Scribd
Upload
59 views

Configuring Dynamic ARP Inspection: Understanding DAI

The document discusses configuring Dynamic ARP Inspection (DAI) on Cisco Catalyst 6500 series switches. It describes DAI as a security feature that helps prevent ARP spoofing attacks by intercepting and validating ARP packets. The PFC3 supports DAI, while the PFC2 does not. The document provides an overview of ARP, ARP spoofing attacks, and how DAI protects against spoofing by intercepting and validating ARP packets using the DHCP snooping binding database before forwarding. It also describes interface trust states and the importance of proper trust configuration to avoid connectivity issues.

Uploaded by

nggianglx
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
59 views

Configuring Dynamic ARP Inspection: Understanding DAI

The document discusses configuring Dynamic ARP Inspection (DAI) on Cisco Catalyst 6500 series switches. It describes DAI as a security feature that helps prevent ARP spoofing attacks by intercepting and validating ARP packets. The PFC3 supports DAI, while the PFC2 does not. The document provides an overview of ARP, ARP spoofing attacks, and how DAI protects against spoofing by intercepting and validating ARP packets using the DHCP snooping binding database before forwarding. It also describes interface trust states and the importance of proper trust configuration to avoid connectivity issues.

Uploaded by

nggianglx
Copyright
© Attribution Non-Commercial (BY-NC)
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 22

C H A P T E R 38

Configuring Dynamic ARP Inspection

This chapter describes how to configure dynamic Address Resolution Protocol (ARP) inspection (DAI)
on the Catalyst 6500 series switch. The PFC3 supports DAI with Release 12.2(18)SXE and later
releases. The PFC2 does not support DAI.

Note For complete syntax and usage information for the commands used in this chapter, refer to the Cisco IOS
Master Command List, Release 12.2SX at this URL:
http://www.cisco.com/en/US/docs/ios/mcl/122sxmcl/12_2sx_mcl_book.html

This chapter consists of these sections:


• Understanding DAI, page 38-1
• Default DAI Configuration, page 38-5
• DAI Configuration Guidelines and Restrictions, page 38-5
• Configuring DAI, page 38-6
• DAI Configuration Samples, page 38-16

Understanding DAI
These sections describe how DAI helps prevent ARP spoofing attacks:
• Understanding ARP, page 38-1
• Understanding ARP Spoofing Attacks, page 38-2
• Understanding DAI and ARP Spoofing Attacks, page 38-2

Understanding ARP
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC
address. For example, Host B wants to send information to Host A but does not have the MAC address
of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast
domain to obtain the MAC address associated with the IP address of Host A. All hosts within the
broadcast domain receive the ARP request, and Host A responds with its MAC address.

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-1
Chapter 38 Configuring Dynamic ARP Inspection
Understanding DAI

Understanding ARP Spoofing Attacks


ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from
a host even if an ARP request was not received. After the attack, all traffic from the device under attack
flows through the attacker’s computer and then to the router, switch, or host.
An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by
poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for
other hosts on the subnet. Figure 38-1 shows an example of ARP cache poisoning.

Figure 38-1 ARP Cache Poisoning

A B
Host A Host B
(IA, MA) (IB, MB)
C

111750
Host C (man-in-the-middle)
(IC, MC)

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same
subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA
and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an
ARP request for the MAC address associated with IP address IB. When the switch and Host B receive
the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA
and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B
responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address
IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP
responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts
with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended
for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC
addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the
correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to
Host B, which is the topology of the classic man-in-the middle attack.

Understanding DAI and ARP Spoofing Attacks


DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP
packets with invalid IP-to-MAC address bindings. This capability protects the network from some
man-in-the-middle attacks.
DAI ensures that only valid ARP requests and responses are relayed. The switch performs these
activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before
updating the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-2 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
Understanding DAI

DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a
trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if
DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted
interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch
forwards the packet only if it is valid.
DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with
statically configured IP addresses (see “Applying ARP ACLs for DAI Filtering” section on page 38-8).
The switch logs dropped packets (see the “Logging of Dropped Packets” section on page 38-4).
You can configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when
the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet
header (see the “Enabling Additional Validation” section on page 38-11).

Interface Trust States and Network Security


DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces
bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation
process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted
and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets
entering the network from a given switch bypass the security check. No other validation is needed at any
other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection
trust interface configuration command.

Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be
trusted can result in a loss of connectivity.

In Figure 38-2, assume that both Switch A and Switch B are running DAI on the VLAN that includes
Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to
Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between
Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B.
Connectivity between Host 1 and Host 2 is lost.

