Using Dynamic ARP Inspection

The DHCP snooping feature dynamically builds a DHCP binding table, which contains the MAC addresses associated with specific IP addresses. Additionally, this feature supports static MAC address to IP address mappings, which might be appropriate for network devices, such as routers. This DHCP binding table can be used by the Dynamic ARP Inspection (DAI) feature to help prevent Address Resolution Protocol (ARP) spoofing attacks.

Recall the purpose of ARP requests. When a network device needs to determine the MAC address that corresponds to an IP address, the device can send an ARP request. The target device replies to the requesting device with an ARP reply. The ARP reply contains the requested MAC address.

Attackers can attempt to launch an attack by sending gratuitous ARP (GARP) replies. These GARP messages can tell network devices that the attacker’s MAC address corresponds to specific IP addresses. For example, the attacker might be able to convince a PC that the attacker’s MAC address is the MAC address of the PC’s default gateway. As a result, the PC starts sending traffic to the attacker. The attacker captures the traffic and then forwards the traffic to the appropriate default gateway.

To illustrate, consider Figure Below. PC1 is configured with a default gateway of 192.168.0.1. However, the attacker sends GARP messages to PC1, telling PC1 that the MAC address corresponding to 192.168.0.1 is BBBB.BBBB.BBBB, which is the attacker’s MAC address. Similarly, the attacker sends GARP messages to the default gateway, claiming that the MAC address corresponding to PC1’s IP address of 192.168.0.2 is BBBB.BBBB.BBBB. This ARP cache poisoning causes PC1 and Router1 to exchange traffic via the attacker’s PC. Therefore, this type of ARP spoofing attack is considered to be a man-in-the-middle attack.

Networks can be protected from ARP spoofing attacks using the DAI feature. DAI works similarly to DHCP snooping by using trusted and untrusted ports. ARP replies are allowed into the switch on trusted ports. However, if an ARP reply enters the switch on an untrusted port, the contents of the ARP reply are compared to the DHCP binding table to verify its accuracy. If the ARP reply is inconsistent with the DHCP binding table, the ARP reply is dropped, and the port is disabled.

The first step in configuring DAI is to enable DAI for one or more VLANs. For example, to enable DAI for VLAN 100, enter the following global configuration mode command:

SW3550(config)# ip arp inspection vlan 100

By default, the DAI feature considers all switch ports to be untrusted ports. Therefore, trusted ports must be explicitly configured. These trusted ports are the ports on which ARP replies are expected. For example, to configure port Gigabit 0/6 to be a DAI trusted port, use the following syntax:

SW3550(config)# interface gigabitethernet 0/6
SW3550(config-if)# ip arp inspection trust



See Also:

[*] ARP Attack Examples

[*] DHCP Snooping





biOos