
DAI (Dynamic ARP Inspection) | NetworkLessons.com

Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution
Protocol), which is vulnerable to attacks like ARP poisoning.

DAI checks all ARP packets on untrusted interfaces: it compares the information in the ARP
packet with the DHCP snooping database and/or an ARP access-list. If the information in the
ARP packet doesn't match, the packet is dropped. In this lesson I'll show you how to configure
DAI. Here's the topology we will use:

Above we have four devices: the router on the left side called "host" will be a DHCP client, the
router on the right side is our DHCP server, and on top we have a router that will be used as
an attacker. The switch in the middle will be configured for dynamic ARP inspection.

Configuration



We'll start with the switch. First we need to make sure that all interfaces are in the same VLAN:

SW1(config)#interface range fa0/1 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 123
SW1(config-if-range)#spanning-tree portfast

Now we can configure DHCP snooping:

SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 123
SW1(config)#no ip dhcp snooping information option

The commands above enable DHCP snooping globally and for VLAN 123, and disable the
insertion of option 82 in DHCP packets. Don't forget to make the interface that connects to
the DHCP server trusted:

SW1(config)#interface FastEthernet 0/3
SW1(config-if)#ip dhcp snooping trust


The switch will now keep track of DHCP messages. Let's configure a DHCP server on the
router on the right side:

DHCP(config)#ip dhcp pool MY_POOL
DHCP(dhcp-config)#network 192.168.1.0 255.255.255.0

That’s all we need, let’s see if the host is able to get an IP address:

HOST(config)#interface FastEthernet 0/0
HOST(config-if)#ip address dhcp

A few seconds later we see this message:

%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname HOST

Let’s check if our switch has stored something in the DHCP snooping database:

SW1#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1D:A1:8B:36:D0   192.168.1.1      86330       dhcp-snooping  123   FastEthernet0/1
Total number of bindings: 1

There it is, an entry with the MAC address and IP address of our host. Now we can continue
with the configuration of DAI. There's only one command required to activate it:

SW1(config)#ip arp inspection vlan 123

The switch will now check all ARP packets on untrusted interfaces; all interfaces are untrusted
by default. Let's see if this will work or not. I'll configure the IP address of our host on our
attacker:

ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#ip address 192.168.1.1 255.255.255.0

Now let’s see what happens when we try to send a ping from the attacker to our DHCP router:

ATTACK#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping is failing…what does our switch think of this?

SW1#
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:08 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])

Above you can see that all ARP requests from our attacker are dropped. The switch checks the
information found in the ARP request and compares it with the information in the DHCP
snooping database. Since it doesn't match, these packets are discarded. You can find the
number of dropped ARP packets with the following command:

SW1#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  123     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
  123              0              5              5              0

 Vlan   DHCP Permits   ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------   -----------  -------------   -------------------
  123              0             0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
  123                   0                        0                       0

Above you see the number of drops increase. So far so good, our attacker has been stopped.
We still have one problem though. Let me first shut the interface on our attacker before we
continue:

ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#shutdown

Let me show you what happens when we try to send a ping from the host to our DHCP router:

HOST#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This ping is failing, but why? We are not spoofing anything. Here's what the switch tells us:

SW1#
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:48 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:50 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:52 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:54 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:56 UTC Tue Mar 2 1993])

Our switch is dropping ARP replies from the DHCP router to our host. Since the DHCP router
has no idea how to reach the host, the ping is failing:

HOST#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   001d.a18b.36d0  ARPA   FastEthernet0/0
Internet  192.168.1.254           0   Incomplete      ARPA

DHCP#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             0   001d.a18b.36d0  ARPA   FastEthernet0/0
Internet  192.168.1.254           -   0016.c7be.0ec8  ARPA   FastEthernet0/0

Why is the switch dropping the ARP reply? The problem is that the DHCP router is using a
static IP address. DAI checks the DHCP snooping database for all packets that arrive on
untrusted interfaces, and when it doesn't find a match, the ARP packet is dropped. To fix this, we
need to create a static entry for our DHCP router:

SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8

First we create an ARP access-list with a permit statement for the IP address and MAC address
of the DHCP router. Now we need to apply this to DAI:

SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123 ?
  static  Apply the ACL statically

We use the ip arp inspection filter command for this, but you have to be careful: if you use
the "static" parameter, we tell the switch not to check the DHCP snooping database. It
will only check our ARP access-list, and when it doesn't find an entry, the ARP packet will be
dropped. Make sure you add the filter without the static parameter:

SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123

There we go. The switch will now check the ARP access-list first, and when it doesn't find a
match, it will check the DHCP snooping database. Let's try that ping again:

HOST#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Excellent, our ping is now working because of the static entry for the DHCP router. Another
way to deal with this issue is to configure the interface as trusted. DAI will allow all ARP
packets on trusted interfaces:

SW1(config)#interface FastEthernet 0/3
SW1(config-if)#ip arp inspection trust

Anything else we can do with DAI? There are some additional security checks you can enable
if you want:

SW1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address

Here’s what these options mean:

dst-mac: checks the destination MAC address in the Ethernet header against the target MAC
address in the ARP packet. This check is performed for ARP replies. ARP replies with
different MAC addresses will be dropped.

ip: checks for invalid and unexpected IP addresses, for example 0.0.0.0, 255.255.255.255
and multicast addresses.

src-mac: checks the source MAC address in the Ethernet header against the sender's MAC
address in the ARP packet. This check is performed for both ARP requests and replies. ARP
packets with different MAC addresses will be dropped.

You can only enable one of these options at the same time. Here's an example of how to enable
the dst-mac check:

SW1(config)#ip arp inspection validate dst-mac
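As an added example (not part of this lesson and not Cisco's code), the Python below models the decision DAI makes for one ARP packet, following the order described in the sections on the ARP access-list, the static parameter and the validate options: a trusted port is not inspected, the optional src-mac/dst-mac/ip checks run first, then the ARP access-list, and only without "static" does a miss fall through to the DHCP snooping database. The binding, ACL entry and packets are constructed from the lesson's MAC and IP addresses; the ip check's treatment of the target address (replies only) is taken from Cisco's documentation rather than from this lesson.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the lesson: the host's DHCP snooping binding and the
# ARP access-list entry for the DHCP router, both as (sender MAC, sender IP).
DHCP_SNOOPING_BINDINGS = {("001d.a18b.36d0", "192.168.1.1")}
ARP_ACL_DHCP_ROUTER = {("0016.c7be.0ec8", "192.168.1.254")}


@dataclass
class ArpPacket:
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    op: str          # "Req" or "Res", as the switch log labels them
    sender_mac: str  # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def _bad_ip(ip):
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast


def dai_verdict(pkt, trusted=False, acl=None, static=False, validate=()):
    """Return (action, reason) for one ARP packet arriving on an access port.
    Order modelled on the lesson: trusted port -> validate checks -> ARP ACL ->
    DHCP snooping database (skipped when the ACL was applied with 'static')."""
    if trusted:
        return ("permit", "trusted interface, not inspected")
    for check in validate:
        if check == "src-mac" and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return ("drop", "src-mac: Ethernet source != ARP sender MAC")
        if check == "dst-mac" and pkt.op == "Res" and pkt.eth_dst.lower() != pkt.target_mac.lower():
            return ("drop", "dst-mac: Ethernet destination != ARP target MAC")
        # Sender IP is checked in requests and replies, target IP only in
        # replies (Cisco's documented behaviour; not spelled out in the lesson).
        if check == "ip" and (_bad_ip(pkt.sender_ip) or (pkt.op == "Res" and _bad_ip(pkt.target_ip))):
            return ("drop", "ip: invalid or unexpected IP address")
    key = (pkt.sender_mac.lower(), pkt.sender_ip)
    if acl is not None:
        if key in acl:
            return ("permit", "ARP access-list match")
        if static:
            return ("drop", "ARP access-list miss; static, so the DB is not checked")
    if key in DHCP_SNOOPING_BINDINGS:
        return ("permit", "DHCP snooping binding match")
    return ("drop", "DHCP_SNOOPING_DENY: no binding for sender MAC/IP")
```

Feeding it the attacker's request from Fa0/2 and the DHCP router's reply from Fa0/3 reproduces both DENY situations from the lesson, and the same reply is permitted once the ACL is applied without "static" or the port is trusted.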

Last but not least, we can also configure ARP rate-limiting. By default there is a limit of 15 pps
for ARP traffic on untrusted interfaces. Here's how you can change it:

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#ip arp inspection limit rate 10

This interface now only allows 10 ARP packets per second.

Conclusion
That's all we have for DAI (Dynamic ARP Inspection). It's a nice security feature, but make sure
that you have ARP access-lists in place for all devices with static IP addresses before you
enable this. You don't want to block most of your traffic after enabling this.
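The %SW_DAI-4-DHCP_SNOOPING_DENY messages shown earlier are the quickest way to see which devices are being blocked after DAI is turned on. As an added example (my own code, not part of the lesson or of Cisco IOS), the parser below reads those messages and sorts the denied senders into IPs whose binding names a different MAC (the attacker's requests) and IPs with no binding at all (static-IP devices such as the DHCP router, which need an ARP access-list entry or a trusted port). The sample log is constructed from the lesson's output; the bindings argument is a constructed IP-to-MAC map taken from the snooping binding table.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the lesson's DENY messages, one per line
# (the attacker's requests on Fa0/2 and the DHCP router's replies on Fa0/3).
SAMPLE_LOG = """\
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:08 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:48 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:50 UTC Tue Mar 2 1993])
"""

# Field order inside the brackets, as seen in the lesson:
# sender MAC / sender IP / target MAC / target IP / timestamp
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/"
    r"(?P<ts>[^\]]+)\]\)")


def parse_dai_denies(text):
    """One dict per DENY line; lines that do not match are ignored."""
    rows = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            row = m.groupdict()
            row["count"], row["vlan"] = int(row["count"]), int(row["vlan"])
            rows.append(row)
    return rows


def triage(text, bindings):
    """Split denied senders using the DHCP snooping bindings (dict IP -> MAC):
    'conflicts' are IPs bound to a different MAC (a spoofing indicator),
    'unbound' are IPs with no binding (typically static-IP devices that need
    an ARP access-list entry or a trusted port). Counts are summed per sender."""
    seen = defaultdict(int)
    for r in parse_dai_denies(text):
        seen[(r["intf"], r["sip"], r["smac"])] += r["count"]
    conflicts, unbound = [], []
    for (intf, sip, smac), n in sorted(seen.items()):
        if sip in bindings and bindings[sip].lower() != smac.lower():
            conflicts.append((intf, sip, smac, bindings[sip], n))
        elif sip not in bindings:
            unbound.append((intf, sip, smac, n))
    return {"conflicts": conflicts, "unbound": unbound}
```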

Configurations
Want to take a look for yourself? Here you will find the configuration of each device.


SW1
hostname SW1
!
ip dhcp snooping vlan 123
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 123
ip arp inspection validate src-mac
!
interface FastEthernet0/1
switchport access vlan 123
switchport mode access
ip arp inspection limit rate 10
spanning-tree portfast
!
interface FastEthernet0/2
switchport access vlan 123
switchport mode access
spanning-tree portfast
!
interface FastEthernet0/3
switchport access vlan 123
switchport mode access
ip arp inspection trust
spanning-tree portfast
ip dhcp snooping trust
!
arp access-list DHCP_ROUTER
permit ip host 192.168.1.254 mac host 0016.c7be.0ec8
!
end

HOST
hostname HOST
!
interface FastEthernet0/0
ip address dhcp
duplex auto
speed auto
!
end

ATTACK
hostname ATTACK
!
interface FastEthernet0/0
ip address 192.168.1.2 255.255.255.0
shutdown
duplex auto
speed auto
!
end

DHCP
hostname DHCP
!
ip dhcp pool MY_POOL
network 192.168.1.0 255.255.255.0
!
interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
duplex auto
speed auto
!
end

I hope you enjoyed this lesson, if you have any questions feel free to leave a comment below.