Figure 38-2 ARP Packet Validation on a VLAN Enabled for DAI

DHCP server

A B
Port 6/3 Port 3/3
130194

Host 1 Host 2

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-3
Chapter 38 Configuring Dynamic ARP Inspection
Understanding DAI

Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the
network. If Switch A is not running DAI, Host 1 can easily poison the ARP cache of Switch B (and Host
2, if the link between the switches is configured as trusted). This condition can occur even though
Switch B is running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the
ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the
network from poisoning the caches of the hosts that are connected to a switch running DAI.
In cases in which some switches in a VLAN run DAI and other switches do not, configure the interfaces
connecting such switches as untrusted. However, to validate the bindings of packets from switches where
DAI is not configured, configure ARP ACLs on the switch running DAI. When you cannot determine
such bindings, isolate switches running DAI at Layer 3 from switches not running DAI. For
configuration information, see the “Sample Two: One Switch Supports DAI” section on page 38-20.

Note Depending on the setup of the DHCP server and the network, it might not be possible to validate a given
ARP packet on all switches in the VLAN.

Rate Limiting of ARP Packets


The switch performs DAI validation checks, which rate limits incoming ARP packets to prevent a
denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps).
Trusted interfaces are not rate limited. You can change this setting by using the ip arp inspection limit
interface configuration command.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the
error-disabled state. The port remains in that state until you intervene. You can use the errdisable
recovery global configuration command to enable error disable recovery so that ports automatically
emerge from this state after a specified timeout period.
For configuration information, see the “Configuring ARP Packet Rate Limiting” section on page 38-9.

Relative Priority of ARP ACLs and DHCP Snooping Entries


DAI uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs
only if you configure them by using the ip arp inspection filter global configuration command. The
switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP
packet, the switch also denies the packet even if a valid binding exists in the database populated by
DHCP snooping.

Logging of Dropped Packets


When the switch drops a packet, it places an entry in the log buffer and then generates system messages
on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer.
Each log entry contains flow information, such as the receiving VLAN, the port number, the source and
destination IP addresses, and the source and destination MAC addresses.

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-4 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
Default DAI Configuration

You use the ip arp inspection log-buffer global configuration command to configure the number of
entries in the buffer and the number of entries needed in the specified interval to generate system
messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging
global configuration command. For configuration information, see the “Configuring DAI Logging”
section on page 38-12.

Default DAI Configuration


Table 38-1 shows the default DAI configuration.

Table 38-1 Default DAI Configuration

Feature Default Setting


DAI Disabled on all VLANs.
Interface trust state All interfaces are untrusted.
Rate limit of incoming ARP packets The rate is 15 pps on untrusted interfaces, assuming that
the network is a Layer 2-switched network with a host
connecting to as many as 15 new hosts per second.
The rate is unlimited on all trusted interfaces.
The burst interval is 1 second.
ARP ACLs for non-DHCP environments No ARP ACLs are defined.
Validation checks No checks are performed.
Log buffer When DAI is enabled, all denied or dropped ARP
packets are logged.
The number of entries in the log is 32.
The number of system messages is limited to 5 per
second.
The logging-rate interval is 1 second.
Per-VLAN logging All denied or dropped ARP packets are logged.

DAI Configuration Guidelines and Restrictions


When configuring DAI, follow these guidelines and restrictions:
• DAI is an ingress security feature; it does not perform any egress checking.
• DAI is not effective for hosts connected to switches that do not support DAI or that do not have this
feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast
domain, separate the domain with DAI checks from the one with no checking. This action secures
the ARP caches of hosts in the domain enabled for DAI.
• DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address
bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to
permit ARP packets that have dynamically assigned IP addresses. For configuration information, see
Chapter 37, “Configuring DHCP Snooping.”

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-5
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

• When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to
deny packets.
• DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.
• A physical port can join an EtherChannel port channel only when the trust state of the physical port
and the channel port match. Otherwise, the physical port remains suspended in the port channel. A
port channel inherits its trust state from the first physical port that joins the channel. Consequently,
the trust state of the first physical port need not match the trust state of the channel.
Conversely, when you change the trust state on the port channel, the switch configures a new trust
state on all the physical ports that comprise the channel.
• The operating rate for the port channel is cumulative across all the physical ports within the channel.
For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces
combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on
EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel
members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming
ARP packets on the channel-port members.
The rate of incoming packets on a physical port is checked against the port-channel configuration
rather than the physical-ports configuration. The rate-limit configuration on a port channel is
independent of the configuration on its physical ports.
If the EtherChannel receives more ARP packets than the configured rate, the channel (including all
physical ports) is placed in the error-disabled state.
• Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with
higher rates to reflect their aggregation and to handle packets across multiple DAI-enabled VLANs.
You also can use the ip arp inspection limit none interface configuration command to make the rate
unlimited. A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs
when the software places the port in the error-disabled state.

