3 icmp_seq=3 ttl=64 time=3.075 ms
84 bytes from 192.168.1.3 icmp_seq=4 ttl=64 time=2.928 ms
84 bytes from 192.168.1.3 icmp_seq=5 ttl=64 time=3.170 ms
PC1> ping 192.168.1.4
84 bytes from 192.168.1.4 icmp_seq=1 ttl=64 time=4.271 ms
84 bytes from 192.168.1.4 icmp_seq=2 ttl=64 time=2.606 ms
84 bytes from 192.168.1.4 icmp_seq=3 ttl=64 time=3.097 ms
84 bytes from 192.168.1.4 icmp_seq=4 ttl=64 time=3.117 ms
84 bytes from 192.168.1.4 icmp_seq=5 ttl=64 time=3.303 ms
PC1> ping 192.168.1.5
84 bytes from 192.168.1.5 icmp_seq=1 ttl=64 time=2.388 ms
84 bytes from 192.168.1.5 icmp_seq=2 ttl=64 time=3.150 ms
84 bytes from 192.168.1.5 icmp_seq=3 ttl=64 time=2.495 ms
84 bytes from 192.168.1.5 icmp_seq=4 ttl=64 time=2.874 ms
84 bytes from 192.168.1.5 icmp_seq=5 ttl=64 time=2.822 ms
(as you can see after the DAI inspection switch allow the packets)
switch1(config)#interface ethernet 0/2
switch1(config-if)#ip arp inspection limit rate 8 burst interval 4
switch1(config-if)#exit
switch1#show ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Et0/0 Untrusted 15 1
Et0/1 Untrusted 15 1
Et0/2 Trusted 8 4
Et0/3 Untrusted 15 1
Et1/0 Trusted None N/A
Et1/1 Untrusted 15 1
Et1/2 Untrusted 15 1
Et1/3 Untrusted 15 1
Et2/0 Untrusted 15 1
Et2/1 Untrusted 15 1
Et2/2 Untrusted 15 1
Et2/3 Untrusted 15 1
Et3/0 Untrusted 15 1
Et3/1 Untrusted 15 1
Et3/2 Untrusted 15 1
Et3/3 Untrusted 15 1
No comments:
Post a Comment