Note

You may wish to review Address Resolution Protocol (ARP) and Gratuitous ARP for this subject.

Dynamic ARP Inspection (DAI) is a security feature of switches that is used to filter ARP messages received on untrusted ports. DAI only filters ARP messages. All other messages are unaffected.

In DAI, all ports are untrusted by default. As a rule of thumb, all ports connected to other network devices (switches, routers) should be trusted, while interfaces connected to end hosts should remain untrusted.

Info

You might have guessed already, but DAI is very similar to DHCP Snooping, except for ARP messages instead of DHCP messages.

DAI can be used to mitigate ARP Poisoning attacks.


Operations

DAI inspects the sender MAC and sender IP fields of ARP messages received on untrusted ports, and checks that there is a matching entry in the DHCP snooping binding table.

  • If there is a matching entry, the message is forwarded normally.
  • If there is not an entry in the binding table, the message is discarded.

Note

DAI does not inspect ARP messages received on trusted ports.

ARP ACLs can be manually configured to map IP addresses/MAC addresses for DAI to check. This is useful for hosts that don’t use DHCP, as such hosts won’t have entries in the DHCP snooping binding table.

DAI can also be configured to perform additional, optional checks for more in-depth scrutiny of messages.

Like DHCP snooping, DAI also supports Rate Limiting.


Rate Limiting

DAI rate limiting is somewhat different from DHCP Snooping’s implementation.

In DAI, rate limiting is enabled by default on untrusted interfaces, with a limit of 15 packets per second. It is disabled by default on trusted interfaces.

If ARP messages are received faster than the specified rate, the interface will be err-disabled. As usual, it can be manually reset, or automatically reset with Errdisable Recovery.

Burst Interval

You can configure rate limiting like normal (‘allow X packets per second’) or you can configure a burst interval (‘allow X packets per Y seconds’). This offers a bit more flexibility in configuring rate limiting.

(Rate Limit = X; Burst Interval = Y)


Optional Checks

There are three additional, optional checks that can be performed on inspected ARP packets:

  1. dst-mac: Destination MAC: Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body. If they mismatch then the packet is dropped. For ARP reply messages.
  2. ip: IP Address: Checks for invalid or unexpected IP addresses. These include 0.0.0.0, 255.255.255.255, and all multicast addresses. In ARP request messages the sender IP addresses are checked. In ARP reply messages the target IP addresses are checked.
  3. src-mac: Source MAC: Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. If they are mismatched the packet is dropped. For ARP request & reply messages.

ARP ACLs

ARP ACLs can be used in place of the DHCP snooping binding table to validate incoming ARP requests on untrusted interfaces. This is useful in the case of a host that does not support DHCP, or simply isn’t configured to use it. Such a host couldn’t possibly have an entry in the binding table, yet it still needs to be able to send and receive ARP messages.

ARP ACLs can be used to manually configure mappings for hosts that aren’t in the binding table. In theory, you could use ARP ACLs to map all hosts in a network, but this would be impractical in larger networks.
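The decision logic described under Operations, Optional Checks and ARP ACLs, as an added Python model (not code from the original notes or from Cisco IOS). It parses a raw Ethernet/ARP frame and returns the verdict DAI would reach; the binding table, ARP ACL and test frames are constructed sample data, and bindings are simplified to IP-only keys.

```python
import ipaddress
import struct

# Constructed sample data (not real): IP -> MAC entries from the DHCP snooping
# binding table, plus an ARP ACL entry for a host that does not use DHCP.
BINDING_TABLE = {"10.0.0.11": "00:11:22:33:44:55"}
ARP_ACL = {"10.0.0.250": "aa:bb:cc:dd:ee:01"}

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)
def _bad_ip(ip):
    """Addresses rejected by the optional 'ip' check."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast
def parse_arp_frame(frame):
    """Parse an Ethernet II frame; return None unless its EtherType is ARP (0x0806)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return None
    # ARP body: htype/ptype/hlen/plen occupy bytes 14-19, then op, sha, spa, tha, tpa
    op, sha, spa, tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    return {"dst_mac": _mac(dst_mac), "src_mac": _mac(src_mac), "op": op,
            "sender_mac": _mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": _mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}

def inspect(frame, trusted=False, validate=()):
    """DAI verdict for one frame: 'forward' or 'drop: <reason>'.
    Simplified: bindings are keyed on IP only (real DAI also matches VLAN and port)."""
    if trusted:                        # trusted ports are not inspected
        return "forward"
    arp = parse_arp_frame(frame)
    if arp is None:                    # DAI only filters ARP; other traffic passes
        return "forward"
    expected = BINDING_TABLE.get(arp["sender_ip"]) or ARP_ACL.get(arp["sender_ip"])
    if expected != arp["sender_mac"]:  # mandatory sender IP/MAC binding check
        return "drop: no matching binding for sender IP/MAC"
    if "src-mac" in validate and arp["src_mac"] != arp["sender_mac"]:
        return "drop: src-mac mismatch"
    if "dst-mac" in validate and arp["op"] == 2 and arp["dst_mac"] != arp["target_mac"]:
        return "drop: dst-mac mismatch"
    if "ip" in validate:               # request: sender IP; reply: target IP
        if _bad_ip(arp["sender_ip"] if arp["op"] == 1 else arp["target_ip"]):
            return "drop: invalid ip"
    return "forward"

def build_arp(dst_mac, src_mac, op, sha, spa, tha, tpa):
    """Build a constructed ARP frame (Ethernet II + ARP body) for trying the model out."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (struct.pack("!6s6sH", m(dst_mac), m(src_mac), 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(sha) + ip(spa) + m(tha) + ip(tpa))
```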


Verification

  • show ip arp inspection interfaces
    • Lists all interfaces, ‘trust’ state, rate limit, and burst interval.
  • show ip arp inspection
    • Displays a summary of the DAI configuration & ARP traffic statistics.

Configuration

Cisco IOS

Note

While DHCP snooping must be enabled globally and on each VLAN, DAI only needs to be enabled on the VLANs.

  • (config)#ip arp inspection vlan vlan-number
    • Enable DAI on a VLAN
  • (config-if)#ip arp inspection trust
    • Configure an interface (or interfaces if using interface-range) as trusted.
    • Ports are untrusted by default. To make a trusted port untrusted again, simply prepend no to this command.

Optional Check Configuration

  • (config)#ip arp inspection validate [dst-mac, ip, src-mac]
    • Add optional checks to be performed on inspected packets.
    • Entering this command overwrites previous entries of it; you can’t enable each option piecemeal. To enable all the options enter them all in the same command (e.g. ... validate ip src-mac dst-mac).

Rate Limit Configuration

  • (config-if)#ip arp inspection limit rate packet-limit [burst interval seconds]
    • Configured per interface. Burst interval is optional; it defaults to 1 if not specified.
  • (config)#errdisable recovery cause arp-inspection
    • Configure automatic re-enabling of interfaces that DAI has err-disabled.

ARP ACL Configuration

  • (config)#arp access-list arp-acl-name
    • Create an ARP ACL and enter arp-acl configuration mode.
  • (config-arp-nacl)#permit ip host ip-address mac host mac-address
    • Add an IP/MAC address binding to the ACL.
  • (config)#ip arp inspection filter arp-acl-name vlan vlan-number
    • Assign an ARP ACL to be used by the switch.