Configuring DAI
These sections describe how to configure DAI:
• Enabling DAI on VLANs, page 38-7
• Configuring the DAI Interface Trust State, page 38-7
• Applying ARP ACLs for DAI Filtering, page 38-8
• Configuring ARP Packet Rate Limiting, page 38-9
• Enabling DAI Error-Disabled Recovery, page 38-10
• Enabling Additional Validation, page 38-11
• Configuring DAI Logging, page 38-12
• Displaying DAI Information, page 38-15

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-6 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

Enabling DAI on VLANs


To enable DAI on VLANs, perform this task:

Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
Step 2 Router(config)# ip arp inspection vlan {vlan_ID | Enables DAI on VLANs (disabled by default).
vlan_range}
Router(config)# no ip arp inspection vlan Disables DAI on VLANs.
{vlan_ID | vlan_range}
Step 3 Router(config-if)# do show ip arp inspection vlan Verifies the configuration.
{vlan_ID | vlan_range} | begin Vlan

You can enable DAI on a single VLAN or a range of VLANs:


• To enable a single VLAN, enter a single VLAN number.
• To enable a range of VLANs, enter a dash-separated pair of VLAN numbers.
• You can enter a comma-separated list of VLAN numbers and dash-separated pairs of VLAN
numbers.
This example shows how to enable DAI on VLANs 10 through 12:
Router# configure terminal
Router(config)# ip arp inspection vlan 10-12

This example shows another way to enable DAI on VLANs 10 through 12:
Router# configure terminal
Router(config)# ip arp inspection vlan 10,11,12

This example shows how to enable DAI on VLANs 10 through 12 and VLAN 15:
Router# configure terminal
Router(config)# ip arp inspection vlan 10-12,15

This example shows how to verify the configuration:


Router(config)# do show ip arp inspection vlan 10-12,15 | begin Vlan
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
10 Enabled Inactive
11 Enabled Inactive
12 Enabled Inactive
15 Enabled Inactive

Vlan ACL Logging DHCP Logging


---- ----------- ------------
10 Deny Deny
11 Deny Deny
12 Deny Deny
15 Deny Deny

Configuring the DAI Interface Trust State


The switch forwards ARP packets that it receives on a trusted interface, but does not check them.

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-7
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

On untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the
intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before
forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in
the log buffer according to the logging configuration specified with the ip arp inspection vlan logging
global configuration command. For more information, see the “Configuring DAI Logging” section on
page 38-12.
To configure the DAI interface trust state, perform this task:

Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
1
Step 2 Router(config)# interface {type slot/port | Specifies the interface connected to another switch, and
port-channel number} enter interface configuration mode.
Step 3 Router(config-if)# ip arp inspection trust Configures the connection between switches as trusted
(default: untrusted).
Router(config)# no ip arp inspection trust Configures the connection between switches as
untrusted.
Step 4 Router(config-if)# do show ip arp inspection Verifies the DAI configuration.
interfaces
1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

This example shows how to configure Fast Ethernet port 5/12 as trusted:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/12
Router(config-if)# ip arp inspection trust
Router(config-if)# do show ip arp inspection interfaces | include Int|--|5/12
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Fa5/12 Trusted None N/A

Applying ARP ACLs for DAI Filtering

Note See the Cisco IOS Master Command List, Release 12.2SX, for information about the arp access-list
command.

To apply an ARP ACL, perform this task:

Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
Step 2 Router# ip arp inspection filter arp_acl_name Applies the ARP ACL to a VLAN.
vlan {vlan_ID | vlan_range} [static]
Step 3 Router(config)# do show ip arp inspection vlan Verifies your entries.
{vlan_ID | vlan_range}

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-8 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

When applying ARP ACLs, note the following information:


• For vlan_range, you can specify a single VLAN or a range of VLANs:
– To specify a single VLAN, enter a single VLAN number.
– To specify a range of VLANs, enter a dash-separated pair of VLAN numbers.
– You can enter a comma-separated list of VLAN numbers and dash-separated pairs of VLAN
numbers.
• (Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop
packets that do not match any previous clauses in the ACL. DHCP bindings are not used.
If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the
packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not
match any clauses in the ACL.
• ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets
are permitted only if the access list permits them.
This example shows how to apply an ARP ACL named example_arp_acl to VLANs 10 through 12 and
VLAN 15:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection filter example_arp_acl vlan 10-12,15
Router(config)# do show ip arp inspection vlan 10-12,15 | begin Vlan
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
10 Enabled Inactive example_arp_acl No
11 Enabled Inactive example_arp_acl No
12 Enabled Inactive example_arp_acl No
15 Enabled Inactive example_arp_acl No

