Catalyst 4500 Series Switch Cisco IOS Release XE 3.5.0E and 15.2.1
Configuring Dynamic ARP Inspection
Downloads: This chapterpdf (PDF - 214.0KB) The complete bookPDF (PDF - 18.13MB) | Feedback

Table of Contents

Configuring Dynamic ARP Inspection

About Dynamic ARP Inspection

ARP Cache Poisoning

Purpose of Dynamic ARP Inspection

Interface Trust State, Security Coverage and Network Configuration

Relative Priority of Static Bindings and DHCP Snooping Entries

Logging of Dropped Packets

Rate Limiting of ARP Packets

Port Channels Function

Configuring Dynamic ARP Inspection

Configuring Dynamic ARP Inspection in DHCP Environments

DAI Configuration Example

Switch A

Switch B

Configuring ARP ACLs for Non-DHCP Environments

Configuring the Log Buffer

Limiting the Rate of Incoming ARP Packets

Performing Validation Checks

Configuring Dynamic ARP Inspection

This chapter describes how to configure Dynamic ARP Inspection (DAI) on the Catalyst 4500 series switch.

This chapter includes the following major sections:


Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html

If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the Cisco IOS library. See the Cisco IOS Command Reference and related publications at this location:

http://www.cisco.com/en/US/products/ps6350/index.html


About Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature that validates Address Resolution Protocol (ARP) packets in a network. DAI allows a network administrator to intercept, log, and discard ARP packets with invalid MAC-IP pairs. This capability protects the network from certain “man-in-the-middle” attacks.

This section contains the following subsections:

ARP Cache Poisoning

You can attack hosts, switches, and routers connected to your Layer 2 network by “poisoning” their ARP caches. For example, a malicious user might intercept traffic intended for other hosts on the subnet by poisoning the ARP caches of systems connected to the subnet.

Figure 51-1 shows an example of cache poisoning.

Figure 51-1 ARP Cache Poisoning

 

Hosts HA, HB, and HC are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host HA uses IP address IA and MAC address MA. When HA needs to communicate to HB at the IP Layer, HA broadcasts an ARP request for the MAC address associated with IB. As soon as HB receives the ARP request, the ARP cache on HB is populated with an ARP binding for a host with the IP address IA and a MAC address MA. When HB responds to HA, the ARP cache on HA is populated with a binding for a host with the IP address IB and a MAC address MB.

Host HC can “poison” the ARP caches of HA and HB by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that HC intercepts that traffic. Because HC knows the true MAC addresses associated with IA and IB, HC can forward the intercepted traffic to those hosts using the correct MAC address as the destination. HC has inserted itself into the traffic stream from HA to HB, the classic “man in the middle” attack.

Purpose of Dynamic ARP Inspection

To prevent ARP poisoning attacks, a switch must ensure that only valid ARP requests and responses are relayed. DAI prevents these attacks by intercepting all ARP requests and responses. Each of these intercepted packets is verified for valid MAC address to IP address bindings before the local ARP cache is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.

DAI determines the validity of an ARP packet based on valid MAC address to IP address bindings stored in a trusted database. This database is built at runtime by DHCP snooping, provided this feature is enabled on VLANs and on the switch. In addition, in order to handle hosts that use statically configured IP addresses, DAI can also validate ARP packets against user-configured ARP ACLs.

DAI can also be configured to drop ARP packets when the IP addresses in the packet are invalid or when the MAC addresses in the body of the ARP packet do not match the addresses specified in the Ethernet header.

Interface Trust State, Security Coverage and Network Configuration

DAI associates a trust state with each interface on the system. Packets arriving on trusted interfaces bypass all DAI validation checks, while those arriving on untrusted interfaces go using the DAI validation process. In a typical network configuration for DAI, all ports connected to host ports are configured as untrusted, while all ports connected to switches are configured as trusted. With this configuration, all ARP packets entering the network from a given switch pass the security check.

Figure 51-2 Validation of ARP Packets on a DAI-Enabled VLAN

 

Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. If we assume that both S1 and S2 (in Validation of ARP Packets on a DAI-Enabled VLAN) run DAI on the VLAN ports that contains H1 and H2, and if H1 and H2 were to acquire their IP addresses from the DHCP server connected to S1, then only S1 binds the IP to MAC address of H1. If the interface between S1 and S2 is untrusted, the ARP packets from H1 get dropped on S2. This condition would result in a loss of connectivity between H1 and H2.

Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If S1 were not running DAI, then H1 can easily poison the ARP of S2 (and H2, if the inter- switch link is configured as trusted). This condition can occur even though S2 is running DAI.

DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the ARP caches of other hosts in the network. It does not, however, ensure that hosts from other portions of the network do not poison the caches of the hosts connected to it.

To handle cases in which some switches in a VLAN run DAI and other switches do not, the interfaces connecting such switches should be configured as untrusted. To validate the bindings of packets from non-DAI switches, however, the switch running DAI should be configured with ARP ACLs. When it is not feasible to determine such bindings, switches running DAI should be isolated from non-DAI switches at Layer 3.


Note Depending on the set up of the DHCP server and the network, it may not be possible to perform validation of a given ARP packet on all switches in the VLAN.


Relative Priority of Static Bindings and DHCP Snooping Entries

As mentioned previously, DAI populates its database of valid MAC address to IP address bindings through DHCP snooping. It also validates ARP packets against statically configured ARP ACLs. It is important to note that ARP ACLs have precedence over entries in the DHCP snooping database. ARP packets are first compared to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, then the packet is denied even if a valid binding exists in the database populated by DHCP snooping.

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command. For configuration information, see the “Configuring the Log Buffer” section.

Rate Limiting of ARP Packets

DAI performs validation checks in the CPU, so the number of incoming ARP packets is rate-limited to prevent a denial of service attack. By default, the rate for untrusted interfaces is set to 15 pps second but trusted interfaces have no rate limit. When the rate of incoming ARP packets exceeds the configured limit, the port is placed in the error-disable state. The port remains in that state until an administrator intervenes. With the errdisable recovery global configuration command, you can enable error-disable recovery so that ports emerge from this state automatically after a specified timeout period.

You use the ip arp inspection limit global configuration command to limit the rate of incoming ARP requests and responses on the interface. Unless a rate limit is explicitly configured on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state; that is, 15 packets per second for untrusted interfaces and unlimited for trusted interfaces. Once a rate limit is configured explicitly, the interface retains the rate limit even when its trust state is changed. At any time, the interface reverts to its default rate limit if the no form of the rate limit command is applied. For configuration information, see the “Limiting the Rate of Incoming ARP Packets” section.


Note When you enable DAI, all ARP packets are forwarded by CPU (software forwarding, the slow path). With this mechanism, whenever a packet exits through multiple ports, the CPU must create as many copies of the packet as there are egress ports. The number of egress ports is a multiplying factor for the CPU. When QoS policing is applied on egress packets that were forwarded by CPU, QoS must be applied in the CPU as well. (You cannot apply QoS in hardware on CPU generated packets because the hardware forwarding path is turned off for CPU generated packets.) Both factors can drive the CPU to a very high utilization level.


Port Channels Function

A given physical port can join a channel only when the trust state of the physical port and of the channel match. Otherwise, the physical port remains suspended in the channel. A channel inherits its trust state from the first physical port that joined the channel. Consequently, the trust state of the first physical port need not match the trust state of the channel.

Conversely, when the trust state is changed on the channel, the new trust state is configured on all the physical ports that comprise the channel.

The rate limit check on port channels is unique. The rate of incoming packets on a physical port is checked against the port channel configuration rather than the physical ports’ configuration.

The rate limit configuration on a port channel is independent of the configuration on its physical ports.

The rate limit is cumulative across all physical ports; that is, the rate of incoming packets on a port channel equals the sum of rates across all physical ports.

When you configure rate limits for ARP packets on trunks, you must account for VLAN aggregation because a high rate limit on one VLAN can cause a denial of service attack to other VLANs when the port is error-disabled by software. Similarly, when a port channel is error-disabled, a high rate limit on one physical port can cause other ports in the channel to go down.

Configuring Dynamic ARP Inspection

These sections describe how to configure DAI on your switch:

Configuring Dynamic ARP Inspection in DHCP Environments

This procedure shows how to configure dynamic ARP inspection when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in ARP Packet Validation on a VLAN Enabled for DAI. Both switches are running DAI on VLAN 100 where the hosts are located. A DHCP server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Switch A has the bindings for Host 1, and Switch B has the bindings for Host 2.

