Dynamic ARP Inspection (DAI)

By daxm

As mentioned in my previous post, here are my notes on DAI.

To enable DAI, all that is needed is one command: (config)#ip arp inspection vlan <num>. HOWEVER, there is so much behind this simple command that it is scary.

Unless additional parameters are configured, DAI uses the DHCP snooping bindings table to learn which IP-to-MAC-to-interface mappings are permitted. Here is a copy of the DHCP snooping table on my home switch:

daxm-home-switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1E:90:EC:61:7A   192.168.1.39     2747        dhcp-snooping   1     FastEthernet1/0/1
00:22:68:15:74:1E   192.168.1.18     3528        dhcp-snooping   1     FastEthernet1/0/4
00:50:56:00:00:01   192.168.1.34     3003        dhcp-snooping   1     FastEthernet1/0/1
Total number of bindings: 3

daxm-home-switch#

What this shows is that 3 devices on my network have requested an IP address from the DHCP server and the snooping process noted the returned DHCPOFFER. From the source interface of the request, the MAC of the requestor, and the IP from the offer, the switch was able to build this table. So, if DAI uses this table to allow or deny traffic, what does DAI think is going on in my network? DAI thinks that only 3 devices exist on my network (2 of them on f1/0/1 and 1 on f1/0/4). However, take a look at my show mac address-table dynamic output:

daxm-home-switch#show mac address-table dynamic
Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1    001c.c0e4.076b    DYNAMIC     Fa1/0/2
1    001e.7ac5.4658    DYNAMIC     Fa1/0/6
1    001e.90ec.617a    DYNAMIC     Fa1/0/1
1    0021.5a07.3295    DYNAMIC     Fa1/0/3
1    0022.6815.741e    DYNAMIC     Fa1/0/4
1    0022.9059.518f    DYNAMIC     Fa1/0/2
1    0040.d013.c348    DYNAMIC     Fa1/0/24
Total Mac Addresses for this criterion: 7
daxm-home-switch#

I’ve got several more devices on this switch! These “other devices” most likely don’t exist in the DHCP snooping bindings table because they have static IP assignments (like my printer and file server).

One way to circumvent DAI needing the DHCP snooping bindings table is to set an interface to a trusted state. All interfaces, by default, are untrusted by DAI. Setting an interface to trusted causes DAI to allow all ARP traffic on that interface without inspecting it. Use the (config-if)#ip arp inspection trust command to set an interface to the trusted state.

Alas, I don’t want to configure the ports connecting to my file server and printer as trusted ports, because those devices might get unplugged and moved to a different port (or what if a “hacker” unplugged my printer and tried to ARP poison my switch from that port!). I don’t like this option, but the only other way I know to deal with IP-to-MAC mappings for DAI is to create an ARP ACL and associate that ACL with the ARP inspection process.

I know that my printer is 192.168.1.250 and my file server is 192.168.1.252. From my switch I ping those IPs to ensure that they are up and that their MAC addresses are known to the switch. Using show ip arp I get the following:

daxm-home-switch#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.39            0   001e.90ec.617a  ARPA   Vlan1
Internet  192.168.1.1             0   0022.9059.518f  ARPA   Vlan1
Internet  192.168.1.251           -   0022.56f9.6440  ARPA   Vlan1
Internet  192.168.1.250           0   0021.5a07.3295  ARPA   Vlan1
Internet  192.168.1.252           0   0040.d013.c348  ARPA   Vlan1
daxm-home-switch#

Using this information I can now create my ARP ACL:

(config)#arp access-list StaticIPs
(config-arp-nacl)#permit ip host 192.168.1.252 mac host 0040.d013.c348
(config-arp-nacl)#permit ip host 192.168.1.250 mac host 0021.5a07.3295

Finally, I need to associate it with the DAI inspection process:

(config)#ip arp inspection filter StaticIPs vlan 1
(1 is my VLAN number.)
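The gap between the MAC address table and the DHCP snooping table, and the ARP ACL built from show ip arp above, can both be produced from the show output instead of by hand. The following script is an added example and is not code from the post or from Cisco; the sample outputs embedded in it are constructed from the tables shown in this post, and the trusted-port list assumes the show ip arp inspection interfaces output shown further down (Fa1/0/2 trusted). It reports every MAC learned on an untrusted port that has no DHCP snooping binding, resolves it to an IP through the ARP cache, and emits the arp access-list lines for the hosts it could resolve.

```python
"""Build a DAI ARP ACL for hosts that have no DHCP snooping binding.

Added example, not from the original post. Parses the text of
'show mac address-table dynamic', 'show ip dhcp snooping binding',
'show ip arp' and 'show ip arp inspection interfaces' and emits the
'arp access-list' lines the post writes by hand. All sample outputs
below are constructed from the post's own tables.
"""
import ipaddress
import re

MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001c.c0e4.076b    DYNAMIC     Fa1/0/2
   1    001e.7ac5.4658    DYNAMIC     Fa1/0/6
   1    001e.90ec.617a    DYNAMIC     Fa1/0/1
   1    0021.5a07.3295    DYNAMIC     Fa1/0/3
   1    0022.6815.741e    DYNAMIC     Fa1/0/4
   1    0022.9059.518f    DYNAMIC     Fa1/0/2
   1    0040.d013.c348    DYNAMIC     Fa1/0/24
Total Mac Addresses for this criterion: 7
"""

SNOOPING_BINDINGS = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1E:90:EC:61:7A   192.168.1.39     2747        dhcp-snooping   1     FastEthernet1/0/1
00:22:68:15:74:1E   192.168.1.18     3528        dhcp-snooping   1     FastEthernet1/0/4
00:50:56:00:00:01   192.168.1.34     3003        dhcp-snooping   1     FastEthernet1/0/1
Total number of bindings: 3
"""

IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.39            0   001e.90ec.617a  ARPA   Vlan1
Internet  192.168.1.1             0   0022.9059.518f  ARPA   Vlan1
Internet  192.168.1.251           -   0022.56f9.6440  ARPA   Vlan1
Internet  192.168.1.250           0   0021.5a07.3295  ARPA   Vlan1
Internet  192.168.1.252           0   0040.d013.c348  ARPA   Vlan1
"""

DAI_INTERFACES = """\
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Fa1/0/1          Untrusted               15                 1
Fa1/0/2          Trusted               None               N/A
Fa1/0/3          Untrusted               15                 1
"""

# Cisco prints MACs as 001e.90ec.617a in some tables and 00:1E:90:EC:61:7A in others.
MAC_RE = re.compile(r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}|(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits so both Cisco notations compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_mac_table(text):
    """mac -> port for every DYNAMIC row of 'show mac address-table dynamic'."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "DYNAMIC" and MAC_RE.fullmatch(parts[1]):
            table[normalize_mac(parts[1])] = parts[3]
    return table


def parse_snooping_bindings(text):
    """mac -> ip for every row of 'show ip dhcp snooping binding'."""
    bindings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and MAC_RE.fullmatch(parts[0]) and IPV4_RE.fullmatch(parts[1]):
            bindings[normalize_mac(parts[0])] = parts[1]
    return bindings


def parse_ip_arp(text):
    """mac -> ip from 'show ip arp'. Rows with Age '-' are the switch's own
    SVI addresses and are skipped: they never need a DAI permit."""
    arp = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "Internet" and parts[2] != "-":
            arp[normalize_mac(parts[3])] = parts[1]
    return arp


def parse_trusted_interfaces(text):
    """Set of ports DAI already trusts, from 'show ip arp inspection interfaces'."""
    return {p[0] for p in (l.split() for l in text.splitlines())
            if len(p) >= 2 and p[1] == "Trusted"}


def uncovered_hosts(mac_table, bindings, arp, trusted):
    """Hosts whose ARP DAI will drop: learned on an untrusted port but absent
    from the DHCP snooping table. Returns (mac, port, ip-or-None), sorted by MAC."""
    return [(mac, port, arp.get(mac))
            for mac, port in sorted(mac_table.items())
            if mac not in bindings and port not in trusted]


def arp_acl_lines(name, hosts):
    """ARP ACL config lines (sorted by IP) for every uncovered host with a known IP."""
    lines = ["arp access-list %s" % name]
    resolved = sorted((h for h in hosts if h[2]), key=lambda h: ipaddress.ip_address(h[2]))
    for mac, _port, ip in resolved:
        dotted = ".".join(mac[i:i + 4] for i in (0, 4, 8))
        lines.append(" permit ip host %s mac host %s" % (ip, dotted))
    return lines


if __name__ == "__main__":
    hosts = uncovered_hosts(parse_mac_table(MAC_TABLE),
                            parse_snooping_bindings(SNOOPING_BINDINGS),
                            parse_ip_arp(IP_ARP),
                            parse_trusted_interfaces(DAI_INTERFACES))
    print("\n".join(arp_acl_lines("StaticIPs", hosts)))
    for mac, port, ip in hosts:
        if ip is None:  # no ARP entry yet: ping it from the switch as the post does, then rerun
            print("! %s on %s has no ARP entry; cannot write a permit for it" % (mac, port))
```

Run against the post's tables it prints the two permit lines for the printer and the file server, and flags 001e.7ac5.4658 on Fa1/0/6 as unresolved, which is exactly the host a hand-built ACL would silently miss. The host on Fa1/0/2 (the gateway) is left out because that port is trusted and DAI does not inspect it.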

######################################################################

Some good verification commands:

show ip arp inspection interfaces

daxm-home-switch#show ip arp inspection interfaces

Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Fa1/0/1          Untrusted               15                 1
Fa1/0/2          Trusted               None               N/A
Fa1/0/3          Untrusted               15                 1
Fa1/0/4          Untrusted               15                 1
Fa1/0/5          Untrusted               15                 1
Fa1/0/6          Untrusted               15                 1
Fa1/0/7          Untrusted               15                 1

show ip arp inspection

daxm-home-switch#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan     Configuration    Operation   ACL Match          Static ACL
----     -------------    ---------   ---------          ----------
1     Enabled          Active      StaticIPs          No

Vlan     ACL Logging      DHCP Logging      Probe Logging
----     -----------      ------------      -------------
1     Deny             Deny              Off

Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
----      ---------        -------     ----------      ---------
1             56              0              0              0

Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
----   ------------    -----------  -------------   -------------------
1              4              4              0                     0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
----   -----------------   ----------------------   ---------------------
1                   0                        0                       0
daxm-home-switch#
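The counters in show ip arp inspection are the place DAI tells you it is dropping something, so they are worth polling rather than eyeballing once. The script below is an added example, not code from the post or from Cisco: it parses the per-VLAN statistics tables of this output into numbers and reports any drop or failure counter that grew between two polls. SNAPSHOT_1 is the output shown above; SNAPSHOT_2 is a constructed later poll in which three ARP packets were dropped by the ACL.

```python
"""Watch DAI counters for drops between two polls of 'show ip arp inspection'.

Added example, not from the original post. SNAPSHOT_1 is the post's own
output; SNAPSHOT_2 is a constructed later poll with three ACL drops.
"""
import re

SNAPSHOT_1 = """\
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan     Configuration    Operation   ACL Match          Static ACL
----     -------------    ---------   ---------          ----------
   1     Enabled          Active      StaticIPs          No

Vlan     ACL Logging      DHCP Logging      Probe Logging
----     -----------      ------------      -------------
   1     Deny             Deny              Off

Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
----      ---------        -------     ----------      ---------
   1             56              0              0              0

Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
----   ------------    -----------  -------------   -------------------
   1              4              4              0                     0

Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
----   -----------------   ----------------------   ---------------------
   1                   0                        0                       0
"""

# Constructed second poll: 35 more ARP packets forwarded, 3 dropped by the ACL.
SNAPSHOT_2 = re.sub(r"^(\s*1\s+)56(\s+)0(\s+)0(\s+)0\s*$",
                    r"\g<1>91\g<2>3\g<3>0\g<4>3", SNAPSHOT_1, flags=re.M)

# Every counter that means DAI refused a packet; any increase deserves a look.
DROP_COUNTERS = ("Dropped", "DHCP Drops", "ACL Drops", "Source MAC Failures",
                 "Dest MAC Failures", "IP Validation Failures", "Invalid Protocol Data")


def parse_validation(text):
    """'Source Mac Validation' and friends -> 'Enabled' or 'Disabled'."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^(\S.*?Validation)\s*:\s*(\w+)", text, re.M)}


def parse_counters(text):
    """vlan -> {counter name: int} from every 'Vlan ...' table in the output.

    Column names come from each header row (split on runs of two or more
    spaces, so multi-word names like 'ACL Drops' survive). Tables whose
    values are not all numeric (configuration, logging) are skipped."""
    counters = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("Vlan"):
            continue
        names = re.split(r"\s{2,}", line.strip())[1:]
        for row in lines[i + 2:]:  # i + 1 is the dashed separator line
            parts = row.split()
            if not parts or not parts[0].isdigit():
                break
            values = parts[1:]
            if len(values) == len(names) and all(v.isdigit() for v in values):
                counters.setdefault(int(parts[0]), {}).update(zip(names, map(int, values)))
    return counters


def drop_alerts(before, after):
    """One line per drop/failure counter that increased between two polls."""
    alerts = []
    for vlan, now in sorted(after.items()):
        then = before.get(vlan, {})
        for name in DROP_COUNTERS:
            delta = now.get(name, 0) - then.get(name, 0)
            if delta > 0:
                alerts.append("vlan %d: %s +%d (now %d)" % (vlan, name, delta, now[name]))
    return alerts


if __name__ == "__main__":
    for check, state in parse_validation(SNAPSHOT_1).items():
        print("%-30s %s" % (check, state))
    for alert in drop_alerts(parse_counters(SNAPSHOT_1), parse_counters(SNAPSHOT_2)):
        print(alert)
```

Between the two snapshots it reports "Dropped +3" and "ACL Drops +3" for VLAN 1; on a real switch the next step is the ACL Logging column (Deny here) and the log buffer to see which port the dropped ARP came from. The first three lines of the output also show that source MAC, destination MAC and IP validation are all disabled on this switch, so DAI is checking only the sender IP-to-MAC binding; the extra checks are switched on with ip arp inspection validate and would show up here as Enabled.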

show ip dhcp snooping binding

daxm-home-switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1E:90:EC:61:7A   192.168.1.39     2649        dhcp-snooping   1     FastEthernet1/0/1
00:22:68:15:74:1E   192.168.1.18     1820        dhcp-snooping   1     FastEthernet1/0/4
00:50:56:00:00:01   192.168.1.34     2979        dhcp-snooping   1     FastEthernet1/0/1
Total number of bindings: 3

show ip arp

daxm-home-switch#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.39           15   001e.90ec.617a  ARPA   Vlan1
Internet  192.168.1.1             0   0022.9059.518f  ARPA   Vlan1
Internet  192.168.1.251           -   0022.56f9.6440  ARPA   Vlan1
Internet  192.168.1.250           8   0021.5a07.3295  ARPA   Vlan1
Internet  192.168.1.252          12   0040.d013.c348  ARPA   Vlan1

This is all well and good, but if/when I add additional devices with static IPs to my network, I then have to update my ARP ACL. Yucky.

Here is a good cisco.com reference to DAI: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swdynarp.pdf




Comments


Hemant
April 11th, 2011

Very nice article. It will surely clear any doubts anyone may have about ARP Inspection.


website design vancouver
August 1st, 2012

“Wow, great blog.Really looking forward to read more.”