Vlan ACL Logging DHCP Logging


---- ----------- ------------
10 Deny Deny
11 Deny Deny
12 Deny Deny
15 Deny Deny

Configuring ARP Packet Rate Limiting


When DAI is enabled, the switch performs ARP packet validation checks, which makes the switch
vulnerable to an ARP-packet denial-of-service attack. ARP packet rate limiting can prevent an
ARP-packet denial-of-service attack.
To configure ARP packet rate limiting on a port, perform this task:

Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
Step 2 Router(config)# interface {type1 slot/port | Selects the interface to be configured.
port-channel number}
Step 3 Router(config-if)# ip arp inspection limit {rate (Optional) Configures ARP packet rate limiting.
pps [burst interval seconds] | none}
Router(config-if)# no ip arp inspection limit Clears the ARP packet rate-limiting configuration.
Step 4 Router(config-if)# do show ip arp inspection Verifies the configuration.
interfaces

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-9
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

1. type = ethernet, fastethernet, gigabitethernet, or tengigabitethernet

When configuring ARP packet rate limiting, note the following information:
• The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces.
• For rate pps, specify an upper limit for the number of incoming packets processed per second. The
range is 0 to 2048 pps.
• The rate none keywords specify that there is no upper limit for the rate of incoming ARP packets
that can be processed.
• (Optional) For burst interval seconds (default is 1), specify the consecutive interval, in seconds,
over which the interface is monitored for a high rate of ARP packets.The range is 1 to 15.
• When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in
the error-disabled state. The port remains in the error-disabled state until you enable error-disabled
recovery, which allows the port to emerge from the error-disabled state after a specified timeout
period.
• Unless you configure a rate-limiting value on an interface, changing the trust state of the interface
also changes its rate-limiting value to the default value for the configured trust state. After you
configure the rate-limiting value, the interface retains the rate-limiting value even when you change
its trust state. If you enter the no ip arp inspection limit interface configuration command, the
interface reverts to its default rate-limiting value.
• For configuration guidelines about limiting the rate of incoming ARP packets on trunk ports and
EtherChannel ports, see the “DAI Configuration Guidelines and Restrictions” section on page 38-5.
This example shows how to configure ARP packet rate limiting on Fast Ethernet port 5/14:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface fastethernet 5/14
Router(config-if)# ip arp inspection limit rate 20 burst interval 2
Router(config-if)# do show ip arp inspection interfaces | include Int|--|5/14
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Fa5/14 Untrusted 20 2

Enabling DAI Error-Disabled Recovery


To enable DAI error disabled recovery, perform this task:

Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
Step 2 Router(config)# errdisable recovery cause (Optional) Enables DAI error disabled recovery (disabled
arp-inspection by default).
Router(config-if)# no errdisable recovery cause Disables DAI error disabled recovery.
arp-inspection
Step 3 Router(config)# do show errdisable recovery | Verifies the configuration.
include Reason|---|arp-

This example shows how to enable DAI error disabled recovery:


Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-10 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

Router(config)# errdisable recovery cause arp-inspection


Router(config)# do show errdisable recovery | include Reason|---|arp-
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Enabled

Enabling Additional Validation


DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can
enable additional validation on the destination MAC address, the sender and target IP addresses, and the
source MAC address.
To enable additional validation, perform this task:

Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
Step 2 Router(config)# ip arp inspection validate (Optional) Enables additional validation (default is
{[dst-mac] [ip] [src-mac]} none).
Router(config)# no ip arp inspection validate Disables additional validation.
{[dst-mac] [ip] [src-mac]}
Step 3 Router(config)# do show ip arp inspection | Verifies the configuration.
include abled$

When enabling additional validation, note the following information:


• You must specify at least one of the keywords.
• Each ip arp inspection validate command overrides the configuration from any previous
commands. If an ip arp inspection validate command enables src and dst mac validations, and a
second ip arp inspection validate command enables IP validation only, the src and dst mac
validations are disabled as a result of the second command.
• These are the additional validations:
– dst-mac—Checks the destination MAC address in the Ethernet header against the target MAC
address in ARP body. This check is performed for ARP responses. When enabled, packets with
different MAC addresses are classified as invalid and are dropped.
– ip—Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0,
255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP
requests and responses, and target IP addresses are checked only in ARP responses.
– src-mac—Checks the source MAC address in the Ethernet header against the sender MAC
address in the ARP body. This check is performed on both ARP requests and responses. When
enabled, packets with different MAC addresses are classified as invalid and are dropped.
This example shows how to enable src-mac additional validation:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection validate src-mac
Router(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-11
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