Figure 51-3 ARP Packet Validation on a VLAN Enabled for DAI

 


Note DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see Chapter52, “Configuring DHCP Snooping, IP Source Guard, and IPSG for Static Hosts”


For information on how to configure DAI when only one switch supports the feature, see the “Configuring ARP ACLs for Non-DHCP Environments” section.

To configure DAI, perform this task on both switches:

 

Command
Purpose

Step 1

Switch# show cdp neighbors

Verifies the connection between the switches.

Step 2

Switch# configure terminal

Enters global configuration mode.

Step 3

Switch(config)# [no] ip arp inspection vlan vlan-range

Enables DAI on a per-VLAN basis. By default, DAI is disabled on all VLANs.

To disable DAI, use the no ip arp inspection vlan vlan-range global configuration command.

For vlan-range , specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.

Specify the same VLAN ID for both switches.

Step 4

Switch(config)# interface interface-id

Specifies the interface connected to the other switch, and enter interface configuration mode.

Step 5

Switch(config-if)# ip arp inspection trust

Configures the connection between the switches as trusted.

To return the interfaces to an untrusted state, use the
no ip arp inspection trust interface configuration command.

By default, all interfaces are untrusted.

The switch does not check ARP packets that it receives from the other switch on the trusted interface. It forwards the packets.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the
ip arp inspection vlan logging global configuration command . For more information, see the “Configuring the Log Buffer” section.

Step 6

Switch(config-if)# end

Returns to privileged EXEC mode.

Step 7

Switch# show ip arp inspection interfaces
Switch# show ip arp inspection vlan vlan-range

Verifies the DAI configuration.

Step 8

Switch# show ip dhcp snooping binding

Verifies the DHCP bindings.

Step 9

Switch# show ip arp inspection statistics vlan vlan-range

Checks the DAI statistics.

Step 10

Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

DAI Configuration Example

This example shows how to configure DAI on Switch A in VLAN 100. You would perform a similar procedure on Switch B.

Switch A

SwitchA# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
 
Device ID Local Intrfce Holdtme Capability Platform Port ID
SwitchB Gig 3/48 179 R S I WS-C4506 Gig 3/46
SwitchA# configure terminal
SwitchA(config)# ip arp inspection vlan 100
SwitchA(config)# interface g3/48
SwitchA(config-if)# ip arp inspection trust
SwitchA(config-if)# end
SwitchA# show ip arp inspection interfaces
 
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Gi1/1 Untrusted 15 1
Gi1/2 Untrusted 15 1
Gi3/1 Untrusted 15 1
Gi3/2 Untrusted 15 1
Gi3/3 Untrusted 15 1
Gi3/4 Untrusted 15 1
Gi3/5 Untrusted 15 1
Gi3/6 Untrusted 15 1
Gi3/7 Untrusted 15 1
Gi3/8 Untrusted 15 1
Gi3/9 Untrusted 15 1
Gi3/10 Untrusted 15 1
Gi3/11 Untrusted 15 1
Gi3/12 Untrusted 15 1
Gi3/13 Untrusted 15 1
Gi3/14 Untrusted 15 1
Gi3/15 Untrusted 15 1
Gi3/16 Untrusted 15 1
Gi3/17 Untrusted 15 1
Gi3/18 Untrusted 15 1
Gi3/19 Untrusted 15 1
Gi3/20 Untrusted 15 1
Gi3/21 Untrusted 15 1
Gi3/22 Untrusted 15 1
Gi3/23 Untrusted 15 1
Gi3/24 Untrusted 15 1
Gi3/25 Untrusted 15 1
Gi3/26 Untrusted 15 1
Gi3/27 Untrusted 15 1
Gi3/28 Untrusted 15 1
Gi3/29 Untrusted 15 1
Gi3/30 Untrusted 15 1
Gi3/31 Untrusted 15 1
Gi3/32 Untrusted 15 1
Gi3/33 Untrusted 15 1
Gi3/34 Untrusted 15 1
Gi3/35 Untrusted 15 1
Gi3/36 Untrusted 15 1
Gi3/37 Untrusted 15 1
Gi3/38 Untrusted 15 1
Gi3/39 Untrusted 15 1
Gi3/40 Untrusted 15 1
Gi3/41 Untrusted 15 1
Gi3/42 Untrusted 15 1
Gi3/43 Untrusted 15 1
Gi3/44 Untrusted 15 1
Gi3/45 Untrusted 15 1
Gi3/46 Untrusted 15 1
Gi3/47 Untrusted 15 1
Gi3/48 Trusted None N/A
 
