Using Dynamic ARP Inspection in DHCP Environment

December 30th, 2009

Dynamic ARP Inspection (DAI) is a switch feature intended to defend against attacks that abuse the ARP protocol, for instance ARP spoofing, which lets an attacker intercept traffic between hosts located in the same broadcast domain.
Dynamic ARP Inspection inspects only ARP packets; it cannot directly affect user traffic or any other protocol.
For Dynamic ARP Inspection to work properly, you must specify which switch ports are trusted and which are untrusted.
Untrusted – ports connected to client hosts. ARP packets arriving on untrusted ports are always inspected.
Trusted – ports connected to other switches. Packets arriving on these ports are not inspected at all, so a host plugged into a trusted port can spoof freely; keep the set of trusted ports as small as possible.
Some specific features of DAI:
• Dynamic ARP inspection is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
• Dynamic ARP inspection is an ingress security feature; it does not perform any egress checking.
• Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.

Note: on the Catalyst 2960 (the platform of the Cisco guide linked below) Dynamic ARP Inspection became available in IOS release 12.2(50)SE.

How does it work?

The switch intercepts every ARP request and ARP reply arriving on an untrusted port and, before forwarding it, checks that the sender MAC address in the ARP body matches the sender IP address.
The check is made against the DHCP snooping binding database and against statically configured entries (ARP ACLs); a packet that matches no entry is dropped and counted in the DAI statistics, while packets arriving on trusted ports are forwarded without any check.
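The decision described above, modelled in Python as an added example (this is not code from the original post or from Cisco, and the class and function names are the example's own). It goes a little beyond the text: besides the binding lookup it also shows the trusted-port bypass, the optional src-mac and ip validation checks, and the default 15 packets-per-second rate limit that err-disables an untrusted port. The binding listing and the ARP packets are constructed for the example.

```python
"""Added example (not code from the original post or from Cisco): a model of
the decision DAI makes for one ARP packet in a DHCP-only VLAN. Bindings come
from a constructed 'show ip dhcp snooping binding' listing and ARP packets
are plain dicts; all names here are this example's own, not IOS commands."""
import ipaddress
from dataclasses import dataclass

# Constructed sample (not captured from a real switch); columns follow the
# IOS 'show ip dhcp snooping binding' layout.
SNOOPING_BINDING_OUTPUT = """\
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:11:22:33:44:55   10.10.0.101      86350       dhcp-snooping  1     FastEthernet0/3
00:11:22:33:44:66   10.10.0.102      86120       dhcp-snooping  1     FastEthernet0/4
Total number of bindings: 2
"""

def parse_bindings(text):
    """Return {(vlan, ip): mac} from the snooping binding listing."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[3] == "dhcp-snooping":
            mac, ip, _lease, _type, vlan, _intf = parts
            table[(int(vlan), ip)] = mac.lower()
    return table

@dataclass
class DaiConfig:
    trusted_ports: set
    validate_src_mac: bool = False   # 'ip arp inspection validate src-mac'
    validate_ip: bool = False        # 'ip arp inspection validate ip'
    rate_limit_pps: int = 15         # IOS default on untrusted ports

def make_arp(port, vlan, sender_mac, sender_ip, target_ip, op="reply", eth_src=None):
    """One ARP packet: the Ethernet source plus the ARP body fields DAI looks at."""
    return {"port": port, "vlan": vlan, "op": op,
            "eth_src": (eth_src or sender_mac).lower(),
            "sender_mac": sender_mac.lower(), "sender_ip": sender_ip,
            "target_ip": target_ip}

def _bogus_ip(ip):
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast

def dai_check(pkt, bindings, cfg):
    """Return 'forward' or a 'drop: ...' reason for a packet arriving on pkt['port']."""
    if pkt["port"] in cfg.trusted_ports:
        return "forward"                      # trusted ingress: no checks at all
    if cfg.validate_src_mac and pkt["eth_src"] != pkt["sender_mac"]:
        return "drop: src-mac mismatch"
    if cfg.validate_ip:
        # sender IP is checked in requests and replies, target IP only in replies
        ips = [pkt["sender_ip"]] + ([pkt["target_ip"]] if pkt["op"] == "reply" else [])
        if any(_bogus_ip(ip) for ip in ips):
            return "drop: invalid ip in arp body"
    # the core check: sender IP/MAC must match a binding learned in this VLAN
    if bindings.get((pkt["vlan"], pkt["sender_ip"])) != pkt["sender_mac"]:
        return "drop: no DHCP snooping binding for sender"
    return "forward"

class Dai:
    """Per-switch DAI state: err-disabled ports and the per-port ARP rate."""
    def __init__(self, bindings, cfg):
        self.bindings, self.cfg = bindings, cfg
        self.errdisabled = set()
        self._window = {}      # port -> [second, packets seen in that second]

    def handle(self, pkt, now):
        port = pkt["port"]
        if port in self.errdisabled:
            return "drop: port err-disabled"
        if port not in self.cfg.trusted_ports:
            sec = int(now)
            w = self._window.setdefault(port, [sec, 0])
            if w[0] != sec:
                w[0], w[1] = sec, 0
            w[1] += 1
            if w[1] > self.cfg.rate_limit_pps:
                self.errdisabled.add(port)     # IOS err-disables the port
                return "drop: rate limit exceeded, port err-disabled"
        return dai_check(pkt, self.bindings, self.cfg)

def run_demo():
    """Four situations from the text; returns {name: decision}."""
    cfg = DaiConfig(trusted_ports={"FastEthernet0/1", "FastEthernet0/2"}, validate_ip=True)
    dai = Dai(parse_bindings(SNOOPING_BINDING_OUTPUT), cfg)
    r = {}
    # legitimate reply from 10.10.0.101 on the port where it obtained its lease
    r["legit"] = dai.handle(make_arp("FastEthernet0/3", 1, "00:11:22:33:44:55",
                                     "10.10.0.101", "10.10.0.1"), 0.0)
    # host on Fa0/4 claims the DHCP server's address 10.10.0.1: no such binding
    r["spoof_untrusted"] = dai.handle(make_arp("FastEthernet0/4", 1, "00:11:22:33:44:66",
                                               "10.10.0.1", "10.10.0.101"), 0.0)
    # the same frame arriving on trusted Fa0/1 is forwarded without any check
    r["spoof_trusted"] = dai.handle(make_arp("FastEthernet0/1", 1, "00:11:22:33:44:66",
                                             "10.10.0.1", "10.10.0.101"), 0.0)
    # 16 valid requests inside one second exceed the 15 pps default: err-disable
    for i in range(16):
        r["flood"] = dai.handle(make_arp("FastEthernet0/4", 1, "00:11:22:33:44:66",
                                         "10.10.0.102", "10.10.0.1", op="request"), 5 + i / 100)
    return r
```

The third case is the one to remember: the spoofed reply is identical, only the ingress port differs, and on a trusted port DAI never looks at it. The fourth case shows why the default rate limit matters before DAI is rolled out on ports with chatty hosts.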
Let us consider the following topology:

Turn on DHCP snooping on both switches, SW1 and SW2.

Port Fa0/1 on SW2 and port Fa0/2 on SW1 are trusted (as is the port towards the DHCP server), because on an untrusted port DHCP snooping drops every message coming from a DHCP server (DHCPOFFER, DHCPACK, DHCPNAK) and, once DAI is enabled, every ARP packet that matches no binding.

First of all, configure DHCP snooping.

Configuring DHCP Snooping

Enable DHCP snooping globally on both switches:

SW1(config)#ip dhcp snooping

SW2(config)#ip dhcp snooping

Turn on DHCP snooping in the VLAN that has to be protected (repeat the same on SW2):

SW1(config)#ip dhcp snooping vlan 1

(Optional) You can configure the address of the authorized DHCP server, which must be reachable through a trusted port:

SW2(config)#ip dhcp-server 10.10.0.1

Configure the trusted ports (the command is an interface command, so the prompt changes to config-if):

SW1(config)#interface fastethernet0/1

SW1(config-if)#ip dhcp snooping trust

SW1(config)#interface fastethernet0/2

SW1(config-if)#ip dhcp snooping trust

SW2(config)#interface fastethernet0/1

SW2(config-if)#ip dhcp snooping trust

Configuring Option 82 (this is important)

By default DHCP snooping inserts the relay agent information option (option 82) into client DHCP packets while leaving giaddr at 0.0.0.0. A DHCP server or relay that does not trust such packets drops them (the Cisco IOS DHCP server does so by default), and an upstream switch running DHCP snooping drops packets carrying option 82 that arrive on its untrusted ports; the result is clients that never receive a lease. For our client hosts we therefore disable insertion of option 82 on both switches:

switch(config)#no ip dhcp snooping information option

Now check that DHCP snooping works.

Force a client computer to obtain a new lease (release and renew its address) and look for its entry in the DHCP snooping binding database

by using the command:

 SW2#show ip dhcp snooping binding

The entry must show the client's MAC and IP address, the VLAN and the untrusted port it is connected to; only such entries can later satisfy DAI. Keep in mind that the binding database lives in memory and is empty after a reload until the clients renew their leases; to survive reloads it can be written to flash or to a TFTP server with the ip dhcp snooping database command (see the Cisco guide).

Configuring Dynamic ARP Inspection

Turn on DAI in the VLAN (on both switches):

      SW1(config)# ip arp inspection vlan 1

Configure the trusted ports. DAI trust is configured separately from DHCP snooping trust, so the ports facing the DHCP server and the other switch must be marked trusted for DAI as well:

      SW1(config)#interface fastethernet0/1
      SW1(config-if)#ip arp inspection trust
      SW1(config)#interface fastethernet0/2
      SW1(config-if)#ip arp inspection trust
      SW2(config)#interface fastethernet0/1
      SW2(config-if)#ip arp inspection trust

Dynamic ARP inspection is an ingress security feature (it performs no egress checking), so the trust setting on a port decides only what happens to ARP packets arriving on that port. This is exactly why the link between the switches has to be trusted on both ends: the DHCP snooping binding database of SW2 contains only the clients that SW2 itself snooped on its untrusted ports, so ARP replies from hosts behind SW1, and from the DHCP server, would arrive on an untrusted Fa0/1 of SW2, match no binding and be dropped.

Two more things to know before enabling DAI in production:

• Untrusted ports are rate-limited to 15 ARP packets per second by default, and a port that exceeds the limit is put into err-disabled state; a single host running a network scanner can trigger this. Adjust the limit with ip arp inspection limit rate on the interface and consider errdisable recovery cause arp-inspection so that the port recovers on its own.
• Hosts with statically assigned addresses on untrusted ports have no DHCP snooping binding, so all of their ARP packets are dropped. Give them a static binding with ip source binding, or permit them with an ARP ACL (arp access-list, applied with ip arp inspection filter).

To check how ARP inspection works, use the following commands:

show ip arp inspection vlan 1 (DAI state, validation options and trusted ports per VLAN)
show ip arp inspection interfaces (trust state and rate limit of every port)
show ip arp inspection statistics vlan 1 (forwarded and dropped ARP packets per VLAN)

Dropped packets are also logged by default as %SW_DAI-4-DHCP_SNOOPING_DENY messages naming the port, the VLAN and the sender MAC/IP pair, which is the first place to look when a client loses connectivity right after DAI is enabled.
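The counters in show ip arp inspection statistics are cumulative, so what matters is how fast they grow between two looks. As an added example (not part of the original post or of the Cisco guide), the Python script below parses two constructed snapshots of that output and flags VLANs whose drop counters increased; the sample output is constructed to match the three-table layout of the command and the function names are the example's own.

```python
"""Added example (not from the original post): compare two snapshots of
'show ip arp inspection statistics' and flag VLANs whose drop counters grew.
The output below is constructed for this example, and the function names are
this example's own."""
import re

# Constructed snapshots (not captured from a real switch), taken a few
# minutes apart; the column layout follows the IOS command output.
SNAPSHOT_T0 = """\
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1           1015              2              2              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
    1           1015              0              0                     0

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    1                   0                        0                       0
"""

SNAPSHOT_T1 = """\
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
    1           1230             57             55              0

 Vlan   DHCP Permits    ACL Permits  Probe Permits   Source MAC Failures
 ----   ------------    -----------  -------------   -------------------
    1           1230              0              0                     2

 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
    1                   0                        0                       0
"""

DROP_COUNTERS = ("DHCP Drops", "ACL Drops", "Source MAC Failures",
                 "Dest MAC Failures", "IP Validation Failures",
                 "Invalid Protocol Data")

def parse_dai_stats(text):
    """Return {vlan: {counter_name: value}} from the three tables of the output."""
    stats, columns = {}, None
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if fields[0] == "Vlan":          # header row names the columns of the rows below it
            columns = fields[1:]
        elif columns and fields[0].isdigit():
            row = stats.setdefault(int(fields[0]), {})
            row.update(zip(columns, map(int, fields[1:])))
    return stats

def drop_delta(prev, curr):
    """Per-VLAN growth of each drop counter between two snapshots. The counters
    are cumulative (reset with 'clear ip arp inspection statistics'), so only
    the difference tells you what happened since the last look."""
    delta = {}
    for vlan, now in curr.items():
        before = prev.get(vlan, {})
        delta[vlan] = {c: now.get(c, 0) - before.get(c, 0)
                       for c in ("Dropped",) + DROP_COUNTERS}
    return delta

def alerts(prev, curr, threshold=10):
    """[(vlan, dropped_since_prev, {counter: growth})] for VLANs above threshold.
    In a DHCP-only VLAN 'DHCP Drops' means 'no binding matched': either an ARP
    spoofing attempt or a host with a static address and no binding."""
    out = []
    for vlan, d in drop_delta(prev, curr).items():
        if d["Dropped"] > threshold:
            out.append((vlan, d["Dropped"],
                        {c: v for c, v in d.items() if c != "Dropped" and v}))
    return out
```

Run against the two snapshots, alerts() reports VLAN 1 with 55 new drops, 53 of them binding mismatches and 2 source MAC failures; the breakdown tells you whether to look for a spoofing host or for a forgotten static-IP printer.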



Sources:

http://www.xgu.ru/wiki/DHCP_snooping

https://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_50_se/configuration/guide/swdynarp.html

Categories: Security Layer 2



http://www.ipstuff.net / Using Dynamic ARP Inspection in DHCP Environment