This example shows how to enable dst-mac additional validation:


Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection validate dst-mac
Router(config)# do show ip arp inspection | include abled$
Source Mac Validation : Disabled
Destination Mac Validation : Enabled
IP Address Validation : Disabled

This example shows how to enable ip additional validation:


Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection validate ip
Router(config)# do show ip arp inspection | include abled$
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Enabled

This example shows how to enable src-mac and dst-mac additional validation:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection validate src-mac dst-mac
Router(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Disabled

This example shows how to enable src-mac, dst-mac, and ip additional validation:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection validate src-mac dst-mac ip
Router(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled
Destination Mac Validation : Enabled
IP Address Validation : Enabled

Configuring DAI Logging


These sections describe DAI logging:
• DAI Logging Overview, page 38-12
• Configuring the DAI Logging Buffer Size, page 38-13
• Configuring the DAI Logging System Messages, page 38-13
• Configuring DAI Log Filtering, page 38-14

DAI Logging Overview


When DAI drops a packet, it places an entry in the log buffer and then generates system messages on a
rate-controlled basis. After the message is generated, DAI clears the entry from the log buffer. Each log
entry contains flow information, such as the receiving VLAN, the port number, the source and
destination IP addresses, and the source and destination MAC addresses.
A log-buffer entry can represent more than one packet. For example, if an interface receives many
packets on the same VLAN with the same ARP parameters, DAI combines the packets as one entry in
the log buffer and generates a single system message for the entry.

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-12 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for
the show ip arp inspection log privileged EXEC command is affected. Two dashes (“--”) appear instead
of data except for the packet count and the time. No other statistics are provided for the entry. If you see
this entry in the display, increase the number of entries in the log buffer or increase the logging rate.

Configuring the DAI Logging Buffer Size


To configure the DAI logging buffer size, perform this task:

Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
Step 2 Router(config)# ip arp inspection log-buffer Configures the DAI logging buffer size (range is
entries number 0 to 1024).
Router(config)# no ip arp inspection log-buffer Reverts to the default buffer size (32).
entries
Step 3 Router(config)# do show ip arp inspection log | Verifies the configuration.
include Size

This example shows how to configure the DAI logging buffer for 64 messages:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection log-buffer entries 64
Router(config)# do show ip arp inspection log | include Size
Total Log Buffer Size : 64

Configuring the DAI Logging System Messages


To configure the DAI logging system messages, perform this task:

Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
Step 2 Router(config)# ip arp inspection log-buffer logs Configures the DAI logging buffer.
number_of_messages interval length_in_seconds
Router(config)# no ip arp inspection log-buffer Reverts to the default system message configuration.
logs
Step 3 Router(config)# do show ip arp inspection log Verifies the configuration.

When configuring the DAI logging system messages, note the following information:
• For logs number_of_messages (default is 5), the range is 0 to 1024. A 0 value means that the entry
is placed in the log buffer, but a system message is not generated.
• For interval length_in_seconds (default is 1), the range is 0 to 86400 seconds (1 day). A 0 value
means that a system message is immediately generated (and the log buffer is always empty). An
interval setting of 0 overrides a log setting of 0.
• System messages are sent at the rate of number_of_messages per length_in_seconds.

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-13
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

This example shows how to configure DAI logging to send 12 messages every 2 seconds:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection log-buffer logs 12 interval 2
Router(config)# do show ip arp inspection log | include Syslog
Syslog rate : 12 entries per 2 seconds.

This example shows how to configure DAI logging to send 20 messages every 60 seconds.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection log-buffer logs 20 interval 60
Router(config)# do show ip arp inspection log | include Syslog
Syslog rate : 20 entries per 60 seconds.