SwitchA# show ip arp inspection vlan 100
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
 
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
100 Enabled Active
 
Vlan ACL Logging DHCP Logging
---- ----------- ------------
100 Deny Deny
 
SwitchA# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:01:00:01:00:01 170.1.1.1 3597 dhcp-snooping 100 GigabitEthernet3/27
Total number of bindings: 1
 
SwitchA# show ip arp inspection statistics vlan 100
 
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
100 15 0 0 0
 
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
100 0 0 0
 
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
100 0 0 0
SwitchA#

Switch B

SwitchB# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
 
Device ID Local Intrfce Holdtme Capability Platform Port ID
SwitchA Gig 3/46 163 R S I WS-C4507R Gig 3/48
SwitchB#
SwitchB# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)# ip arp inspection vlan 100
SwitchB(config)# interface g3/46
SwitchB(config-if)# ip arp inspection trust
SwitchB(config-if)# end
SwitchB#
SwitchB# show ip arp inspection interfaces
 
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Gi1/1 Untrusted 15 1
Gi1/2 Untrusted 15 1
Gi3/1 Untrusted 15 1
Gi3/2 Untrusted 15 1
Gi3/3 Untrusted 15 1
Gi3/4 Untrusted 15 1
Gi3/5 Untrusted 15 1
Gi3/6 Untrusted 15 1
Gi3/7 Untrusted 15 1
Gi3/8 Untrusted 15 1
Gi3/9 Untrusted 15 1
Gi3/10 Untrusted 15 1
Gi3/11 Untrusted 15 1
Gi3/12 Untrusted 15 1
Gi3/13 Untrusted 15 1
Gi3/14 Untrusted 15 1
Gi3/15 Untrusted 15 1
Gi3/16 Untrusted 15 1
Gi3/17 Untrusted 15 1
Gi3/18 Untrusted 15 1
Gi3/19 Untrusted 15 1
Gi3/20 Untrusted 15 1
Gi3/21 Untrusted 15 1
Gi3/22 Untrusted 15 1
Gi3/23 Untrusted 15 1
Gi3/24 Untrusted 15 1
Gi3/25 Untrusted 15 1
Gi3/26 Untrusted 15 1
Gi3/27 Untrusted 15 1
Gi3/28 Untrusted 15 1
Gi3/29 Untrusted 15 1
Gi3/30 Untrusted 15 1
Gi3/31 Untrusted 15 1
Gi3/32 Untrusted 15 1
Gi3/33 Untrusted 15 1
Gi3/34 Untrusted 15 1
Gi3/35 Untrusted 15 1
Gi3/36 Untrusted 15 1
Gi3/37 Untrusted 15 1
Gi3/38 Untrusted 15 1
Gi3/39 Untrusted 15 1
Gi3/40 Untrusted 15 1
Gi3/41 Untrusted 15 1
Gi3/42 Untrusted 15 1
Gi3/43 Untrusted 15 1
Gi3/44 Untrusted 15 1
Gi3/45 Untrusted 15 1
Gi3/46 Trusted None N/A
Gi3/47 Untrusted 15 1
Gi3/48 Untrusted 15 1
 
SwitchB# show ip arp inspection vlan 100
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
 
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
100 Enabled Active
 
Vlan ACL Logging DHCP Logging
---- ----------- ------------
100 Deny Deny#
 
SwitchB# show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
00:02:00:02:00:02 170.1.1.2 3492 dhcp-snooping 100 GigabitEthernet3/31
Total number of bindings: 1
 
SwitchB# show ip arp insp statistics vlan 100
 
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
100 2398 0 0 0
 
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
100 2398 0 0
 
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
100 0 0 0
SwitchB#

Configuring ARP ACLs for Non-DHCP Environments

This procedure shows how to configure DAI when Switch B shown in ARP Packet Validation on a VLAN Enabled for DAI does not support DAI or DHCP snooping.

