Cisco Dynamic ARP Inspection (DAI)¶
Overview¶
Within a Layer 2 broadcast domain, hosts can be vulnerable to MAC spoofing attacks as there is is no way to verify that indeed the host that replied to a ARP request is indeed to host who owns the required IP address.
Hosts will also accept a gratuitous ARP reply even when they have not requested this information leading to a compromise of the hosts ARP cache.
Cisco’s Dynamic ARP Inspection (DAI) feature can help prvent these types of attacks by ensuring only valid ARP requests and response are relayed. It does this by relying on an existing trusted database, either statically configured or via the DHCP snooping databae.
Hosts are considdered either trusted or untrusted. Commonly connections between other switches are trusted whereas those connected to host devices are untrusted. Trusted ports bypass the DAI security checks.
DAI should be enabled on all switches as if one switch does not have DAI enabled and is connected to a trusted port, even if the other switch has DAI enabled it will trust all the ARP/MAC information from the non-DAI switch.
DAI also can be used to prevent ARP DoS attacks by rate limiting the number of ARP packets that are incoming. By default the rate is 15 pps on untrusted interaces. If this rate is existed the port is put in an error disabled state and by default manual intervention is required to recover the port but error disable recovery can also be enabled to recover the port after a given period of time.
DAI can be combined with an ARP ACL to filter packets irrelevent of the DHCP snooping database. If a packet is denied by the ARP ACL is will be dropped irrespectivve of any entries in the DHCP snooping ddatabase.
Implementation¶
By default DAI is disable on all VLANS and all interfaces are configured as untrusted.
The default rate limiting of incoming ARP packets is 15pps on untrusted interfaces with a burst interval of 1 second. There is no rate limiting applied on trusted interfaces.
No additional validation checks are performed by default.
DAI only checks packets as they are incoming, nothing is checked for packets leaving an interface.
DHCP Snooping must be enabled prior to enabling DAI. If DHCP Snooping is not enabled or in non-DHCP environment, use ARP ACLS to permit or deny packets on a per-vlan basis.
Configuration Steps¶
- Enable DHCP Snooping (if required)
- Enable DAI on the VLAN(s)
- Configure the DAI interface trust state
- Applying ARP ACLs for DAI Filtering
- Configure ARP Packet Rate Limiting
- Enabling DAI error-disabled recovery
- Configure additional validation
- Configure DAI Logging
Enable DHCP Snooping
If DAI needs to be able to check the DHCP database, ensure the DHCP snooping is enabled on the same VLAN as DAI and also enabled globally on the switch.
Refer to the Cisco DHCP Snooping section for further information
Enable DAI on the VLAN(s)
DAI is enabled on a per-VLAN basis not globally as follows:
ip arp inspection vlan {vlan-id> | <vlan-range>}
Configure the DAI interface trust state
By default all interface are untrusted, for ports connected to other switches the ports should be configured as trusted.
interface <type/num>
ip arp inspection [trust | untrust]
Apply ARP ACL for DAI filtering
If you want to specifically deny/allow certain MAC Addresses irrespective of the DHCP Snooping database an ARP ACL can be used on a per VLAN basis.
ip arp inspecion filter <arp-acl-name> vlan {vlan-id> | <vlan-range>} [static]
If the static keyword is specified an explicit deny will be used meaning that any entries in the DHCP Snooping database will not be used. Without this the DHCP snooping database will be consulted to determine if a packet should be denied or not.
Configure ARP rate limiting
Configuring rate limiting can assist with prevenint ARP based denial of service attacks such as DoS and CAM table floooding. By default if more than 15 ARP packets are seen per second it will be seen as an attack and the port will be error disabled.
interface <type/num>
[no] ip arp inspection limit {rate <pps> [burst interval <seconds>] | none}
Using the no version of the command does not disable rate limiting, it simply returns it to the default rate-limiting value.
Enable DAI Error-Disabled Recovery
To ease the administrative burden of manually recovering ports due to DAI, the switch can be configured to automatically recover the port after a certain amount of time:
Enable additional validation
By default DAI will discard ARP packets with invalid IP-to-MAC address bindings. Additional verification can be enabled for:
- Destination MAC (Verifies the target MAC in Ethernet to target MAC in ARP)
- Sender/Target IP addresses (Checks for invalid/unexpect IPS, such as wildcard or broadcast)
- Source MAC (verifies source MAC in ethernet against sender MAC in ARP body for both requess and responds)
ip arp inspection validate {[dst-mac] [ip] [src-mac]}
DAI Logging
If a packet is dropped by DAI an entry is logged in the buffer which is rate-controlled. This entry will include the receiving VLAN, port number, source and destination IP an MAC details.
Because of the rate control, a single log entry may represent more than one packet. If many packets on the same VLAN with same ARP parameters, DAI combines this into a single log buffer entry.
The buffer size can be configured with:
ip arp inspection log-buffer entries <number>
The aggregation of events can be controlled through:
ip arp inspection log-buffer logs <num-of-msgs> interval <seconds>
For example, if the number of messages is set to 12 and the interval is set to 2 seconds, 12 messages will be logged every 2 seconds (assuming an event occurs).
The types of log entries can also be controlled as follows:
ip arp inspection vlan <vlan-range> logging {acl-match {matchlog | none} | dhcp-bindings {all | none | permit}}
Monitoring and Troubleshooting¶
The follow commands can be useful for troubleshooting and monitoring DAI:
! display the ARP ACLs
show arp access-list [<acl-name>]
! Displays the current DAI status and ACL configuration per vlan as well as any additional validations
show ip arp inspection vlan {vlan-id> | <vlan-range>}
! Displays the current trust stte, rate and burst interval of each interface
show ip arp inspection interfaces
! Disables the recovery status for the various causes
show errdisable recovery
! Displays the ARP inspection log
show ip arp inspecion log