DAI - jibingl/CCNA-CCNP GitHub Wiki
Dynamic ARP Inspection
- Validates IP-to-MAC address bindings against a trusted database before forwarding an ARP packet.
- The trusted database is normally the DHCP snooping binding database.
- The DHCP snooping binding database is built when the DHCP snooping feature is enabled on the VLANs and on the switch.
- DAI inspects inbound packets only.
Protection
- ARP cache poisoning attacks
DAI in a DHCP Environment
As mentioned earlier, DAI relies on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings. Configure each secure interface as trusted using the ip arp inspection trust interface configuration command; trusted interfaces bypass the ARP inspection validation checks. Enable DAI on a per-VLAN basis with the ip arp inspection vlan [vlan-range] command from global configuration mode.
The example below shows how to configure an interface as trusted and how to enable DAI for VLANs 5 through 10.
Example: DAI in a DHCP Environment Configuration
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
Switch(config)# ip arp inspection vlan 5-10
DAI in a Non-DHCP Environment
In non-DHCP environments there is no DHCP snooping binding database, so DAI can instead validate ARP packets against a user-defined ARP ACL that maps hosts with statically configured IP addresses to their MAC addresses.
Use the arp access-list [acl-name] command from global configuration mode on the switch to define an ARP ACL, then apply the ARP ACL to the specified VLANs on the switch.
The example below shows how to configure an ARP ACL that permits ARP packets from host IP address 10.1.1.11 with MAC address 0011.0011.0011, and how to apply this ACL to VLAN 5 with the interface configured as untrusted.
Example: DAI in a Non-DHCP Environment Configuration
Switch(config)# arp access-list arpacl
Switch(config-arp-acl)# permit ip host 10.1.1.11 mac host 0011.0011.0011
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter arpacl vlan 5
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# no ip arp inspection trust
Rate Limiting Incoming ARP Packets
- Against an ARP flooding denial-of-service (DoS) attack.
- By default, 15 pps (packets per second) is allowed on untrusted interfaces.
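The following Python model is an added illustration of the DAI decision path described on this page (trusted-port bypass, DHCP snooping binding lookup, ARP ACL fallback for static hosts, and the 15 pps rate limit); it is not Cisco code. The binding table, the second host 10.1.1.10, the port names and the MAC addresses other than 0011.0011.0011 are constructed sample data.

```python
# Constructed model of Dynamic ARP Inspection; not Cisco IOS code.
from collections import defaultdict

ARP_RATE_LIMIT_PPS = 15          # IOS default on untrusted interfaces
TRUSTED_PORTS = {"Gi1/0/1"}      # configured with "ip arp inspection trust"

# DHCP snooping binding database, (vlan, ip) -> mac (constructed sample)
DHCP_BINDINGS = {(5, "10.1.1.10"): "0022.0022.0022"}
# ARP ACL "arpacl" applied to VLAN 5, covering the static host from the page
ARP_ACL = {(5, "10.1.1.11"): "0011.0011.0011"}

_pkt_counts = defaultdict(int)   # (port, second) -> inbound ARP packets seen


def expected_mac(vlan, sender_ip):
    """ARP ACL entries are consulted first; fall back to DHCP snooping bindings."""
    return ARP_ACL.get((vlan, sender_ip)) or DHCP_BINDINGS.get((vlan, sender_ip))


def inspect_arp(port, vlan, sender_ip, sender_mac, second):
    """Decide the fate of one inbound ARP packet (DAI never inspects egress).

    Returns "forward" or a string starting with "drop:".
    """
    if port in TRUSTED_PORTS:
        return "forward"                      # trusted ports bypass all checks
    _pkt_counts[(port, second)] += 1
    if _pkt_counts[(port, second)] > ARP_RATE_LIMIT_PPS:
        return "drop: rate limit"             # IOS would also err-disable the port
    want = expected_mac(vlan, sender_ip)
    if want is None:
        return "drop: no binding for sender IP"
    if want != sender_mac.lower():
        return "drop: IP-to-MAC mismatch (possible ARP poisoning)"
    return "forward"


if __name__ == "__main__":
    # Static host from the page's ARP ACL, arriving on the untrusted port
    print(inspect_arp("Gi1/0/2", 5, "10.1.1.11", "0011.0011.0011", 0))
    # Same IP claimed with a different MAC: the binding check rejects it
    print(inspect_arp("Gi1/0/2", 5, "10.1.1.11", "dead.beef.0001", 0))
```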
Reference
https://www.ciscopress.com/articles/article.asp?p=1181682&seqNum=8