If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 100. If the IP address of Host 2 is not static, such that it is impossible to apply the ACL configuration on Switch A, you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.

To configure an ARP ACL (on switch A in a non-DHCP environment), perform this task:

 

Command
Purpose

Step 1

Switch# configure terminal

Enters global configuration mode.

Step 2

Switch(config)# arp access-list acl-name

Defines an ARP ACL, and enter ARP access-list configuration mode. By default, no ARP access lists are defined.

Note At the end of the ARP access list, there is an implicit deny ip any mac any command.

Step 3

Switch(config-arp-nac)# permit ip host sender-ip mac host sender-mac [ log ]

Permits ARP packets from the specified host (Host 2).

  • For sender-ip , enter the IP address of Host 2.
  • For sender-mac , enter the MAC address of Host 2.
  • (Optional) Specify log to log a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. For more information, see the “Configuring the Log Buffer” section.

Step 4

Switch(config-arp-nac)# exit

Returns to global configuration mode.

Step 5

Switch(config)# ip arp inspection filter arp-acl-name vlan vlan-range [ static ]

Applies the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.

  • For arp-acl-name , specify the name of the ACL created in Step 2.
  • For vlan-range , specify the VLAN that the switches and hosts are in. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
  • (Optional) Specify static to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used.

If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.

ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are permitted only if the access list permits them.

Step 6

Switch(config)# interface interface-id

Specifies the Switch A interface that is connected to Switch B, and enter interface configuration mode.

Step 7

Switch(config-if)# no ip arp inspection trust

Configures the Switch A interface that is connected to Switch B as untrusted.

By default, all interfaces are untrusted.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command . For more information, see the “Configuring the Log Buffer” section.

Step 8

Switch(config-if)# end

Returns to privileged EXEC mode.

Step 9

Switch# show arp access-list [ acl-name ]
Switch# show ip arp inspection vlan vlan-range
Switch# show ip arp inspection interfaces

Verifies the DAI configuration.

Step 10

Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.

This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from HostB (IP address 170.1.1.2 and MAC address 2.2.2), to apply the ACL to VLAN 100, and to configure port 1 on Switch A as untrusted:

SwitchA# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchA(config)# arp access-list hostB
SwitchA(config-arp-nacl)# permit ip host 170.1.1.2 mac host 2.2.2 log
SwitchA(config-arp-nacl)# exit
SwitchA(config)# ip arp inspection filter hostB vlan 100 static
SwitchA(config)# interface g3/48
SwitchA(config-if)# no ip arp inspection trust
SwitchA(config-if)# end
SwitchA# show arp access-list hostB
ARP access list hostB
permit ip host 170.1.1.2 mac host 0002.0002.0002 log
 
SwitchA# show ip arp inspection interfaces
 
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Gi1/1 Untrusted 15 1
Gi1/2 Untrusted 15 1
Gi3/1 Untrusted 15 1
Gi3/2 Untrusted 15 1
Gi3/3 Untrusted 15 1
Gi3/4 Untrusted 15 1
Gi3/5 Untrusted 15 1
Gi3/6 Untrusted 15 1
Gi3/7 Untrusted 15 1
Gi3/8 Untrusted 15 1
Gi3/9 Untrusted 15 1
Gi3/10 Untrusted 15 1
Gi3/11 Untrusted 15 1
Gi3/12 Untrusted 15 1
Gi3/13 Untrusted 15 1
Gi3/14 Untrusted 15 1
Gi3/15 Untrusted 15 1
Gi3/16 Untrusted 15 1
Gi3/17 Untrusted 15 1
Gi3/18 Untrusted 15 1
Gi3/19 Untrusted 15 1
Gi3/20 Untrusted 15 1
Gi3/21 Untrusted 15 1
Gi3/22 Untrusted 15 1
Gi3/23 Untrusted 15 1
Gi3/24 Untrusted 15 1
Gi3/25 Untrusted 15 1
Gi3/26 Untrusted 15 1
Gi3/27 Untrusted 15 1
Gi3/28 Untrusted 15 1
Gi3/29 Untrusted 15 1
Gi3/30 Untrusted 15 1
Gi3/31 Untrusted 15 1
Gi3/32 Untrusted 15 1
Gi3/33 Untrusted 15 1
Gi3/34 Untrusted 15 1
Gi3/35 Untrusted 15 1
Gi3/36 Untrusted 15 1
Gi3/37 Untrusted 15 1
Gi3/38 Untrusted 15 1
Gi3/39 Untrusted 15 1
Gi3/40 Untrusted 15 1
Gi3/41 Untrusted 15 1
Gi3/42 Untrusted 15 1
Gi3/43 Untrusted 15 1
Gi3/44 Untrusted 15 1
Gi3/45 Untrusted 15 1
Gi3/46 Untrusted 15 1
Gi3/47 Untrusted 15 1
Gi3/48 Untrusted 15 1
 
