You are here: Home » Switching

DAI (Dynamic ARP Inspection)

Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution Protocol) which is vulnerable to an attack ike ARP poisoning.

DAI checks all ARP packets on untrusted interfaces, it will compare the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t matter, it will be dropped. In this lesson I’ll show you how to configure DAI. Here’s the topology we will use:

Above we have four devices, the router on the left side called “host” will be a DHCP client, the router on the right side is our DHCP server and on top we have a router that will be used as an attacker. The switch in the middle will be configured for dynamic ARP inspection.

Configuration

We’ll start with the switch, first we need to make sure that all interfaces are in the same VLAN:

SW1(config)#interface range fa0/1 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 123
SW1(config-if-range)#spanning-tree portfast

Now we can configure DHCP snooping:

SW1(config)#ip dhcp snooping 
SW1(config)#ip dhcp snooping vlan 123
SW1(config)#no ip dhcp snooping information option

The commands above will enable DHCP snooping globally, for VLAN 123 and disables the insertion of option 82 in DHCP packets. Don’t forget to make the interface that connects to the DHCP server trusted:

SW1(config)#interface FastEthernet 0/3
SW1(config-if)#ip dhcp snooping trust

The switch will now keep track of DHCP messages. Let’s configure a DHCP server on the router on the right side:

DHCP(config)#ip dhcp pool MY_POOL
DHCP(dhcp-config)#network 192.168.1.0 255.255.255.0

That’s all we need, let’s see if the host is able to get an IP address:

HOST(config)#interface FastEthernet 0/0
HOST(config-if)#ip address dhcp

A few seconds later we see this message:

%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname HOST

Let’s check if our switch has stored something in the DHCP snooping database:

SW1#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1D:A1:8B:36:D0   192.168.1.1      86330       dhcp-snooping   123   FastEthernet0/1
Total number of bindings: 1

There it is, an entry with the MAC address and IP address of our host. Now we can continue with the configuration of DAI. There’s only one command required to activate it:

SW1(config)#ip arp inspection vlan 123

The switch will now check all ARP packets on untrusted interfaces, all interfaces are untrusted by default. Let’s see if this will work or not…I’ll configure the IP address of our host on our attacker:

ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#ip address 192.168.1.1 255.255.255.0

Now let’s see what happens when we try to send a ping from the attacker to our DHCP router:

ATTACK#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

The ping is failing…what does our switch think of this?

SW1#
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:08 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])

Above you can see that all ARP requests from our attacker are dropped. The switch checks the information found in the ARP request and compares it with the information in the DHCP snooping database. Since it doesn’t match, these packets are discarded. You can find the number of dropped ARP packets with the following command:

SW1#show ip arp inspection 

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active                         

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  123     Deny             Deny              Off          

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
  123              0              5              5              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
  123              0              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
          
 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
  123                   0                        0                       0

Above you see the number of drops increase. So far so good, our attacker has been stopped. We still have one problem though, let me first shut the interface on our attacker before we continue:

ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#shutdown

Let me show you what happens when we try to send a ping from the host to our DHCP router:

HOST#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

This ping is failing but why? We are not spoofing anything…here’s what the switch tells us:[teaser]

SW1#
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:48 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:50 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:52 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:54 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/3, vlan 123.([0016.c7be.0ec8/192.168.1.254/001d.a18b.36d0/192.168.1.1/01:24:56 UTC Tue Mar 2 1993])

Our switch is dropping ARP replies from the DHCP router to our host. Since the DHCP router has no idea how to reach the host, the ping is failing:

HOST#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             -   001d.a18b.36d0  ARPA   FastEthernet0/0
Internet  192.168.1.254           0   Incomplete      ARPA

DHCP#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.1             0   001d.a18b.36d0  ARPA   FastEthernet0/0
Internet  192.168.1.254           -   0016.c7be.0ec8  ARPA   FastEthernet0/0

Why is the switch dropping the ARP reply? The problem is that the DHCP router is using a static IP addresses. DAI checks the DHCP snooping database for all packets that arrive on untrusted interfaces, when it doesn’t find a match…the ARP packet is dropped. To fix this, we need to create a static entry for our DHCP router:

SW1(config)#arp access-list DHCP_ROUTER
SW1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0016.c7be.0ec8

First we create an ARP access-list with a permit statement for the IP address and MAC address of the DHCP router. Now we need to apply this to DAI:

SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123 ?     
  static  Apply the ACL statically

We use the ip arp inspection filter command for this but you have to be careful…if you use the “static” parameter then we tell the switch not to check the DHCP snooping database. It will only check our ARP access-list and when it doesn’t find an entry, the ARP packet will be dropped. Make sure you add the filter without the static parameter:

SW1(config)#ip arp inspection filter DHCP_ROUTER vlan 123

There we go. The switch will now check the ARP access-list first and when it doesn’t find a match, it will check the DHCP snooping database. Let’s try that ping again:

HOST#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

Excellent our ping is now working because of the static entry for the DHCP router. Another way to deal with this issue is to configure the interface as trusted. DAI will allow all ARP packets on trusted interfaces:

SW1(config)#interface FastEthernet 0/3
SW1(config-if)#ip arp inspection trust

Anything else we can do with DAI? There are some additional security checks you can enable if you want:

SW1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address

Here’s what these options mean:

dst-mac: checks the destination MAC address in the Ethernet header against the target MAC address in the ARP packet. This check is performed for ARP replies. ARP replies with different MAC addresses will be dropped.
ip: checks for invalid and unexpected IP addresses. For example 0.0.0.0, 255.255.255.255 and multicast addresses.
src-mac: checks the source MAC address in the Ethernet header against the sender’s MAC address in the ARP packet. This check is performed for both ARP requests and replies. ARP packets with different MAC addresses will be dropped.

You can only enable one of these options at the same time. Here’s an example how to enable the dst-mac check:

SW1(config)#ip arp inspection validate dst-mac

Last but not least, we can also configure ARP rate-limiting. By default there is a limit of 15 pps for ARP traffic on untrusted interfaces. Here’s how you can change it:

SW1(config)#interface FastEthernet 0/1
SW1(config-if)#ip arp inspection limit rate 10

This interface now only allows 10 ARP packets per second.

Conclusion

That’s all we have for DAI (Dynamic ARP Inspection). It’s a nice security feature but make sure that you have ARP access-lists in place for all devices with static IP addresses before you enable this. You don’t want to block most of your traffic after enabling this.

Configurations

Want to take a look for yourself? Here you will find the configuration of each device.

SW1

hostname SW1
!
ip dhcp snooping vlan 123
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 123
ip arp inspection validate src-mac 
!
interface FastEthernet0/1
 switchport access vlan 123
 switchport mode access
 ip arp inspection limit rate 10
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 123
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 123
 switchport mode access
 ip arp inspection trust
 spanning-tree portfast
 ip dhcp snooping trust       
!
arp access-list DHCP_ROUTER
 permit ip host 192.168.1.254 mac host 0016.c7be.0ec8 
!end

HOST

hostname HOST
!
interface FastEthernet0/0
 ip address dhcp
 duplex auto
 speed auto
!end

ATTACK

hostname ATTACK
!
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 shutdown
 duplex auto
 speed auto
!
end

DHCP

hostname DHCP
!
ip dhcp pool MY_POOL
 network 192.168.1.0 255.255.255.0
!
interface FastEthernet0/0
 ip address 192.168.1.254 255.255.255.0
 duplex auto
 speed auto
!
end

I hope you enjoyed this lesson, if you have any questions feel free to leave a comment below.

Previous Lesson
ARP Poisoning

Next Lesson
Cisco IOS SPAN and RSPAN

Tags: ARP, Security

Notable Replies

santiesteban51 says:

Hi rene, I don´t have a DHCP server. My users have Ip address static. Do I need configure ip arp inspection filter?
ReneMolenaar says:

Hi Alberto,

If you feel ARP poisoning is a risk on your network then you could implement it. However if you use static addresses then it’s probably not worth the effort.

DAI is very useful when you use DHCP as it relies on the DHCP snooping database. When you use DHCP then DAI will work for all address leases and we use the static entries only for some static devices like routers or servers.

If you have to implement this for all your users then it might be quite some work…

Rene
ReneMolenaar says:

Hi Zaman,

There is one other method if you don’t have a DHCP server. You can create static ARP bindings in the ARP snooping database.

Rene
wilder7bc says:

So I am on the final run getting ready for my CCNP Switch some areas I am weaker in was DHCP Snooping and DAI.

I created the following lab in CISCO VIRL Lab:

EDITED:
I had three pages of information (lol) but decided to edit it out AS I was able to figure out everything by going back over your lesson and watching the video.

Writing on the forums really helps me to get things straight in my brain and also not feel alone when studying and stuck on something.

Thanks for the great lessons!
lagapides says:

Hello florian

My apologies for not responding sooner!

Keep in mind that the Sender hardware address and the target hardware addresses found within the ARP packet are not the source and destination MAC addresses found in the Ethernet header. Now you are correct when you say that:

florianl:

the frame would be switched to the host with the respective MAC from the Ethernet header but then the host would check the MAC in the ARP body and realize its not his and drop the frame,

DAI will cause such frames to drop so that they don’t actually reach the host. These are illegitimate packets and most likely come from a malicious source, so they should not be sent to the host. The host will not have to waste time and resources processing them.

florianl:

Also, how is it possible to deny Gratuitous ARP´s, as i thought those are a vital part of every interface for example!?

As for this question, my apologies. I had the no ip gratuitous-arp command in mind but this just disables the sending of gratuitous ARP packets by the device itself and not the blocking of such packets from hosts.

I hope this has been helpful!

Laz

Continue the discussion forum.networklessons.com

19 more replies!

NetworkLessons.com