[Figure: Untrusted interfaces undergo DAI validation. Labels shown: Rogue DHCP Attacker, DHCP Server, DHCP Server.]

To prevent ARP spoofing or "poisoning," a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP packet is checked for a valid MAC-address-to-IP-address binding before it is forwarded, so only packets with legitimate bindings can reach a host and update its ARP cache. ARP packets whose bindings do not match are dropped.

DAI determines the validity of an ARP packet based on a valid MAC-address-to-IP-address bindings database built by DHCP snooping. In addition, to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.

To ensure that only valid ARP requests and responses are relayed, DAI takes these actions:

■ Forwards ARP packets received on a trusted interface without any checks

■ Intercepts all ARP packets on untrusted ports

■ Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache

■ Drops, logs, or drops and logs ARP packets with invalid IP-to-MAC address bindings

Minimizing Service Loss and Data Theft in a Campus Network

Configure all access switch ports as untrusted and all switch ports connected to other switches as trusted. With this design, every ARP packet is validated once, at the access switch where the host attaches; packets that arrive from an upstream distribution or core switch over a trusted port have already been checked and bypass the security check, requiring no further validation. This holds only if every switch on the path enforces DAI: a trusted port must never lead to an end host or to a switch that does not perform the check, because nothing received on a trusted port is inspected.

DAI can also rate-limit incoming ARP packets on untrusted interfaces (by default 15 packets per second; trusted interfaces are not limited). When an interface exceeds its limit, it is placed in the errdisable state and stays there until an administrator re-enables it or an errdisable recovery timer restores it.

8-54 Building Cisco Multilayer Switched Networks (BCMSN) v3.0 © 2006 Cisco Systems, Inc.

This topic describes the commands that can be used to configure DAI.

Configuring DAI

Switch(config)#ip arp inspection vlan vlan-id[,vlan-id]

• Enables DAI on a VLAN or range of VLANs

Switch(config-if)#ip arp inspection trust

• Sets the interface as a trusted interface; ARP packets received on it are forwarded without DAI checks

Switch(config)#ip arp inspection validate {[src-mac] [dst-mac] [ip]}

• Configures DAI to drop ARP packets when the IP addresses are invalid, or when the MAC addresses in the ARP body do not match the addresses in the Ethernet header


DAI Commands

The table describes the commands used to configure DAI.

Switch(config)# ip arp inspection vlan vlan-id [,vlan-id]
    Enables DAI on a VLAN or range of VLANs. DAI is enabled per VLAN; interfaces in that VLAN are untrusted by default.

Switch(config-if)# ip arp inspection trust
    Sets the interface as a trusted interface. ARP packets received on it are forwarded without DAI checks, so use it only on uplinks to other switches that enforce DAI.

Switch(config)# ip arp inspection validate {[src-mac] [dst-mac] [ip]}
    Configures DAI to perform additional checks beyond the binding lookup and drop ARP packets that fail them: src-mac compares the sender MAC in the ARP body with the Ethernet source address (requests and responses); dst-mac compares the target MAC in the ARP body with the Ethernet destination address (responses); ip drops packets whose sender or target IP address is invalid, such as 0.0.0.0, 255.255.255.255, or an IP multicast address.

It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports connected to other switches as trusted.

This example of DAI implementation illustrates the configuration required on switch 2 with port FastEthernet 3/3 as the uplink port toward the DHCP server.
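The following is a complete configuration for the scenario described above, added here as an illustration; it is not the course's own example. It assumes the uplink toward the DHCP server is FastEthernet 3/3 (from the text) and, as assumptions chosen for the illustration, that the protected VLAN is 10, that the access ports are FastEthernet 3/1 and 3/2, that one host on that VLAN uses a static address (10.10.10.50 with MAC 0011.2233.4455) and is permitted through an ARP ACL named STATIC-HOSTS, and that a 15 pps rate limit with a 300-second errdisable recovery timer is acceptable.

```cisco
! Added example configuration for "switch 2" (not from the course material).
! Assumptions: VLAN 10, access ports Fa3/1-3/2, uplink Fa3/3, static host
! 10.10.10.50 / 0011.2233.4455, ARP ACL name STATIC-HOSTS.

! 1. DHCP snooping must run first: DAI validates against its binding table.
!    Enabling DAI on a VLAN with an empty binding table drops every host ARP
!    packet arriving on an untrusted port (unless an ARP ACL permits it).
ip dhcp snooping
ip dhcp snooping vlan 10

! 2. Enable DAI on the VLAN and add the header-consistency checks.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip

! 3. Hosts with static addresses never appear in the snooping table;
!    permit their exact IP-to-MAC binding explicitly (assumed values).
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
!
ip arp inspection filter STATIC-HOSTS vlan 10

! 4. Uplink toward the DHCP server: trusted for both features, otherwise
!    DHCP offers arriving here are dropped and no bindings are ever learned.
interface FastEthernet3/3
 description Uplink to distribution switch / DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust

! 5. Access ports stay untrusted (the default) and are rate-limited.
interface range FastEthernet3/1 - 2
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 15 burst interval 1

! 6. Return ports to service automatically after an ARP rate-limit violation.
errdisable recovery cause arp-inspection
errdisable recovery interval 300

! Verification
show ip arp inspection vlan 10
show ip arp inspection interfaces
show ip arp inspection statistics vlan 10
show ip dhcp snooping binding
```

After applying this, `show ip arp inspection interfaces` should list FastEthernet3/3 as Trusted with no rate limit and FastEthernet3/1-3/2 as Untrusted with a rate of 15 pps; `show ip dhcp snooping binding` should show an entry for each DHCP client on VLAN 10, and the DAI statistics counters for the VLAN should increment under "Dropped" only for hosts whose ARP sender binding is absent from both the snooping table and STATIC-HOSTS.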