SwitchA# show ip arp inspection statistics vlan 100
 
Vlan Forwarded Dropped DHCP Drops ACL Drops
---- --------- ------- ---------- ---------
100 15 169 160 9
 
Vlan DHCP Permits ACL Permits Source MAC Failures
---- ------------ ----------- -------------------
100 0 0 0
 
Vlan Dest MAC Failures IP Validation Failures Invalid Protocol Data
---- ----------------- ---------------------- ---------------------
100 0 0 0
SwitchA#

Configuring the Log Buffer

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. No other statistics are provided for the entry.

To configure the log buffer, perform this task:

 

Command
Purpose

Step 1

Switch# configure terminal

Enters global configuration mode.

Step 2

Switch(config)# ip arp inspection log-buffer { entries number | logs number interval seconds }

Configures the DAI logging buffer.

By default, when DAI is enabled, denied or dropped ARP packets are logged. The number of log entries is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second .

The keywords have these meanings:

  • For entries number , specify the number of entries to be logged in the buffer. The range is 0 to 1024.
  • For logs number interval seconds , specify the number of entries to generate system messages in the specified interval.

For logs number , the range is 0 to 1024. A 0 value means that the entry is placed in the log buffer, but a system message is not generated.

For interval seconds , the range is 0 to 86400 seconds (1 day). A 0 value means that a system message is immediately generated (and the log buffer is always empty).

An interval setting of 0 overrides a log setting of 0.

The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.

Step 3

Switch(config)# [no] ip arp inspection vlan vlan-range logging { acl-match { matchlog | none } | dhcp-bindings { all | none | permit }}

Controls the type of packets that are logged per-VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.

The keywords have these meanings:

  • For vlan-range , specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094.
  • For acl-match matchlog, log packets based on the ACE logging configuration. If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access-list configuration command, ARP packets permitted or denied by ACEs with log keyword are logged.
  • For acl-match none , do not log packets that match ACLs.
  • For dhcp-bindings all, log all packets that match DHCP bindings.
  • For dhcp-bindings none, do not log packets that match DHCP bindings.
  • For dhcp-bindings permit, log DHCP-binding permitted packets.

Step 4

Switch(config)# exit

Returns to privileged EXEC mode.

Step 5

Switch# show ip arp inspection log

Verifies your settings.

Step 6

Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To return to the default log buffer settings, use the no ip arp inspection log-buffer global configuration command. To return to the default VLAN log settings, use the
no ip arp inspection vlan vlan-range logging { acl-match | dhcp-bindings } global configuration command. To clear the log buffer, use the clear ip arp inspection log privileged EXEC command.

This example shows how to configure the number of entries for the log buffer to 1024. It also shows how to configure your Catalyst 4500 series switch so that the logs must be generated from the buffer at the rate of 100 per 10 seconds.

SwitchB# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)# ip arp inspection log-buffer entries 1024
SwitchB(config)# ip arp inspection log-buffer logs 100 interval 10
SwitchB(config)# end
SwitchB# show ip arp inspection log
Total Log Buffer Size : 1024
Syslog rate : 100 entries per 10 seconds.
 
 
Interface Vlan Sender MAC Sender IP Num Pkts Reason Time
---------- ---- -------------- --------------- --------- ----------- ----
Gi3/31 100 0002.0002.0003 170.1.1.2 5 DHCP Deny 02:05:45 UTC Fri Feb 4 2005
SwitchB#

Limiting the Rate of Incoming ARP Packets

The switch CPU performs DAI validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.


Note Unless you explicitly configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the
no ip arp-inspection limit interface configuration command, the interface reverts to its default rate limit.


