Dynamic ARP Inspection

Chapter 5, "Leveraging DHCP Weaknesses," explained that Layer 3 switches can inspect DHCP traffic to prevent attacks against the DHCP.

DHCP snooping also means that the switch now knows the <IP, MAC> mapping for all hosts using DHCP. With this correct mapping knowledge, the switch can inspect all ARP traffic and check whether the information inside the ARP replies is valid; if it's not, the switch simply drops the ARP packet. This technique is called Dynamic ARP Inspection (DAI).

NOTE DAI does not affect normal ARP traffic (normal ARP requests and replies and not faked gratuitous ARP). Only forged gratuitous ARP packets are dropped.

DAI in Cisco IOS

The DAI configuration in a Cisco IOS switch is straightforward. Let's first look at the learned <IP, MAC> mappings; this table is called the DHCP binding table. Example 6-4

shows the DHCP binding table (assuming that DHCP snooping was already configured, as Chapter 5 discusses).

Example 6-4 Content of a DHCP Binding Table shows the DHCP binding table (assuming that DHCP snooping was already configured, as Chapter 5 discusses).

Example 6-4 Content of a DHCP Binding Table

# sh ip dhcp snooping binding

MacAddress IpAddress





00:03:47:B5:9F:AD 00:03:47:c4:6f:83

193185 213454

dhcp dhcp

snooping snooping

4 4

FastEthernet3/18 FastEthermet3/21

Example 6-5 shows all the Cisco IOS configuration commands to turn on DAI.

Example 6-5 Enabling DAI in Cisco IOS

Switch(config)# ip arp inspection vlan 100 Switch(config)# interface Gi1/1 Switch(config-if)# ip arp inspection trust

The first line globally enables DAI on VLAN 100. Of course, multiple VLAN can be listed in the command.

If multiple switches are in VLAN 100, not all of them are able to learn the DHCP binding of hosts attached to another switch because they will not see the DHCP traffic. Therefore, DAI cannot be enabled on the uplinks. However, because the switches attached to the uplinks can usually be trusted (for example, they also run DAI), it is safe to assume that ARP packets coming from those uplinks can be trusted, which is the purpose of the last two lines in Example 6-5.

In the case of an ARP spoofing attack, Cicso IOS generates a log event:

1w2d: %SW_DAI-4-INVALID_ARP: 9 Invalid ARPs (Req) on Gi3/31, vlan 100.([0002.0002.0002/ UTC Fri Feb 4 2005])

The DAI also keeps a history of all violations, as Example 6-6 shows. Example 6-6 Event Log

SwitchB# show ip arp inspection log

Total Log Buffer Size : 1024

Syslog rate : 100 entries per 10 seconds.

Interface Vlan Sender MAC Sender IP Num Pkts Reason Time

Gi3/31 100 0002.0002.0002 5 DHCP Deny 02:30:24 UTC

Fri Feb 4 2005

In Example 6-7, the first line shows how to configure the violation log buffer to 1024 entries. The second line specifies that it takes 100 spoofed ARP replies to generate a log event every 10 seconds during an attack.

Example 6-7 Advanced DAI in Cisco IOS

SwitchB(config)# ip arp inspection log-buffer entries 1024 SwitchB(config)# ip arp inspection log-buffer logs 100 interval 10

SwitchB(config)# SwitchB(config)# interface Fa1/1

SwitchB(config-if)# ip arp inspection limit rate 100 burst interval 1

Because DAI is CPU intensive, there is a rate limit upon which ARP frames are forwarded to the switch's CPU; otherwise, the switch CPU might be overwhelmed with ARP traffic and might be unable to keep the Open Shortest Path First (OSPF) process running, which leads to severe routing stability issues.

This rate limiter is configured in the last two lines of Example 6-7. In this example, if the switch receives more than 100 ARP packets per second (pps) on interface FastEthernet 1/1, the port is err-disabled to protect the switch's CPU.

Which ARP Rate Threshold?

The rate limit must carefully be selected and must be larger than the peak ARP traffic in your network.

The extreme case for peak ARP traffic should be taken into account; this is a new server joins the LAN and all other hosts in the same LAN try to communicate with the new server (all within the same second). As each host generates an ARP request and receives an ARP reply; the rate limit should be twice the number of hosts in the LAN to allow the normal two ARP packets per host.

If some hosts are not using DHCP but have static IP addresses, they can also be protected by manually entering the <IP, MAC> binding:

SwitchB(config)# ip source binding 0000.0000.0001 vlan 100 interface fastethernet 3/1

Cisco IOS also supports verifying the validity of ARP traffic by checking whether the Ethernet header contains the same MAC addresses as the ARP payload.

DAI in CatOS

DAI is available in CatOS switches (for example, on Sup720 with PFC3A). Check the documentation on Cisco.com to see whether this mechanism is available on a specific platform.

Example 6-8 shows how DAI is globally configured and how port 2/2 is declared trusted (because it is an uplink to other switches in the same VLAN). DHCP snooping must be previously configured, obviously.

Example 6-8 DAI in CatOS

Console> (enable) set security acl arp-inspection dynamic enable 100

Dynamic ARP Inspection is enabled for vlan(s) 100. Console> (enable) set port arp-inspection 2/2 trust enable Port(s) 2/2 state set to trusted for ARP Inspection. Console> (enable) set security acl arp-inspection dynamic log enable

Dynamic ARP Inspection logging enabled.

Of course, CatOS can rate-limit per port the number of ARP packets a port sends to the CPU per minute:

Console> (enable) set port arp-inspection 3/1 drop-threshold 700 shutdown-threshold 800

Drop Threshold=700, Shutdown Threshold=800 set on port 3/1.

If the rate exceeds 700 pps, the ARP packets are simply dropped. If the rate exceeds 800, the port is shut down. This threshold must be tuned based on the baseline ARP traffic as well as on the switch CPU power (see the discussion when DAI in IOS was described previously).

CatOS can also rate-limit the total number of packets (including ARP, DHCP, and IEEE 802.1X) sent globally to the CPU:

Console> (enable) set security acl feature ratelimit 1000

Dot1x DHCP and ARP Inspection global rate limit set to 1000 pps

CatOS can also drop ARP packets with illegal content (such as an address or ffif.ffif.ffif as the legal MAC address of a host):

Console> (enable) set security acl arp-inspection address-validation enable drop

ARP Inspection address-validation feature enabled with drop option.

Was this article helpful?

0 0

Post a comment