Dynamic ARP Inspection (DAI) – Fundamentals, configuration, ARP ACL config, Verification, and lots of details!

The above Topology perfect (sort of) why Dynamic ARP Inspection exists!

Dynamic ARP Inspection exists to protect against the possibility of what can happen in the above Topology if Host B (Man in the Middle) gets a copy of an ARP request for a Data Server on the network, then sets its own IP Address as the Data Server and send an ARP Response to Host A claiming to be the Server.

The man in the middle can also act as a relay, so it collects the traffic meant for the Data Server first, then forwards the traffic to the Data Server which will then respond to the original IP Address of Host A – So bad went to worse because now its transparent!

How does Dynamic ARP Inspection work?

This works with the DHCP Snooping “Binding” table, as it will verify ARP Requests and Replies against the entries in that table, and if no match is found the ARP traffic is dropped and a message is logged indicating so.

Not everything will be in the DHCP Snooping Binding table, like static IP Addresses.

For this, we can either create a Static ARP ACL to check against rather than the table, or we can use the DAI concept of Trusted / Untrusted ports, which working exactly like DHCP Snooping traffic exceptions:

Untrusted Ports ARP Traffic can only exit Trusted Ports
Trusted Ports ARP Traffic can exit Untrusted Ports

Configuration of Dynamic ARP Inspection

This actually does not require to be turned on globally first like DHCP Snooping, it just needs configuration for a VLAN right out of the gate, so lets get VLAN 10:

SW1(config)#ip arp ?
gratuitous Gratuitous ARP control
inspection Arp Inspection configuration
poll IP ARP polling for unnumbered interfaces
proxy Global proxy ARP configuration
track ARP Track configuration

SW1(config)#ip arp inspection ?
filter Specify ARP acl to be applied
log-buffer Log Buffer Configuration
smartlog Smartlog all the logged pkts
validate Validate addresses
vlan Enable/Disable ARP Inspection on vlans

SW1(config)#ip arp inspection vlan ?
WORD vlan range, example: 1,3-5,7,9-11

SW1(config)#ip arp inspection vlan 10 ?
logging Configure type of packets to be logged
<cr>

SW1(config)#ip arp inspection vlan 10
SW1(config)#

This will now place all interfaces in VLAN 10 in an Untrusted status, so they can send ARP requests to Trusted ports, and that is about it. You will want Trusted interfaces to be pointing at Static IP Addresses (in this case 10.0.10.5 our Data Server).

Configuring a Trusted interface for DAI:

SW1(config)#int fa1/0/6
SW1(config-if)#ip arp ?
inspection Arp Inspection configuration

SW1(config-if)#ip arp inspection ?
limit Configure Rate limit of incoming ARP packets
trust Configure Trust state

SW1(config-if)#ip arp inspection trust ?
<cr>

SW1(config-if)#ip arp inspection trust

Basically the same process as the DHCP Snooping interface configuration, and we also see the “limit” command highlighted in green that should REALLY be set low for on Host interfaces, as ARP requests “Flooding” nature can really hit a VLANs BW / Switch CPU if a Rogue Host begins flooding these packets to the Switch!

The default is 15 PPS for DAI!

Trusted Interfaces are not limited by rates unless manually configured with a limit!

So why on Earth would I ever configure an ARP ACL for Static IP Addresses?

If you have multiple Access Layer switches connecting to an Upstream Gateway, using Trusted Ports can allow Hosts from SW2 to Spoof the Router Address or perform “ARP Poisoning” to Hosts on SW1 – This is because that ingress interface is Trusted!

