Preventing ARP Attacks Using Dynamic ARP Inspection

Last updated: January 15, 2015

Diagram

Task

  • Configure SW1 to protect VLAN 23 from ARP poisoning attacks.
  • Ensure that IP connectivity inside VLAN 23 is maintained between R2 and R3.
  • Based on your configuration, ensure that all possible logging is enabled, but store no more than 10 log entries in the buffer.
  • Configure SW1 to perform all sanity checks for ARP packets.

About Initial Configuration Files: For this task, you must load the initial configuration files for the section, which can be found in the Section 2 Introduction task or by clicking the Resources button.

If you have completed previous tasks in this section, the simplest way to revert to the initial configurations is to use the command configure replace nvram:startup-config instead of reloading the devices. This command, however, is not supported by the ASA.

Overview

Dynamic ARP Inspection (DAI) is a security feature that fixes some well-known weaknesses in the ARP protocol. Generally, ARP operation on an Ethernet segment allows any host to spoof a MAC address for any IP address on the segment. These attacks, commonly known as Man-in-the-Middle (MITM) attacks, cannot be prevented by using only port-security, access-lists, or other well-known security features. DAI is used to prevent ARP poisoning attacks:

  • It is enabled per VLAN using the global command ip arp inspection vlan <vlan-id>.
  • By default, all ports are untrusted; to configure a port as trusted, use the interface-level command ip arp inspection trust.
  • DAI only inspects ARP packets from untrusted ports.
  • ARP packets are validated against the DHCP Snooping database information or against statically configured ARP entries from ARP access-lists.

When the switch receives an ARP packet on an untrusted port, it compares the IP-to-MAC address binding with entries from the DHCP Snooping database or ARP access-lists. If there is no match, the ARP packet is dropped. Note that implementing DAI may break some services, such as Proxy ARP. To resolve these issues, ARP inspection allows you to configure some ports as trusted, because all ARP messages from trusted ports bypass the ARP inspection engine. Most of the time, for example, access layer switch uplinks toward the distribution or core layer are configured as trusted.

By default, DAI inspects all ARP packets from untrusted ports to ensure valid IP-to-MAC address table bindings, but additional inspections can be enabled:

  • It can check that target MAC addresses inside the ARP packet payload match the destination MAC address in Ethernet frames for ARP responses. It can be enabled with the global command ip arp inspection validate dst-mac.
  • It can check that sender MAC addresses inside the ARP packet payload match the source MAC address in Ethernet frames for ARP requests and responses. It can be enabled with the global command ip arp inspection validate src-mac.
  • It can check the ARP packet payload for invalid or unexpected IP addresses, ensuring that no host tries to bind MAC addresses to IP addresses, such as 0.0.0.0, 255.255.255.255, or multicast addresses. It can be enabled with the global command ip arp inspection validate ip.

DAI validates ARP packets against the DHCP Snooping database. If any hosts on the segment do not obtain their addresses through DHCP, or if DHCP Snooping is not enabled at all, you must configure ARP access-lists so that their ARP traffic is allowed:

  • The access-list is created using the global command arp access-list <acl-name>.
  • Access-list entries are configured using the command permit ip host <sender-IP-address> mac host <sender-MAC-address> [log].
  • The access-list is applied per VLAN using the command ip arp inspection filter <acl-name> vlan <vlan-id> [static].

DAI first checks the ARP access-list to determine whether an ARP packet is legitimate; if there are no matches on permit entries for the given IP and MAC address pair and there is no explicit deny ip any mac any statement at the end of the access-list, DAI also checks the DHCP Snooping database. If there are no matches, the ARP packet is dropped. However, if there is an explicit deny statement at the end of the access-list or the access-list has been configured with the static keyword, ARP inspection does not consult the DHCP Snooping database.
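The sanity checks and the ACL-then-DHCP-Snooping lookup order described above, modelled as an added example (not code from the original lab or from Cisco IOS). The bindings are taken from the lab's ARP ACL plus one constructed DHCP Snooping entry; the packet fields and the `explicit_deny`/`static` flags are assumptions that stand in for the corresponding IOS configuration.

```python
# Added example: a model of the DAI decision path for one ARP packet
# arriving on an untrusted port. Constructed data, not device output.
from dataclasses import dataclass


@dataclass
class Arp:
    opcode: int        # 1 = request, 2 = reply
    eth_src: str       # Ethernet frame source MAC
    eth_dst: str       # Ethernet frame destination MAC
    sender_mac: str    # ARP payload sender hardware address
    sender_ip: str     # ARP payload sender protocol address
    target_mac: str    # ARP payload target hardware address


# Bindings from the lab's ARP access-list DAI_VLAN23 (IP -> MAC)
ARP_ACL = {"136.1.23.2": "d867.d9e0.bbc0", "136.1.23.3": "001e.f779.4771"}
# Constructed DHCP Snooping binding for a hypothetical DHCP client
DHCP_SNOOPING = {"136.1.23.10": "0011.2233.4455"}


def _invalid_ip(ip: str) -> bool:
    """Addresses rejected by 'ip arp inspection validate ip'."""
    first_octet = int(ip.split(".")[0])
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= first_octet <= 239


def dai_verdict(pkt: Arp, acl: dict, snooping: dict, static: bool = False,
                explicit_deny: bool = False,
                validate=("src-mac", "dst-mac", "ip")) -> str:
    """Return 'permit' or 'drop:<reason>' for an ARP packet on an untrusted port."""
    # Optional sanity checks (ip arp inspection validate src-mac dst-mac ip)
    if "src-mac" in validate and pkt.sender_mac != pkt.eth_src:
        return "drop:src-mac"
    if "dst-mac" in validate and pkt.opcode == 2 and pkt.target_mac != pkt.eth_dst:
        return "drop:dst-mac"
    if "ip" in validate and _invalid_ip(pkt.sender_ip):
        return "drop:invalid-ip"
    # The ARP access-list is consulted first
    if acl.get(pkt.sender_ip) == pkt.sender_mac:
        return "permit"
    # The DHCP Snooping database is consulted only when the ACL is not
    # applied with 'static' and does not end in 'deny ip any mac any'
    if not static and not explicit_deny and snooping.get(pkt.sender_ip) == pkt.sender_mac:
        return "permit"
    return "drop:no-binding"
```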

DAI also allows for ARP message rate-limiting. This is enabled by default on untrusted ports with a maximum of 15 pps, and disabled on trusted ports. Using the interface-level command ip arp inspection limit rate {<pps> [burst interval <seconds>]}, you can modify the default thresholds. When the port exceeds the configured rate, it will go into error-disabled state. The feature limits the aggregate rate on trunks or EtherChannels, so you may need to adjust it for real-world situations.

From the logging perspective, DAI is very granular, with multiple options available:

  • You may specify the log keyword for entries in the ARP access-list, but logs are not generated by default unless you enable it with the global command ip arp inspection vlan <vlan-id> logging acl-match matchlog.
  • You may enable logging when entries in the DHCP Snooping database are matched by using the global command ip arp inspection vlan <vlan-id> logging dhcp-bindings {all|permit}.
  • You may enable logging for suspect ARP packets (such as those having a source IP of 0.0.0.0) with the global command ip arp inspection vlan <vlan-id> logging arp-probe.
  • The switch accumulates all DAI-related logging in a dedicated internal buffer, and its size can be modified by using the global command ip arp inspection log-buffer entries <number>.

Configuration

Note that the MAC addresses of R2 and R3 will differ from those used below, depending on your rack number.

SW1:
arp access-list DAI_VLAN23
 permit ip host 136.1.23.2 mac host d867.d9e0.bbc0 log
 permit ip host 136.1.23.3 mac host 001e.f779.4771 log
!
ip arp inspection filter DAI_VLAN23 vlan 23
!
ip arp inspection vlan 23
ip arp inspection vlan 23 logging acl-match matchlog
ip arp inspection vlan 23 logging dhcp-bindings all
ip arp inspection vlan 23 logging arp-probe
ip arp inspection log-buffer entries 10
ip arp inspection validate src-mac dst-mac ip

Verification

Verify DAI configuration:

SW1#show ip arp inspection vlan 23

Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   23     Enabled          Active      DAI_VLAN23         No 

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   23     Acl-Match        All               Permit  
!
!
SW1#show ip arp inspection log
Total Log Buffer Size : 10
Syslog rate : 5 entries per 1 seconds.

No entries in log buffer.
!
!
SW1#show ip arp inspection interfaces fastEthernet1/0/2

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa1/0/2            Untrusted               15                 1
!
!
SW1#show ip arp inspection interfaces fastEthernet1/0/20

 Interface        Trust State     Rate (pps)    Burst Interval
 ---------------  -----------     ----------    --------------
 Fa1/0/20           Untrusted               15                 1