Dynamic ARP Inspection
ARP is used to resolve IP addresses to MAC addresses. Routers and switches maintain ARP tables that record IP-to-MAC address mappings. ARP spoofing attacks disguise a source MAC address by impersonating another host on the network. It is important to understand that an ARP spoofing attack is not the same thing as a MAC spoofing attack. In an ARP spoofing attack, the ARP cache is poisoned with a false IP-to-MAC address mapping.
In MAC spoofing, the switch is tricked into believing that the same MAC address is connected to two different ports, which effectively poisons the MAC address table. ARP spoofing occurs during the ARP request and reply message exchange between two or more hosts. It is during this exchange of messages that attackers can inject a fake reply message with their own MAC address masquerading as one of the legitimate hosts, as illustrated below in Figure 1:
Fig. 1. Understanding ARP Spoofing Attacks
In Figure 1, three hosts reside on a shared LAN segment. There are two legitimate hosts, Host 1 and Host 2, and there is also a machine that has been compromised and is now being operated by the attacker. When Host 1 wants to send data to Host 2, it sends out an ARP broadcast to resolve the IP address of Host 2 to a MAC address. This process is illustrated in step number 1.
Before Host 2 can respond to the ARP request from Host 1, the attacker crafts a packet and responds to Host 1, providing Host 1 with the attacker’s MAC address instead. The ARP table on Host 1 is updated and incorrectly reflects an IP-to-MAC address mapping of 10.1.1.2 with the MAC address 1a2b.3333.cdef. Host 1 sends all traffic that should be destined to Host 2 to the attacker’s machine instead. The recommended solution to prevent such attacks in Cisco Catalyst switches is to implement Dynamic ARP Inspection (DAI).
Dynamic ARP Inspection Overview
Dynamic ARP Inspection is a Catalyst switch security feature that validates ARP packets in a network. DAI determines the validity of a packet by inspecting its IP-to-MAC address binding. Packets whose binding is confirmed as valid are forwarded to their destination; packets with invalid IP-to-MAC address bindings fail the inspection and are dropped. DAI therefore ensures that only valid ARP requests and responses are relayed. When DAI is enabled, the switch performs the following three activities:
- Intercepts all ARP requests and responses on untrusted ports. However, it is important to keep in mind that it inspects only inbound packets; it does not inspect outbound packets;
- Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to its destination; and
- Drops invalid ARP packets. These ARP packets contain invalid or incorrect IP-to-MAC address bindings.
Dynamic ARP Inspection can be used in both Dynamic Host Configuration Protocol (DHCP) and non-DHCP environments. In DHCP environments, DAI is typically implemented in conjunction with the DHCP snooping feature, which allows DAI to validate bindings based on the DHCP snooping database. However, in non-DHCP environments, DAI can also validate ARP packets against a user-defined ARP ACL, which maps hosts with a statically configured IP address to their MAC address. The DHCP snooping feature will be described in detail later in this chapter.
Figure 2 below illustrates basic DAI operation in a DHCP environment, on a Cisco Catalyst switch enabled for DAI in conjunction with DHCP snooping:
Fig. 2. DAI in Environments with DHCP Snooping
In Figure 2, DAI has been enabled on the switch to which Host 1, the compromised machine, and the file server are all connected. The switch holds the IP-to-MAC bindings in its DHCP snooping database. Therefore, if the attacker attempts to send a gratuitous ARP (GARP) with a spoofed MAC address, DAI will intercept the packet, and because it has an invalid IP-to-MAC address binding, the packet will be discarded.
DAI associates a trust state with each interface on the switch. All packets that arrive on trusted interfaces bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation process. In a typical network configuration, all switch ports connected to hosts are configured as untrusted and all switch ports connected to switches (i.e. trunks) and servers are configured as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check, but because they have been validated on the host port, they pose no security threats. No other validation is needed at any other place in the VLAN or in the network. This concept is illustrated below in Figure 3:
Fig. 3. DAI Trusted and Untrusted Interfaces
As shown in Figure 3, the trunk link between the two switches is trusted. This means that ARP packets that traverse this link will not be subject to DAI validation. However, the access ports that connect Host 1 and Host 2 to the switches are untrusted. This means that ARP packets that traverse these links will be subject to DAI validation. The respective switches will discard all packets with invalid bindings that are received on these interfaces.
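To make the decision path described above concrete, the following is an added Python model of how a DAI-enabled switch handles an inbound ARP packet. It is an example written for this page, not Cisco code and not part of the original article. The switch, its port names, the DHCP snooping database entries (including Host 2's MAC address 1a2b.2222.cdef) and the ARP ACL contents are all constructed. The order in which the two binding sources are consulted (an applied ARP ACL first, DHCP snooping bindings only when no ACL entry matches and the filter was applied without the `static` keyword) is modelled here as an assumption about the behaviour behind the "Static ACL" column of the show output later on this page.

```python
"""Model of the DAI forwarding decision: added example, not Cisco code and not
from the original article. Topology, port names, bindings and ACL are
constructed; the ACL-before-DHCP-bindings ordering is an assumption."""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    vlan: int
    in_port: str      # interface the packet arrived on
    sender_ip: str    # sender protocol address from the ARP body
    sender_mac: str   # sender hardware address from the ARP body


@dataclass
class DaiSwitch:
    dai_vlans: set                                   # VLANs with "ip arp inspection vlan"
    trusted_ports: set                               # ports with "ip arp inspection trust"
    snooping_db: dict                                # vlan -> {ip: mac} (DHCP snooping bindings)
    arp_acl: dict = field(default_factory=dict)      # vlan -> [(action, ip, mac), ...]
    acl_static: dict = field(default_factory=dict)   # vlan -> True if filter applied with "static"
    log: list = field(default_factory=list)          # dropped packets, as DAI logging would record

    def inspect(self, pkt: ArpPacket) -> str:
        """Return "forward" or "drop" for one inbound ARP request or reply."""
        if pkt.vlan not in self.dai_vlans or pkt.in_port in self.trusted_ports:
            return "forward"  # DAI off for this VLAN, or trusted port: no checks at all
        # 1. ARP ACL, if one is applied to the VLAN (statically addressed hosts)
        acl = self.arp_acl.get(pkt.vlan)
        if acl is not None:
            for action, ip, mac in acl:
                if (ip, mac) == (pkt.sender_ip, pkt.sender_mac):
                    return self._decide(pkt, action == "permit", "acl-match")
            if self.acl_static.get(pkt.vlan, False):
                # "static": the implicit deny is final, no fallback to DHCP bindings
                return self._decide(pkt, False, "acl-implicit-deny")
        # 2. DHCP snooping binding for the sender IP must carry the same MAC
        bound_mac = self.snooping_db.get(pkt.vlan, {}).get(pkt.sender_ip)
        return self._decide(pkt, bound_mac == pkt.sender_mac, "dhcp-binding")

    def _decide(self, pkt: ArpPacket, valid: bool, reason: str) -> str:
        if valid:
            return "forward"
        self.log.append((pkt.in_port, pkt.sender_ip, pkt.sender_mac, reason))
        return "drop"


def build_switch() -> DaiSwitch:
    """Constructed VLAN 5 topology modelled on Figures 1 and 2."""
    return DaiSwitch(
        dai_vlans={5},
        trusted_ports={"Gi5/1"},  # DHCP server port, as in the page's configuration
        snooping_db={5: {"10.1.1.1": "1a2b.1111.cdef",     # Host 1 (from the page)
                         "10.1.1.2": "1a2b.2222.cdef"}},   # Host 2 (constructed)
    )


def demo():
    sw = build_switch()
    legit = ArpPacket(5, "Gi1/2", "10.1.1.2", "1a2b.2222.cdef")
    spoof = ArpPacket(5, "Gi1/3", "10.1.1.2", "1a2b.3333.cdef")  # attacker's reply from Figure 1
    results = {
        "legit_reply": sw.inspect(legit),
        "spoofed_reply": sw.inspect(spoof),
        # same spoofed reply on a trusted port is never inspected: trust host ports with care
        "spoof_on_trusted_port": sw.inspect(ArpPacket(5, "Gi5/1", "10.1.1.2", "1a2b.3333.cdef")),
        "other_vlan": sw.inspect(ArpPacket(10, "Gi1/3", "10.1.1.2", "1a2b.3333.cdef")),
    }
    # Non-DHCP variant: ARP ACL VLAN-5-ARP permits only Host 1's static binding
    sw.arp_acl[5] = [("permit", "10.1.1.1", "1a2b.1111.cdef")]
    results["acl_permit"] = sw.inspect(ArpPacket(5, "Gi1/1", "10.1.1.1", "1a2b.1111.cdef"))
    results["acl_miss_dhcp_fallback"] = sw.inspect(legit)   # no ACL entry, DHCP binding is valid
    sw.acl_static[5] = True
    results["acl_miss_static"] = sw.inspect(legit)          # implicit deny is now final
    return results, sw.log


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:24s} {verdict}")
```

The "spoof_on_trusted_port" case is the one to keep in mind when assigning trust states: a trusted interface skips every check, so trust belongs only on inter-switch links and server ports whose ARP traffic was already validated at the host edge.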
Configuring Dynamic ARP Inspection in a DHCP Environment
Dynamic ARP Inspection is supported on access ports, trunk ports, EtherChannel ports, or private VLAN (PVLAN) ports. Globally, DAI is enabled on a per-VLAN basis using the ip arp inspection vlan [vlan-range] global configuration command.
Once DAI has been configured for a specific VLAN or range of VLANs, all ports are untrusted by default. In this mode, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan [vlan-range] logging global configuration command.
When a switch port is configured as trusted, the switch does not check ARP packets that it receives on the trusted interface. Instead, it simply forwards the packets. To enable the trusted state for ports, the ip arp inspection trust interface configuration command must be configured on the trusted interface. The following output shows how to enable DAI for VLAN 5 and configure interface GigabitEthernet5/1 as a trusted interface:
VTP-Server-1(config)#ip arp inspection vlan 5
VTP-Server-1(config)#int gigabitethernet5/1
VTP-Server-1(config-if)#description 'Connected To DHCP Server'
VTP-Server-1(config-if)#switchport mode access
VTP-Server-1(config-if)#switchport access vlan 5
VTP-Server-1(config-if)#ip arp inspection trust
VTP-Server-1(config-if)#exit
Verifying Dynamic ARP Inspection in a DHCP Environment
Dynamic ARP Inspection configuration for a particular VLAN is validated using the show ip arp inspection vlan [number] command, as illustrated in the following output, while trusted interface configuration can be validated using the show ip arp inspection interfaces [name] command as illustrated in the output that follows:
VTP-Server-1#show ip arp inspection vlan 5

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    5     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    5     Deny             Deny
VTP-Server-1#show ip arp inspection interfaces gigabitethernet5/1

 Interface        Trust State     Rate (pps)
 ---------------  -----------     ----------
 Gi5/1            Trusted         None
Configuring and Verifying DAI Validation
With DAI, by default, only the IP-to-MAC binding carried in the ARP packet is validated. However, Cisco IOS software allows you to configure the switch to inspect these ARP packets further via the ip arp inspection validate {[src-mac] [dst-mac] [ip [allow-zeros]]} command. The options that are available with this command are listed and described below in Table 1:
Table 1. DAI Validation Keywords
Keyword | Description |
src-mac | This keyword is used to compare the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. |
dst-mac | This keyword is used to compare the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped. |
ip | This keyword is used to compare the ARP body for invalid and unexpected IP addresses, which includes 0.0.0.0, 255.255.255.255, and all IP Multicast addresses. Sender IP addresses are compared in all ARP requests and responses. Target IP addresses are checked only in ARP responses. |
allow-zeros | This keyword modifies the IP validation test so that ARP packets with a sender address of 0.0.0.0 are not denied by the switch. |
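The following added Python example models the three optional validation checks from Table 1 as a function applied to a single ARP frame, so that the difference between what is checked on requests and on replies, and the effect of allow-zeros, can be seen on concrete input. It is not Cisco code and not from the original article; the frames, MAC addresses and check names are constructed for the example, and the handling of allow-zeros (exempting only a sender address of 0.0.0.0) follows the keyword description in the table.

```python
"""Added example, not Cisco code: a model of the src-mac, dst-mac and ip
(with allow-zeros) checks of "ip arp inspection validate" applied to one ARP
frame. Frames, MAC addresses and check names are constructed."""
from dataclasses import dataclass


@dataclass
class ArpFrame:
    eth_src: str      # source MAC in the Ethernet header
    eth_dst: str      # destination MAC in the Ethernet header
    op: str           # "request" or "reply"
    sender_mac: str   # sender hardware address in the ARP body
    sender_ip: str    # sender protocol address in the ARP body
    target_mac: str   # target hardware address in the ARP body
    target_ip: str    # target protocol address in the ARP body


def is_unexpected_ip(addr: str, allow_zero: bool) -> bool:
    """0.0.0.0, 255.255.255.255 and multicast (224-239.x.x.x) are unexpected in an ARP body."""
    if addr == "0.0.0.0":
        return not allow_zero
    if addr == "255.255.255.255":
        return True
    return 224 <= int(addr.split(".")[0]) <= 239


def validate(frame: ArpFrame, src_mac=False, dst_mac=False, ip=False, allow_zeros=False):
    """Apply the selected validate keywords; return the list of failed checks ([] = pass)."""
    failures = []
    # src-mac: Ethernet source vs ARP sender MAC, checked on requests and replies
    if src_mac and frame.eth_src.lower() != frame.sender_mac.lower():
        failures.append("src-mac")
    # dst-mac: Ethernet destination vs ARP target MAC, checked on replies only
    if dst_mac and frame.op == "reply" and frame.eth_dst.lower() != frame.target_mac.lower():
        failures.append("dst-mac")
    if ip:
        # sender IP is checked in every packet; allow-zeros exempts only a sender of 0.0.0.0
        if is_unexpected_ip(frame.sender_ip, allow_zeros):
            failures.append("ip:sender")
        # target IP is checked in replies only (assumption: allow-zeros does not apply to it)
        if frame.op == "reply" and is_unexpected_ip(frame.target_ip, False):
            failures.append("ip:target")
    return failures


def demo():
    # Constructed frames. An ARP probe (sender 0.0.0.0) is what allow-zeros exists for.
    probe = ArpFrame("1a2b.1111.cdef", "ffff.ffff.ffff", "request",
                     "1a2b.1111.cdef", "0.0.0.0", "0000.0000.0000", "10.1.1.2")
    honest_reply = ArpFrame("1a2b.2222.cdef", "1a2b.1111.cdef", "reply",
                            "1a2b.2222.cdef", "10.1.1.2", "1a2b.1111.cdef", "10.1.1.1")
    # Reply whose Ethernet source does not match the MAC claimed in the ARP body
    mismatched = ArpFrame("1a2b.3333.cdef", "1a2b.1111.cdef", "reply",
                          "1a2b.2222.cdef", "10.1.1.2", "1a2b.1111.cdef", "10.1.1.1")
    # Reply carrying a multicast target IP, which no host should ever have
    mcast_target = ArpFrame("1a2b.2222.cdef", "1a2b.1111.cdef", "reply",
                            "1a2b.2222.cdef", "10.1.1.2", "1a2b.1111.cdef", "224.0.0.1")
    return {
        "probe_ip": validate(probe, ip=True),
        "probe_ip_allow_zeros": validate(probe, ip=True, allow_zeros=True),
        "honest_all": validate(honest_reply, src_mac=True, dst_mac=True, ip=True),
        "mismatch_src_mac": validate(mismatched, src_mac=True, dst_mac=True, ip=True),
        "mismatch_no_validate": validate(mismatched),
        "multicast_target": validate(mcast_target, ip=True),
    }


if __name__ == "__main__":
    for name, failed in demo().items():
        print(f"{name:22s} {'pass' if not failed else 'drop ' + ','.join(failed)}")
```

Note the "mismatch_no_validate" case: without the validate keywords the binding check alone decides, so a frame whose Ethernet header and ARP body disagree passes as long as the body's binding is valid. Enabling ip without allow-zeros also drops legitimate ARP probes, which is why the keyword exists.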
The following output shows how to configure DAI to compare the ARP body for invalid and unexpected IP addresses:
VTP-Server-1(config)#ip arp inspection vlan 5
VTP-Server-1(config)#ip arp inspection validate ip
VTP-Server-1(config)#exit
This configuration is validated using the show ip arp inspection vlan [number] command as illustrated in the following output:
VTP-Server-1#show ip arp inspection vlan 5

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    5     Enabled          Active

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    5     Deny             Deny
Configuring Dynamic ARP Inspection in a Non-DHCP Environment
In order to configure DAI in a non-DHCP environment, you must first configure ARP ACLs that DAI will use to validate ARP packets. ARP ACLs are configured using the arp access-list [name] global configuration command. Next, configure DAI to validate packets against the ARP ACL(s) via the ip arp inspection filter [arp-acl-name] vlan [vlan-range] global configuration command.
The following output illustrates how to configure an ARP ACL to permit ARP packets from host 10.1.1.1 with a MAC address of 1a2b.1111.cdef and how to configure and verify DAI of ARP packets in VLAN 5 based on this ACL:
VTP-Server-1(config)#arp access-list VLAN-5-ARP
VTP-Server-1(config-arp-nacl)#permit ip host 10.1.1.1 mac host 1a2b.1111.cdef
VTP-Server-1(config-arp-nacl)#exit
VTP-Server-1(config)#ip arp inspection filter VLAN-5-ARP vlan 5
VTP-Server-1(config)#exit
Verifying Dynamic ARP Inspection in a Non-DHCP Environment
The show ip arp inspection command is used to verify the DAI configuration. Its output for the configuration above is as follows:
VTP-Server-1#show ip arp inspection vlan 5

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    5     Enabled          Active      VLAN-5-ARP         No

 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
    5     Deny             Deny
NOTE: The show arp access-list [name] command can be used to view the configured ARP ACLs. This is illustrated in the following output:
VTP-Server-1#show arp access-list
ARP access list VLAN-5-ARP
    permit ip host 10.1.1.1 mac host 1a2b.1111.cdef