Configuring DAI Log Filtering


To configure DAI log filtering, perform this task:

Command Purpose
Step 1 Router# configure terminal Enters global configuration mode.
Step 2 Router(config)# ip arp inspection vlan vlan_range Configures log filtering for each VLAN.
logging {acl-match {matchlog | none} |
dhcp-bindings {all | none | permit}}
Step 3 Router(config)# do show running-config | include Verifies the configuration.
ip arp inspection vlan vlan_range

When configuring the DAI log filtering, note the following information:
• By default, all denied packets are logged.
• For vlan_range, you can specify a single VLAN or a range of VLANs:
– To specify a single VLAN, enter a single VLAN number.
– To specify a range of VLANs, enter a dash-separated pair of VLAN numbers.
– You can enter a comma-separated list of VLAN numbers and dash-separated pairs of VLAN
numbers.
• acl-match matchlog—Logs packets based on the DAI ACL configuration. If you specify the
matchlog keyword in this command and the log keyword in the permit or deny ARP access-list
configuration command, ARP packets permitted or denied by the ACL are logged.
• acl-match none—Does not log packets that match ACLs.
• dhcp-bindings all—Logs all packets that match DHCP bindings.
• dhcp-bindings none—Does not log packets that match DHCP bindings.
• dhcp-bindings permit—Logs DHCP-binding permitted packets.

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-14 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
Configuring DAI

This example shows how to configure the DAI log filtering for VLAN 100 not to log packets that match
ACLs:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip arp inspection vlan 100 logging acl-match none
Router(config)# do show running-config | include ip arp inspection vlan 100
ip arp inspection vlan 100 logging acl-match none

Displaying DAI Information


To display DAI information, use the privileged EXEC commands described in Table 38-2.

Table 38-2 Commands for Displaying DAI Information

Command Description
show arp access-list [acl_name] Displays detailed information about ARP ACLs.
show ip arp inspection interfaces [interface_id] Displays the trust state and the rate limit of ARP
packets for the specified interface or all interfaces.
show ip arp inspection vlan vlan_range Displays the configuration and the operating state
of DAI for the specified VLAN. If no VLANs are
specified or if a range is specified, displays
information only for VLANs with DAI enabled
(active).

To clear or display DAI statistics, use the privileged EXEC commands in Table 38-3.

Table 38-3 Commands for Clearing or Displaying DAI Statistics

Command Description
clear ip arp inspection statistics Clears DAI statistics.
show ip arp inspection statistics [vlan Displays statistics for forwarded, dropped, MAC
vlan_range] validation failure, IP validation failure, ACL
permitted and denied, and DHCP permitted and
denied packets for the specified VLAN. If no
VLANs are specified or if a range is specified,
displays information only for VLANs with DAI
enabled (active).

For the show ip arp inspection statistics command, the switch increments the number of forwarded
packets for each ARP request and response packet on a trusted DAI port. The switch increments the
number of ACL-permitted or DHCP-permitted packets for each packet that is denied by source MAC,
destination MAC, or IP validation checks, and the switch increments the appropriate failure count.

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-15
Chapter 38 Configuring Dynamic ARP Inspection
DAI Configuration Samples

To clear or display DAI logging information, use the privileged EXEC commands in Table 38-4:

Table 38-4 Commands for Clearing or Displaying DAI Logging Information

Command Description
clear ip arp inspection log Clears the DAI log buffer.
show ip arp inspection log Displays the configuration and contents of the DAI log buffer.

DAI Configuration Samples


This section includes these samples:
• Sample One: Two Switches Support DAI, page 38-16
• Sample Two: One Switch Supports DAI, page 38-20

Sample One: Two Switches Support DAI


This procedure shows how to configure DAI when two switches support this feature. Host 1 is connected
to Switch A, and Host 2 is connected to Switch B as shown in Figure 38-2 on page 38-3. Both switches
are running DAI on VLAN 1 where the hosts are located. A DHCP server is connected to Switch A. Both
hosts acquire their IP addresses from the same DHCP server. Switch A has the bindings for Host 1 and
Host 2, and Switch B has the binding for Host 2. Switch A Fast Ethernet port 6/3 is connected to the
Switch B Fast Ethernet port 3/3.

Note • DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address
bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to
permit ARP packets that have dynamically assigned IP addresses. For configuration information, see
Chapter 37, “Configuring DHCP Snooping.”
• This configuration does not work if the DHCP server is moved from Switch A to a different location.
• To ensure that this configuration does not compromise security, configure Fast Ethernet port 6/3 on
Switch A and Fast Ethernet port 3/3 on Switch B as trusted.

