Securing Switch Access

Part-2:
Dynamic ARP Inspection
www.ine.com
 Dynamic ARP Inspection
What problem does it solve?
Web Server
ARP
Unsolicited ARP Request
Response
Response for(1.1.1.3
(1.1.1.3 1.1.1.3
= = MAC
MAC BB) CC)
A Traffic Flow
Port-3
Port-1

1.1.1.1 Port-2
MAC = AA
1.1.1.3
CC
1.1.1.3 = MAC BB MAC = CC

1.1.1.2 Packet
MAC = BB Generator
Now Ill forward
Ill change my IPyour
to
captured traffic
1.1.1.3 and spoof thatso you
never even know I was
server!
Malicious/Evil Person! watching!!

Copyright www.ine.com
 Dynamic ARP Inspection
DAI verifies ARP requests-and-replies by inspecting
them against entries in the DHCP Snooping Binding
Database.
No match? Drop the ARP and log message!

Can also match against static ARP ACL entries for

devices with static IP addresses.

Copyright www.ine.com
 DAI Terminology
DAI Trusted
Port
DAI Untrusted
Ports
A VLAN-X VLAN-X Static IP
Port-1 Port-3

VLAN-X Port-2

DHCP Snooping Binding Database

Client MAC = 00.02.aa.bb.cc.dd / Port 0/1
Client IP = 1.1.1.1 /24 (dynamic)
Lease Time = 24-hours

Malicious/Evil Person!

Copyright www.ine.com
 DAI - Configuration
Only two commands needed!
Switch(config)# ip arp inspection vlan <vlan-id>
Switch(config-if)# ip arp inspection trust

Copyright www.ine.com
 DAI Configuration of Static Entries
Creating a Static ARP ACL:
Switch(config)# arp access-list <name>
Switch(config-acl)# permit ip host <ip-addr> mac host
<mac-addr>
Applying Static ARP ACL
Switch(config)# ip arp inspection filter <arp-acl-name>
vlan <vlan-id> [static]

Copyright www.ine.com
 DAI What gets checked?
ARP Frame Format
H/W Type Protocol
Dest MAC Src MAC Type H/W Protocol Op Sender Sender Target Target
(0x01) Type
Addr Addr (0x0806) Size Size Code MAC IP Addr MAC IP Addr
Ethernet (0x0800)

When DAI is enabled, an ARP is considered

valid if Sender <MAC, IP, VLAN> triplet is valid
Additional Option:
Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}

Copyright www.ine.com
 DAI Rate Limiting
Excessive ARP Requests can be another form
of DOS.
DAI default = Limit ARPs to 15pps.
(config-if)# ip arp inspection limit rate <0-2048>

Trusted interfaces are not rate-limited

(inbound).
Copyright www.ine.com
 Verifying Dynamic ARP Inspection

Copyright www.ine.com
 Verifying Dynamic ARP Inspection

Copyright www.ine.com