ARP Inspection

Dynamic ARP Inspection

Picture 1 - Packet Tracer lab (Dynamic ARP Inspection)

Dynamic ARP Inspection

Dynamic ARP inspection (DAI) is a security feature available on switches that prevents ARP (Address Resolution Protocol) spoofing, also known as ARP poisoning. It is a defensive technique in which the switch monitors the ARP traffic on the network.

With this technique, a switch detects forged ARP information by comparing each incoming ARP message with the DHCP snooping binding table and with manually configured ARP ACLs. Only legitimate ARP requests and replies are forwarded by the switch.

Dynamic ARP inspection mitigates ARP spoofing and poisoning attacks, which can allow an attacker to redirect traffic and intercept or even alter sensitive information. ARP poisoning can also cause traffic misdirection or network outages.

ARP validation

The DHCP snooping binding table is a database maintained by the switch when the DHCP snooping feature is enabled. It contains the following elements: IP address, MAC address, VLAN, interface port, and lease time. DAI (Dynamic ARP Inspection) compares the fields of the ARP message to this table to verify the legitimacy of the message. This happens whenever an ARP request or reply is received on an untrusted port. The switch extracts the sender MAC and IP address from the ARP message and compares them against the DHCP snooping table or the ARP ACLs. If the sender information (IP address, MAC address, VLAN, and port) does not match, the ARP message is dropped. The same process is performed for ARP reply messages.
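To make the validation rule above concrete, here is an added example (not part of the original lab, and not Cisco code) that models the DAI decision for a single ARP packet in Python. The binding table, the ARP ACL entries, the trusted port list and the sample packets are all constructed values for this illustration; the optional source-MAC and IP checks correspond to the "Source Mac Validation" and "IP Address Validation" lines that `show ip arp inspection` reports, and the drop reasons mirror its counters.

```python
import struct
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding (lease time omitted for brevity)."""
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed DHCP snooping binding table, as DHCP snooping would have learned it.
BINDING_TABLE: List[Binding] = [
    Binding("00:11:22:33:44:55", "10.0.10.11", 10, "Gi0/3"),
    Binding("00:11:22:33:44:66", "10.0.20.12", 20, "Gi0/4"),
]

# Constructed ARP ACL: static (MAC, IP) pairs for hosts that never use DHCP,
# such as the router's gateway address.
ARP_ACL_PERMITS = {("00:aa:bb:cc:dd:01", "10.0.10.1")}

# Constructed: ports DAI does not inspect (the uplink towards the router).
TRUSTED_PORTS = {"Gi0/1"}

ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP payload (RFC 826 layout)."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return header + _mac_bytes(sha) + _ip_bytes(spa) + _mac_bytes(tha) + _ip_bytes(tpa)


def parse_arp(payload: bytes):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip); raise ValueError if malformed."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return (op, _fmt_mac(payload[8:14]), _fmt_ip(payload[14:18]),
            _fmt_mac(payload[18:24]), _fmt_ip(payload[24:28]))


def _invalid_ip(ip: str) -> bool:
    """Addresses that IP validation treats as invalid inside an ARP body."""
    first_octet = int(ip.split(".")[0])
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= first_octet <= 239


def inspect_arp(port: str, vlan: int, frame_src_mac: str, payload: bytes,
                validate_src_mac: bool = False, validate_ip: bool = False) -> str:
    """Decide what DAI does with one ARP packet: 'forward' or 'drop:<reason>'."""
    if port in TRUSTED_PORTS:
        return "forward"  # trusted ports bypass inspection entirely
    try:
        op, sha, spa, tha, tpa = parse_arp(payload)
    except ValueError:
        return "drop:invalid-protocol-data"
    if validate_src_mac and sha != frame_src_mac.lower():
        return "drop:source-mac-failure"  # Ethernet source != ARP sender MAC
    if validate_ip and (_invalid_ip(spa) or (op == ARP_REPLY and _invalid_ip(tpa))):
        return "drop:ip-validation-failure"
    if (sha, spa) in ARP_ACL_PERMITS:
        return "forward"  # counted as an ACL permit
    for b in BINDING_TABLE:
        if (b.mac, b.ip, b.vlan, b.port) == (sha, spa, vlan, port):
            return "forward"  # counted as a DHCP permit
    return "drop:dhcp-binding-mismatch"  # sender claims an IP/MAC it was not leased


if __name__ == "__main__":
    legit = build_arp(ARP_REQUEST, "00:11:22:33:44:55", "10.0.10.11",
                      "00:00:00:00:00:00", "10.0.10.1")
    print(inspect_arp("Gi0/3", 10, "00:11:22:33:44:55", legit))  # forward
    forged = build_arp(ARP_REPLY, "00:11:22:33:44:66", "10.0.10.1",
                       "00:11:22:33:44:55", "10.0.10.11")
    print(inspect_arp("Gi0/4", 20, "00:11:22:33:44:66", forged))  # drop:dhcp-binding-mismatch
```

The second packet is a constructed reply that claims the gateway's IP from a MAC the binding table never leased it to; that is exactly the mismatch the text describes, and on a real switch it would show up as a DHCP drop in the counters rather than being forwarded.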

ARP configuration

Let's go through a few ARP-related configurations to deploy these security features on a Cisco switch.

DHCP snooping must be enabled before dynamic ARP inspection. As we learned from the paragraphs above, dynamic ARP inspection does not work properly without DHCP snooping enabled: it needs the DHCP snooping binding table for the ARP comparison.

The script listed below shows the DHCP snooping configuration for all VLANs in the topology from picture 1. DHCP snooping has been enabled on switch 3. For more details on the DHCP snooping configuration, see my other lab: DHCP Snooping.

Sw-3(config)#ip dhcp snooping
Sw-3(config)#ip dhcp snooping vlan 10
Sw-3(config)#ip dhcp snooping vlan 20
Sw-3(config)#ip dhcp snooping vlan 30
Sw-3(config)#int g0/2
Sw-3(config-if)#ip dhcp snooping trust
Sw-3(config-if)#end

We are now ready to enable DAI (Dynamic ARP Inspection) on switch 3 to prevent ARP spoofing and ARP injection. The DAI configuration starts at the global level (per VLAN) and is completed on the selected trusted interface. In this case, interface G0/1 is the trunk carrying all three VLANs to router R-1 and is configured as trusted.

Sw-3#conf t
Sw-3(config)#ip arp inspection vlan 10
Sw-3(config)#ip arp inspection vlan 20
Sw-3(config)#ip arp inspection vlan 30
Sw-3(config)#int g0/1
Sw-3(config-if)#ip arp inspection trust
Sw-3(config-if)#end

DAI has now been configured on switch 3. The next step is to double-check that the DAI function is enabled on the switch, using the command show ip arp inspection.

A few more commands can be used to inspect DAI: show ip arp inspection statistics and show ip arp inspection interfaces.

Sw-3#show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
   20     Enabled          Active
   30     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off
   20     Deny             Deny              Off
   30     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10              0              0              0              0
   20              0              0              0              0
   30              0              0              0              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   10              0              0              0                     0
   20              0              0              0                     0
   30              0              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0
   20                   0                        0                       0
   30                   0                        0                       0
Sw-3#
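Checking this output by eye works for one switch; for a fleet it is worth scripting. The following added example (not part of the original lab) parses the `show ip arp inspection` text and reports VLANs where DAI is not enabled and active, plus any VLAN whose drop counters are non-zero. The sample input is the Sw-3 output above; the function names and the list of expected VLANs are my own choices for this illustration.

```python
import re
from typing import Dict, Iterable, List

# Output of 'show ip arp inspection' on Sw-3, copied from the lab output above.
SAMPLE_OUTPUT = """\
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
   20     Enabled          Active
   30     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   10     Deny             Deny              Off
   20     Deny             Deny              Off
   30     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10              0              0              0              0
   20              0              0              0              0
   30              0              0              0              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
   10              0              0              0                     0
   20              0              0              0                     0
   30              0              0              0                     0
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\S.*)$")            # a per-VLAN table row
VALIDATION_RE = re.compile(r"^(.*Validation)\s*:\s*(\S+)\s*$")  # the three flag lines


def parse_show_ip_arp_inspection(text: str) -> dict:
    """Parse the validation flags, the per-VLAN status table and the counter table."""
    parsed: Dict[str, dict] = {"validation": {}, "vlans": {}}
    table = None  # which 'Vlan ...' table the following rows belong to
    for line in text.splitlines():
        if line.lstrip().startswith("Vlan"):
            if "Configuration" in line:
                table = "status"
            elif "Forwarded" in line:
                table = "counters"
            else:
                table = None  # logging and failure-detail tables are skipped here
            continue
        m = VALIDATION_RE.match(line)
        if m:
            parsed["validation"][m.group(1).strip()] = m.group(2)
            continue
        m = ROW_RE.match(line)
        if not m or table is None:
            continue
        vlan, fields = int(m.group(1)), m.group(2).split()
        entry = parsed["vlans"].setdefault(vlan, {})
        if table == "status":
            entry["configuration"] = fields[0]
            entry["operation"] = fields[1] if len(fields) > 1 else ""
        else:
            forwarded, dropped, dhcp_drops, acl_drops = (int(x) for x in fields[:4])
            entry.update(forwarded=forwarded, dropped=dropped,
                         dhcp_drops=dhcp_drops, acl_drops=acl_drops)
    return parsed


def audit_dai(text: str, expected_vlans: Iterable[int]) -> List[str]:
    """Return findings: VLANs without active DAI and VLANs with non-zero drop counters."""
    parsed = parse_show_ip_arp_inspection(text)
    findings: List[str] = []
    for vlan in sorted(expected_vlans):
        entry = parsed["vlans"].get(vlan)
        if entry is None:
            findings.append(f"vlan {vlan}: DAI not configured")
            continue
        if entry.get("configuration") != "Enabled" or entry.get("operation") != "Active":
            findings.append(f"vlan {vlan}: configuration={entry.get('configuration')} "
                            f"operation={entry.get('operation')}")
        if entry.get("dropped", 0) > 0:
            findings.append(f"vlan {vlan}: {entry['dropped']} ARP packets dropped "
                            f"(dhcp={entry.get('dhcp_drops')}, acl={entry.get('acl_drops')})")
    return findings


if __name__ == "__main__":
    print(audit_dai(SAMPLE_OUTPUT, [10, 20, 30]) or "DAI active on all expected VLANs, no drops")
```

Non-zero DHCP drops on a VLAN are worth a look rather than an alarm on their own: they can mean a host with a static address that needs an ARP ACL entry just as easily as a spoofing attempt, and `show ip arp inspection statistics` narrows it down per VLAN.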

To complete this short lab, let's configure switch 2 with the same DAI feature. The command lines are exactly the same as those we have seen for switch 3: we start with the global command and finish with the configuration of the trusted interface.

Sw-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Sw-2(config)#ip arp inspection vlan 1
Sw-2(config)#int g0/1
Sw-2(config-if)#ip arp inspection trust
Sw-2(config-if)#end

Again, we should confirm the configuration on switch 2 with the "show" commands to check that the settings are as we expect.

Summary:

Dynamic ARP Inspection (DAI) is a security feature on switches designed to prevent ARP spoofing or poisoning attacks by monitoring ARP traffic within a network. This mechanism enables switches to detect fraudulent ARP information by cross-referencing incoming ARP messages against the DHCP snooping table and manually configured ARP Access Control Lists (ACLs), ensuring that only legitimate ARP requests and replies are forwarded. ARP spoofing or poisoning attacks can allow malicious actors to redirect, intercept, or alter sensitive information, leading to traffic misdirection or network outages. DAI mitigates these risks by validating ARP messages against the DHCP snooping binding table, which contains details such as IP address, MAC address, VLAN, interface port, and lease time. When an ARP request or reply is received on an untrusted port, the switch extracts the sender's MAC and IP addresses and compares them against the DHCP snooping table or ARP ACLs; if there's no match, the ARP message is dropped. To implement DAI on a Cisco switch, DHCP snooping must first be enabled, as DAI relies on the DHCP snooping table for ARP comparison. After configuring DHCP snooping for the relevant VLANs, DAI can be activated globally and on selected trusted interfaces. Verification of DAI functionality can be performed using commands like `show ip arp inspection`, `show ip arp inspection statistics`, and `show ip arp inspection interfaces`.