Configuring Switch A
To enable DAI and configure Fast Ethernet port 6/3 on Switch A as trusted, follow these steps:

Step 1 Verify the connection between switches Switch A and Switch B:


SwitchA# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID


SwitchB Fas 6/3 177 R S I WS-C6506 Fas 3/3
SwitchA#

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-16 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
DAI Configuration Samples

Step 2 Enable DAI on VLAN 1 and verify the configuration:


SwitchA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)# ip arp inspection vlan 1
SwitchA(config)# end
SwitchA# show ip arp inspection vlan 1

Source Mac Validation : Disabled


Destination Mac Validation : Disabled
IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL


---- ------------- --------- --------- ----------
1 Enabled Active

Vlan ACL Logging DHCP Logging


---- ----------- ------------
1 Deny Deny
SwitchA#

Step 3 Configure Fast Ethernet port 6/3 as trusted:


SwitchA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)# interface fastethernet 6/3
SwitchA(config-if)# ip arp inspection trust
SwitchA(config-if)# end
SwitchA# show ip arp inspection interfaces fastethernet 6/3

Interface Trust State Rate (pps)


--------------- ----------- ----------
Fa6/3 Trusted None
SwitchA#

Step 4 Verify the bindings:


SwitchA# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:02:00:02:00:02 1.1.1.2 4993 dhcp-snooping 1 FastEthernet6/4
SwitchA#

Step 5 Check the statistics before and after DAI processes any packets:
SwitchA# show ip arp inspection statistics vlan 1

Vlan Forwarded Dropped DHCP Drops ACL Drops


---- --------- ------- ---------- ----------
1 0 0 0 0

Vlan DHCP Permits ACL Permits Source MAC Failures


---- ------------ ----------- -------------------
1 0 0 0

Vlan Dest MAC Failures IP Validation Failures


---- ----------------- ----------------------
1 0 0
SwitchA#

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-17
Chapter 38 Configuring Dynamic ARP Inspection
DAI Configuration Samples

If Host 1 then sends out two ARP requests with an IP address of 1.1.1.2 and a MAC address of
0002.0002.0002, both requests are permitted, as reflected in the following statistics:
SwitchA# show ip arp inspection statistics vlan 1

Vlan Forwarded Dropped DHCP Drops ACL Drops


---- --------- ------- ---------- ----------
1 2 0 0 0

Vlan DHCP Permits ACL Permits Source MAC Failures


---- ------------ ----------- -------------------
1 2 0 0

Vlan Dest MAC Failures IP Validation Failures


---- ----------------- ----------------------
1 0 0
SwitchA#

If Host 1 then tries to send an ARP request with an IP address of 1.1.1.3, the packet is dropped and an
error message is logged:
00:12:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Fa6/4, vlan
1.([0002.0002.0002/1.1.1.3/0000.0000.0000/0.0.0.0/02:42:35 UTC Tue Jul 10 2001])
SwitchA# show ip arp inspection statistics vlan 1
SwitchA#

The statistics will display as follows:


Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ----------
1 2 2 2 0

Vlan DHCP Permits ACL Permits Source MAC Failures


---- ------------ ----------- -------------------
1 2 0 0

Vlan Dest MAC Failures IP Validation Failures


---- ----------------- ----------------------
1 0 0
SwitchA#

Configuring Switch B
To enable DAI and configure Fast Ethernet port 3/3 on Switch B as trusted, follow these steps:

Step 1 Verify the connectivity:


SwitchA# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID


SwitchB Fas 3/3 120 R S I WS-C6506 Fas 6/3
SwitchB#

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-18 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
DAI Configuration Samples

Step 2 Enable DAI on VLAN 1, and verify the configuration:


SwitchB# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)# ip arp inspection vlan 1
SwitchB(config)# end
SwitchB# show ip arp inspection vlan 1

Source Mac Validation : Disabled


Destination Mac Validation : Disabled
IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL


---- ------------- --------- --------- ----------
1 Enabled Active

Vlan ACL Logging DHCP Logging


---- ----------- ------------
1 Deny Deny
SwitchB#

Step 3 Configure Fast Ethernet port 3/3 as trusted:


SwitchB# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)# interface fastethernet 3/3
SwitchB(config-if)# ip arp inspection trust
SwitchB(config-if)# end
SwitchB# show ip arp inspection interfaces

Interface Trust State Rate (pps)


--------------- ----------- ----------
Gi1/1 Untrusted 15
Gi1/2 Untrusted 15
Gi3/1 Untrusted 15
Gi3/2 Untrusted 15
Fa3/3 Trusted None
Fa3/4 Untrusted 15
Fa3/5 Untrusted 15
Fa3/6 Untrusted 15
Fa3/7 Untrusted 15

<output truncated>
SwitchB#

Step 4 Verify the list of DHCP snooping bindings:


SwitchB# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:01:00:01:00:01 1.1.1.1 4995 dhcp-snooping 1 FastEthernet3/4
SwitchB#

Step 5 Check the statistics before and after DAI processes any packets:
SwitchB# show ip arp inspection statistics vlan 1

