Dynamic ARP Inspection (DAI)
By daxm
As mentioned in my previous post, here are my notes on DAI.
To enable DAI, all that is needed is one command: (config)#ip arp inspection vlan <num>. HOWEVER, there is so much behind this simple command that it is scary.
Unless additional parameters are configured, DAI uses the DHCP snooping bindings table to know which IP-to-MAC-to-Interface mappings are permitted. Here is a copy of the DHCP snooping table on my home switch:
daxm-home-switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1E:90:EC:61:7A   192.168.1.39     2747        dhcp-snooping  1     FastEthernet1/0/1
00:22:68:15:74:1E   192.168.1.18     3528        dhcp-snooping  1     FastEthernet1/0/4
00:50:56:00:00:01   192.168.1.34     3003        dhcp-snooping  1     FastEthernet1/0/1
Total number of bindings: 3
daxm-home-switch#
What this shows is that 3 devices on my network have requested an IP address from the DHCP server and the snooping process noted the return DHCPOFFER. With the source interface of the request, the MAC of the requestor, and the IP from the offer, the switch was able to build this table. So, if DAI uses this table to allow/deny traffic, what does DAI think is going on in my network? DAI thinks that only 3 devices exist on my network (2 of them on f1/0/1 and 1 on f1/0/4). However, take a look at my show mac address-table dynamic output:
daxm-home-switch#show mac address-table dynamic
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001c.c0e4.076b    DYNAMIC     Fa1/0/2
   1    001e.7ac5.4658    DYNAMIC     Fa1/0/6
   1    001e.90ec.617a    DYNAMIC     Fa1/0/1
   1    0021.5a07.3295    DYNAMIC     Fa1/0/3
   1    0022.6815.741e    DYNAMIC     Fa1/0/4
   1    0022.9059.518f    DYNAMIC     Fa1/0/2
   1    0040.d013.c348    DYNAMIC     Fa1/0/24
Total Mac Addresses for this criterion: 7
daxm-home-switch#
I’ve got several devices on this switch! These “other devices” most likely don’t exist in the DHCP snooping bindings table because they have static IP assignments (like my printer and file server).
One way around DAI’s dependence on the DHCP snooping bindings table is to set an interface to the trusted state. All interfaces are untrusted by DAI by default. Setting an interface to trusted causes DAI to “allow all” ARP traffic on it without inspection. Use the (config-if)#ip arp inspection trust command to set an interface to the trusted state.
Alas, I don’t want to configure the ports connecting to my file server and printer as trusted ports, though, because they might get unplugged and moved to a different port (or what if a “hacker” unplugged my printer and tried to ARP poison my switch!). I don’t like this option, but the only other way I know to deal with IP-to-MAC mappings for DAI is to create an ARP ACL and associate that ACL with the arp inspection process.
I know that my printer is 192.168.1.250 and my file server is 192.168.1.252. From my switch I ping those IPs to ensure that they are up and that their MAC addresses are known by the switch. Using show ip arp I get the following:
daxm-home-switch#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.39 0 001e.90ec.617a ARPA Vlan1
Internet 192.168.1.1 0 0022.9059.518f ARPA Vlan1
Internet 192.168.1.251 - 0022.56f9.6440 ARPA Vlan1
Internet 192.168.1.250 0 0021.5a07.3295 ARPA Vlan1
Internet 192.168.1.252 0 0040.d013.c348 ARPA Vlan1
daxm-home-switch#
Using this information I can now create my ARP ACL:
(config)#arp access-list StaticIPs
(config-arp-nacl)#permit ip host 192.168.1.252 mac host 0040.d013.c348
(config-arp-nacl)#permit ip host 192.168.1.250 mac host 0021.5a07.3295
Finally, I need to associate it with the DAI inspection process:
(config)#ip arp inspection filter StaticIPs vlan 1 (1 is my VLAN)
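To make the order of checks behind that one filter command concrete, here is an added model of the DAI forwarding decision for a single ARP packet. This is example code written for these notes, not anything from the switch or from Cisco: the trusted port, bindings and ACL are typed in from the show output above, and the decision order (trust state first, then the ARP ACL, then the DHCP snooping bindings) follows the behaviour described in this post. The ArpPacket class, the dai_decision function, the static_acl flag (the optional static keyword on the filter command) and the validate_src_mac flag (the optional validate src-mac check, shown Disabled in the verification output) are names chosen here, and the bindings check includes the ingress interface because the post describes the bindings as IP-to-MAC-to-Interface mappings.

```python
"""Model of the DAI forwarding decision for one ARP packet.

Constructed example: the tables below are typed in from the post's show output
(VLAN 1, home switch); the check order follows the DAI behaviour the post describes.
"""
from dataclasses import dataclass

TRUSTED_PORTS = {"Fa1/0/2"}  # from 'show ip arp inspection interfaces'

# DHCP snooping bindings as (mac, ip, vlan, interface); MACs in Cisco dotted form
DHCP_BINDINGS = {
    ("001e.90ec.617a", "192.168.1.39", 1, "Fa1/0/1"),
    ("0022.6815.741e", "192.168.1.18", 1, "Fa1/0/4"),
    ("0050.5600.0001", "192.168.1.34", 1, "Fa1/0/1"),
}

# 'arp access-list StaticIPs' as ordered (action, ip, mac) entries; "any" is a wildcard
ARP_ACL = [
    ("permit", "192.168.1.252", "0040.d013.c348"),
    ("permit", "192.168.1.250", "0021.5a07.3295"),
]


@dataclass(frozen=True)
class ArpPacket:
    interface: str   # ingress port
    vlan: int
    sender_ip: str   # ARP sender protocol address
    sender_mac: str  # ARP sender hardware address
    eth_src: str     # Ethernet source MAC of the frame carrying the ARP


def dai_decision(pkt, trusted=TRUSTED_PORTS, acl=ARP_ACL, bindings=DHCP_BINDINGS,
                 static_acl=False, validate_src_mac=False):
    """Return (verdict, counter); counter names a column of 'show ip arp inspection'."""
    # Trusted ports bypass inspection entirely (the "allow all" the post mentions)
    if pkt.interface in trusted:
        return "forward", "not inspected"
    # Optional 'ip arp inspection validate src-mac' (Disabled in the post's output)
    if validate_src_mac and pkt.eth_src != pkt.sender_mac:
        return "drop", "Source MAC Failures"
    # The ARP ACL is consulted before the bindings table; first match wins
    for action, ip, mac in acl:
        if ip in ("any", pkt.sender_ip) and mac in ("any", pkt.sender_mac):
            return ("forward", "ACL Permits") if action == "permit" else ("drop", "ACL Drops")
    # With the 'static' keyword the ACL's implicit deny is final; bindings are not consulted
    if static_acl:
        return "drop", "ACL Drops"
    # Otherwise fall through to the IP-to-MAC-to-interface bindings learned by DHCP snooping
    if (pkt.sender_mac, pkt.sender_ip, pkt.vlan, pkt.interface) in bindings:
        return "forward", "DHCP Permits"
    return "drop", "DHCP Drops"


if __name__ == "__main__":
    samples = [
        ArpPacket("Fa1/0/1", 1, "192.168.1.39", "001e.90ec.617a", "001e.90ec.617a"),   # DHCP client
        ArpPacket("Fa1/0/3", 1, "192.168.1.250", "0021.5a07.3295", "0021.5a07.3295"),  # printer
        ArpPacket("Fa1/0/5", 1, "192.168.1.250", "0021.5a07.3295", "0021.5a07.3295"),  # printer moved
        ArpPacket("Fa1/0/6", 1, "192.168.1.250", "001e.7ac5.4658", "001e.7ac5.4658"),  # other host claiming .250
    ]
    for p in samples:
        print(p.interface, p.sender_ip, p.sender_mac, "->", dai_decision(p))
```

Two things the model makes visible that the CLI does not: an ARP ACL entry carries no interface, so the printer keeps working if it is moved to another untrusted port (exactly the property the post wants), whereas a DHCP client moved to a different port fails the bindings check until the switch learns a new lease for it; and a host on an untrusted port claiming the printer's IP with its own MAC matches neither the ACL nor the bindings and is counted under DHCP Drops.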
######################################################################
Some good verification commands:
show ip arp inspection interfaces
daxm-home-switch#show ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
————— ———– ———- ————–
Fa1/0/1 Untrusted 15 1
Fa1/0/2 Trusted None N/A
Fa1/0/3 Untrusted 15 1
Fa1/0/4 Untrusted 15 1
Fa1/0/5 Untrusted 15 1
Fa1/0/6 Untrusted 15 1
Fa1/0/7 Untrusted 15 1…
show ip arp inspection
daxm-home-switch#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    1     Enabled          Active      StaticIPs          No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    1     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1             56              0              0              0

 Vlan   DHCP Permits    ACL Permits   Probe Permits   Source MAC Failures
 ----   ------------    -----------   -------------   -------------------
    1              4              4               0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    1                   0                        0                       0
daxm-home-switch#
show ip dhcp snooping binding
daxm-home-switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:1E:90:EC:61:7A   192.168.1.39     2649        dhcp-snooping  1     FastEthernet1/0/1
00:22:68:15:74:1E   192.168.1.18     1820        dhcp-snooping  1     FastEthernet1/0/4
00:50:56:00:00:01   192.168.1.34     2979        dhcp-snooping  1     FastEthernet1/0/1
Total number of bindings: 3
show ip arp
daxm-home-switch#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.1.39 15 001e.90ec.617a ARPA Vlan1
Internet 192.168.1.1 0 0022.9059.518f ARPA Vlan1
Internet 192.168.1.251 - 0022.56f9.6440 ARPA Vlan1
Internet 192.168.1.250 8 0021.5a07.3295 ARPA Vlan1
Internet 192.168.1.252 12 0040.d013.c348 ARPA Vlan1
This is all well and good but if/when I add additional devices on my network, which may have static IPs, I then have to update my ARP ACL. Yucky.
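The ACL maintenance chore can at least be scripted from the same three show commands used above. The following is an added example for these notes (not a tool from the post or from Cisco): it parses copies of the show ip dhcp snooping binding, show ip arp and show mac address-table dynamic output, normalises the two MAC formats the switch prints (colon-separated upper case in the bindings table, Cisco dotted form elsewhere), and emits a permit line for every IP-to-MAC pair in the ARP cache that DAI would not already accept, skipping the switch's own addresses (Age "-") and MACs learned on a trusted port. The sample outputs are constructed copies of the post's tables, and the function names are chosen here.

```python
"""Generate ARP ACL entries for hosts the DHCP snooping table does not cover.

Constructed example: the three strings below are copies of the post's show output,
trimmed to the columns the parsers use.
"""
import re

SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
00:1E:90:EC:61:7A   192.168.1.39     2649        dhcp-snooping  1     FastEthernet1/0/1
00:22:68:15:74:1E   192.168.1.18     1820        dhcp-snooping  1     FastEthernet1/0/4
00:50:56:00:00:01   192.168.1.34     2979        dhcp-snooping  1     FastEthernet1/0/1
Total number of bindings: 3
"""

SHOW_IP_ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.1.39            15   001e.90ec.617a  ARPA   Vlan1
Internet  192.168.1.1              0   0022.9059.518f  ARPA   Vlan1
Internet  192.168.1.251            -   0022.56f9.6440  ARPA   Vlan1
Internet  192.168.1.250            8   0021.5a07.3295  ARPA   Vlan1
Internet  192.168.1.252           12   0040.d013.c348  ARPA   Vlan1
"""

MAC_TABLE_OUTPUT = """\
Vlan    Mac Address       Type        Ports
   1    001c.c0e4.076b    DYNAMIC     Fa1/0/2
   1    001e.7ac5.4658    DYNAMIC     Fa1/0/6
   1    001e.90ec.617a    DYNAMIC     Fa1/0/1
   1    0021.5a07.3295    DYNAMIC     Fa1/0/3
   1    0022.6815.741e    DYNAMIC     Fa1/0/4
   1    0022.9059.518f    DYNAMIC     Fa1/0/2
   1    0040.d013.c348    DYNAMIC     Fa1/0/24
"""

TRUSTED_PORTS = {"Fa1/0/2"}  # from 'show ip arp inspection interfaces' in the post


def normalize_mac(mac):
    """Return a MAC in Cisco dotted form (xxxx.xxxx.xxxx), lower case, from any separator style."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_snooping_bindings(text):
    """Return {mac: ip} for each dhcp-snooping binding line."""
    out = {}
    for line in text.splitlines():
        if "dhcp-snooping" in line:
            mac, ip = line.split()[:2]
            out[normalize_mac(mac)] = ip
    return out


def parse_show_ip_arp(text):
    """Return {ip: mac} for learned ARP entries, skipping the switch's own addresses (Age '-')."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "Internet" and fields[2] != "-":
            out[fields[1]] = normalize_mac(fields[3])
    return out


def parse_mac_table(text):
    """Return {mac: port} from 'show mac address-table dynamic'."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] == "DYNAMIC":
            out[normalize_mac(fields[1])] = fields[3]
    return out


def hosts_needing_acl(arp, bindings, mac_table, trusted):
    """IP->MAC pairs in the ARP cache that DAI would drop: no binding, and not on a trusted port."""
    return {ip: mac for ip, mac in arp.items()
            if bindings.get(mac) != ip and mac_table.get(mac) not in trusted}


def build_arp_acl(name, hosts):
    """Render the ACL as IOS configuration lines, one permit per host, ordered by IP."""
    by_ip = sorted(hosts, key=lambda a: tuple(int(o) for o in a.split(".")))
    return [f"arp access-list {name}"] + [f" permit ip host {ip} mac host {hosts[ip]}" for ip in by_ip]


def generate_static_acl(name="StaticIPs"):
    hosts = hosts_needing_acl(parse_show_ip_arp(SHOW_IP_ARP_OUTPUT),
                              parse_snooping_bindings(SNOOPING_BINDING_OUTPUT),
                              parse_mac_table(MAC_TABLE_OUTPUT), TRUSTED_PORTS)
    return build_arp_acl(name, hosts)


if __name__ == "__main__":
    print("\n".join(generate_static_acl()))
```

On the post's tables this reproduces the two permit lines configured above and nothing else: 192.168.1.39 is already in the bindings table, 192.168.1.1 was learned on the trusted port Fa1/0/2, and 192.168.1.251 is the switch itself. The ARP cache only holds hosts the switch has recently exchanged traffic with (hence the pings in the post), and anything present in it at generation time gets allow-listed, so the output is a starting point to review before pasting it into the configuration, not something to apply blindly.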
Here is a good cisco.com reference to DAI: http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swdynarp.pdf
January 31st, 2010
Hemant
April 11th, 2011
Very nice article. It will surely clear any doubts anyone may have about ARP Inspection.