You would create an “arp access-list …” in this scenario:

SW1(config)#arp access-list StaticARP
SW1(config-arp-nacl)#permit ip ?
A.B.C.D Sender IP address
any Any Sender IP address
host Single Sender host

SW1(config-arp-nacl)#permit ip host ?
A.B.C.D Sender Host IP address

SW1(config-arp-nacl)#permit ip host 10.0.10.254 ?
mac Sender MAC address

SW1(config-arp-nacl)#permit ip host 10.0.10.254 mac ?
H.H.H Sender MAC address
any Any MAC address
host Single Sender host

SW1(config-arp-nacl)#permit ip host 10.0.10.254 mac host ?
H.H.H Sender MAC address

SW1(config-arp-nacl)#permit ip host 10.0.10.254 mac host dddd.dddd.dddd ?
log Log on match
<cr>

SW1(config-arp-nacl)#permit ip host 10.0.10.254 mac host dddd.dddd.dddd
SW1(config-arp-nacl)#

A few things to note here:

To begin this ACL, it is “arp access-list (name)”
Every line I used IOS help refers to “Sender” info, not Src / Dst
There is no <cr> until we have defined an IP and MAC Address

This is not a standard src/dst IP Access-List, this is expressly permitting ARP traffic from any senders defined on the “ARP Access-List” even if they’re not present in the DHCP Snooping Binding table for verification!

To apply this ACL (All ACL’s must be applied to work!) :

SW1(config)#ip arp inspection filter ?
WORD ARP acl name

SW1(config)#ip arp inspection filter StaticARP ?
vlan Vlans to apply the filter

SW1(config)#ip arp inspection filter StaticARP vlan ?
WORD vlan range, example: 1,3-5,7,9-11

SW1(config)#ip arp inspection filter StaticARP vlan 10 ?
static Apply the ACL statically
<cr>

SW1(config)#ip arp inspection filter StaticARP vlan 10
SW1(config)#

The static command at this end of this can completely change the operation of how DAI works, so I highlighted it in green to bring attention to where its located in the command.

The way this was filter was applied (without the Static command), traffic from Untrusted ports will first be checked against the ARP ACL we created, and then against the DHCP Snooping Binding table for possible matches.

If I were to add the “static” sub-command to the filter, incoming ARP traffic would ONLY be checked against the ARP ACL, and would skip the DHCP Snooping table lookup / verify.

So it’s a powerful command, and should definitely know what it does for exam day!

Important explanation of what information on a frame is being Inspected by DAI

The criteria to be considered a “Valid Sender” when DAI is enabled, the following criteria must be verified as “valid” on ARP Frames:

Sender MAC Address (Not Source MAC)
Sender VLAN #
Sender IP Address

These “Sender” values are checked against the DHCP Binding table (or ARP ACL) to validate the Frame is Trusted, if no match is found the Frame is dropped.

To configure additional inspection criteria on the ARP Frame (Src/Dst/IP) info:

SW1(config)#ip arp inspection validate ?
dst-mac Validate destination MAC address
ip Validate IP addresses
src-mac Validate source MAC address

It will add overhead for the extra inspection, but will further secure the DAI process.

Verification commands for Dynamic ARP Inspection!

This config table is just too large and messy to reformat, and I have no good information from this lab in it, but just for the sake of showing what it looks like:

“sh ip arp inpsection” is the command, this output shows at the top we did not include any extra inspection commands with “ip arp inspection validate …” command, and that the only VLAN we are doing inspection for is VLAN 10.

It does have a lot of fields with good info such as logging, dropped packets, ACL info and etc however I haven’t really generated that data output in this lab session.

For an Interface Specific Verification command:

SW1#sh ip arp inspection int fa1/0/1

Interface Trust State    Rate (pps)     Burst Interval
—————    ———–             ———- ————–
Fa1/0/1 Untrusted              15                     1
SW1#

While we are comparing tables and such, here is the DHCP Snooping Binding Table:

SW1#sh ip dhcp snooping binding
MacAddress IpAddress          Lease(sec)       Type               VLAN Interface
—————— —————    ———-      ————-     —-        ——————–
00:1E:F7:97:F1:4B    10.0.10.101          603320    dhcp-snooping    10    FastEthernet1/0/1
Total number of bindings: 1

SW1#

Just a quick reminder of the info Dynamic ARP is verifiying against!

That is it for this one, unless I find more info along the way to add, this is Dynamic ARP 🙂

Share this:

Like this:

Leave a Reply Cancel reply