Vlan Forwarded Dropped DHCP Drops ACL Drops


---- --------- ------- ---------- ----------
1 0 0 0 0

Vlan DHCP Permits ACL Permits Source MAC Failures


---- ------------ ----------- -------------------
1 0 0 0

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-19
Chapter 38 Configuring Dynamic ARP Inspection
DAI Configuration Samples

Vlan Dest MAC Failures IP Validation Failures


---- ----------------- ----------------------
1 0 0
SwitchB#

If Host 2 then sends out an ARP request with the IP address 1.1.1.1 and the MAC address
0001.0001.0001, the packet is forwarded and the statistics are updated appropriately:
SwitchB# show ip arp inspection statistics vlan 1

Vlan Forwarded Dropped DHCP Drops ACL Drops


---- --------- ------- ---------- ----------
1 1 0 0 0

Vlan DHCP Permits ACL Permits Source MAC Failures


---- ------------ ----------- -------------------
1 1 0 0

Vlan Dest MAC Failures IP Validation Failures


---- ----------------- ----------------------
1 0 0
SwitchB#

If Host 2 attempts to send an ARP request with the IP address 1.1.1.2, DAI drops the request and logs a
system message:
00:18:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa3/4, vlan
1.([0001.0001.0001/1.1.1.2/0000.0000.0000/0.0.0.0/01:53:21 UTC Fri May 23 2003])
SwitchB#

The statistics display as follows:


SwitchB# show ip arp inspection statistics vlan 1

Vlan Forwarded Dropped DHCP Drops ACL Drops


---- --------- ------- ---------- ----------
1 1 1 1 0

Vlan DHCP Permits ACL Permits Source MAC Failures


---- ------------ ----------- -------------------
1 1 0 0

Vlan Dest MAC Failures IP Validation Failures


---- ----------------- ----------------------
1 0 0
SwitchB#

Sample Two: One Switch Supports DAI


This procedure shows how to configure DAI when Switch B shown in Figure 38-2 on page 38-3 does not
support DAI or DHCP snooping.
If switch Switch B does not support DAI or DHCP snooping, configuring Fast Ethernet port 6/3 on
Switch A as trusted creates a security hole because both Switch A and Host 1 could be attacked by either
Switch B or Host 2.

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-20 OL-3999-08
Chapter 38 Configuring Dynamic ARP Inspection
DAI Configuration Samples

To prevent this possibility, you must configure Fast Ethernet port 6/3 on Switch A as untrusted. To permit
ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1. If the IP address of
Host 2 is not static, which would make it impossible to apply the ACL configuration on Switch A, you
must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.
To set up an ARP ACL on switch Switch A, follow these steps:

Step 1 Configure the access list to permit the IP address 1.1.1.1 and the MAC address 0001.0001.0001, and
verify the configuration:
SwitchA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)# arp access-list H2
SwitchA(config-arp-nacl)# permit ip host 1.1.1.1 mac host 1.1.1
SwitchA(config-arp-nacl)# end
SwitchA# show arp access-list
ARP access list H2
permit ip host 1.1.1.1 mac host 0001.0001.0001

Step 2 Apply the ACL to VLAN 1, and verify the configuration:


SwitchA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)# ip arp inspection filter H2 vlan 1
SwitchA(config)# end
SwitchA#

SwitchA# show ip arp inspection vlan 1

Source Mac Validation : Disabled


Destination Mac Validation : Disabled
IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL


---- ------------- --------- --------- ----------
1 Enabled Active H2 No

Vlan ACL Logging DHCP Logging


---- ----------- ------------
1 Deny Deny
SwitchA#

Step 3 Configure Fast Ethernet port 6/3 as untrusted, and verify the configuration:
SwitchA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)# interface fastethernet 6/3
SwitchA(config-if)# no ip arp inspection trust
SwitchA(config-if)# end
Switch# show ip arp inspection interfaces fastethernet 6/3

Interface Trust State Rate (pps)


--------------- ----------- ----------
Fa6/3 Untrusted 15

Switch#

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
OL-3999-08 38-21
Chapter 38 Configuring Dynamic ARP Inspection
DAI Configuration Samples

When Host 2 sends 5 ARP requests through Fast Ethernet port 6/3 on Switch A and a “get” is permitted
by Switch A, the statistics are updated appropriately:
Switch# show ip arp inspection statistics vlan 1
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ----------
1 5 0 0 0
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
1 0 5 0
Vlan Dest MAC Failures IP Validation Failures
---- ----------------- ----------------------
1 0 0
Switch#

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide, Release 12.2SXF
38-22 OL-3999-08

You might also like