Dynamic ARP Inspection (DAI) is a security feature that protects ARP (Address Resolution Protocol) which is vulnerable to an attack like ARP poisoning.
DAI checks all ARP packets on untrusted interfaces, it will compare the information in the ARP packet with the DHCP snooping database and/or an ARP access-list. If the information in the ARP packet doesn’t matter, it will be dropped. In this lesson I’ll show you how to configure DAI. Here’s the topology we will use:
Above we have four devices, the router on the left side called “host” will be a DHCP client, the router on the right side is our DHCP server and on top we have a router that will be used as an attacker. The switch in the middle will be configured for dynamic ARP inspection.
Configuration
We’ll start with the switch, first we need to make sure that all interfaces are in the same VLAN:
SW1(config)#interface range fa0/1 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 123
SW1(config-if-range)#spanning-tree portfast
Now we can configure DHCP snooping:
SW1(config)#ip dhcp snooping
SW1(config)#ip dhcp snooping vlan 123
SW1(config)#no ip dhcp snooping information option
The commands above will enable DHCP snooping globally, for VLAN 123 and disables the insertion of option 82 in DHCP packets. Don’t forget to make the interface that connects to the DHCP server trusted:
SW1(config)#interface FastEthernet 0/3
SW1(config-if)#ip dhcp snooping trust
The switch will now keep track of DHCP messages. Let’s configure a DHCP server on the router on the right side:
DHCP(config)#ip dhcp pool MY_POOL
DHCP(dhcp-config)#network 192.168.1.0 255.255.255.0
That’s all we need, let’s see if the host is able to get an IP address:
HOST(config)#interface FastEthernet 0/0
HOST(config-if)#ip address dhcp
A few seconds later we see this message:
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0/0 assigned DHCP address 192.168.1.1, mask 255.255.255.0, hostname HOST
Let’s check if our switch has stored something in the DHCP snooping database:
SW1#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:1D:A1:8B:36:D0 192.168.1.1 86330 dhcp-snooping 123 FastEthernet0/1
Total number of bindings: 1
There it is, an entry with the MAC address and IP address of our host. Now we can continue with the configuration of DAI. There’s only one command required to activate it:
SW1(config)#ip arp inspection vlan 123
The switch will now check all ARP packets on untrusted interfaces, all interfaces are untrusted by default. Let’s see if this will work or not…I’ll configure the IP address of our host on our attacker:
ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#ip address 192.168.1.1 255.255.255.0
Now let’s see what happens when we try to send a ping from the attacker to our DHCP router:
ATTACK#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The ping is failing…what does our switch think of this?
SW1#
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:08 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/2, vlan 123.([0017.5aed.7af0/192.168.1.1/0000.0000.0000/192.168.1.254/01:20:10 UTC Tue Mar 2 1993])
Above you can see that all ARP requests from our attacker are dropped. The switch checks the information found in the ARP request and compares it with the information in the DHCP snooping database. Since it doesn’t match, these packets are discarded. You can find the number of dropped ARP packets with the following command:
SW1#show ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
123 Enabled Active
Vlan ACL Logging DHCP Logging Probe Logging
---- ----------- ------------ -------------
123 Deny Deny Off
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
123 0 5 5 0
Vlan DHCP Permits ACL Permits Probe Permits Source MAC Failures
---- ------------ ----------- ------------- -------------------
123 0 0 0 0
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
123 0 0 0
Above you see the number of drops increase. So far so good, our attacker has been stopped. We still have one problem though, let me first shut the interface on our attacker before we continue:
ATTACK(config)#interface FastEthernet 0/0
ATTACK(config-if)#shutdown
Let me show you what happens when we try to send a ping from the host to our DHCP router:
HOST#ping 192.168.1.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
This ping is failing but why? We are not spoofing anything…here’s what the switch tells us:
Hi rene, I don´t have a DHCP server. My users have Ip address static. Do I need configure ip arp inspection filter?
So I am on the final run getting ready for my CCNP Switch some areas I am weaker in was DHCP Snooping and DAI.
I created the following lab in CISCO VIRL Lab:
//cdn-forum.networklessons.com/uploads/default/original/1X/2f9a6838e03fade05064a85e5de5003bb680d647.JPG
EDITED:
I had three pages of information (lol) but decided to edit it out AS I was able to figure out everything by going back over your lesson and watching the video.
Writing on the forums really helps me to get things straight in my brain and also not feel alone when studying and stuck on something.
Thanks for the great lessons!
Hello florian
My apologies for not responding sooner!
Keep in mind that the Sender hardware address and the target hardware addresses found within the ARP packet are not the source and destination MAC addresses found in the Ethernet header. Now you are correct when you say that:
... Continue reading in our forumHello team,
I’ve noticed the tiniest typo in the text below. I think it means “like”.
https://cdn-forum.networklessons.com/uploads/default/original/2X/0/0822a66ed5ac7c3754b22181de9721cfb6dbe979.png
Hello Giovanni
It looks like the notebook is trying to obtain an IP address via DHCP, but it is unable to. The 169.254.7.64 address is a link local address that is given to a device that is configured to use DHCP, but cannot find a DHCP server. Microsoft uses this method for link local IPv4 address allocation. They call it Automatic Private IP Addressing (APIPA), and you can find out more about it here.
Having said that, it seems that the notebook is sending many DHCP requests. Based on the syslogs, it is this error that is causing the arp inspection error:
... Continue reading in our forum