By default, the switch places the port in the error-disabled state when the rate of incoming ARP packets exceeds the configured limit. To prevent the port from shutting down, you can use the errdisable detect cause arp-inspection action shutdown vlan global configuration command to shut down just the offending VLAN on the port where the violation occurred.

When a port is in the error-disabled state, you can bring it out of this state automatically by configuring the errdisable recovery cause arp-inspection global configuration command or you can manually reenable it by entering the shutdown and no shut down interface configuration commands. If a port is in per-VLAN error-disable mode, you can also use clear errdisable interface name vlan range command to reenable the VLAN on the port.

To limit the rate of incoming ARP packets, perform this task:

 

Command
Purpose

Step 1

Switch# configure terminal

Enters global configuration mode.

Step 2

Switch(config)# errdisable detect cause arp-inspection [ action shutdown vlan ]

Enables per-VLAN error-disable detection.

Note By default this command is enabled, and when a violation occurs the interface is shutdown.

Step 3

Switch(config)# interface interface-id

Specifies the interface to be rate-limited, and enters interface configuration mode.

Step 4

Switch(config-if)# [no] ip arp inspection limit { rate pps [ burst interval second ] | none }

Limits the rate of incoming ARP requests and responses on the interface.

The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.

The keywords have these meanings:

  • For rate pps , specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.
  • (Optional) For burst interval seconds , specify the consecutive interval in seconds, over which the interface is monitored for a high rate of ARP packets.The range is 1 to 15.
  • For rate none , specify no upper limit for the rate of incoming ARP packets that can be processed.

Step 5

Switch(config-if)# exit

Returns to global configuration mode.

Step 6

Switch(config)# errdisable recovery { cause arp-inspection |
interval
interval }

(Optional) Enables error recovery from the DAI error-disable state.

By default, recovery is disabled, and the recovery interval is 300 seconds.

For interval interval , specify the time in seconds to recover from the error-disable state. The range is 30 to 86400.

Step 7

Switch(config)# exit

Returns to privileged EXEC mode.

Step 8

Switch# show ip arp inspection interfaces

Verifies your settings.

Step 9

Switch# show errdisable recovery

Verifies your settings.

Step 10

Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To return to the default rate-limit configuration, use the no ip arp inspection limit interface configuration command. To disable error recovery for DAI, use the no errdisable recovery cause arp-inspection global configuration command.

This example shows how to set an upper limit for the number of incoming packets (100 pps) and to specify a burst interval (1 second):

SwitchB# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)# interface g3/31
SwitchB(config-if)# ip arp inspection limit rate 100 burst interval 1
SwitchB(config-if)# exit
SwitchB(config)# errdisable recovery cause arp-inspection
SwitchB(config)# exit
SwitchB# show ip arp inspection interfaces
 
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Gi1/1 Untrusted 15 1
Gi1/2 Untrusted 15 1
Gi3/1 Untrusted 15 1
Gi3/2 Untrusted 15 1
Gi3/3 Untrusted 15 1
Gi3/4 Untrusted 15 1
Gi3/5 Untrusted 15 1
Gi3/6 Untrusted 15 1
Gi3/7 Untrusted 15 1
Gi3/8 Untrusted 15 1
Gi3/9 Untrusted 15 1
Gi3/10 Untrusted 15 1
Gi3/11 Untrusted 15 1
Gi3/12 Untrusted 15 1
Gi3/13 Untrusted 15 1
Gi3/14 Untrusted 15 1
Gi3/15 Untrusted 15 1
Gi3/16 Untrusted 15 1
Gi3/17 Untrusted 15 1
Gi3/18 Untrusted 15 1
Gi3/19 Untrusted 15 1
Gi3/20 Untrusted 15 1
Gi3/21 Untrusted 15 1
Gi3/22 Untrusted 15 1
Gi3/23 Untrusted 15 1
Gi3/24 Untrusted 15 1
Gi3/25 Untrusted 15 1
Gi3/26 Untrusted 15 1
Gi3/27 Untrusted 15 1
Gi3/28 Untrusted 15 1
Gi3/29 Untrusted 15 1
Gi3/30 Untrusted 15 1
Gi3/31 Untrusted 100 1
Gi3/32 Untrusted 15 1
Gi3/33 Untrusted 15 1
Gi3/34 Untrusted 15 1
Gi3/35 Untrusted 15 1
Gi3/36 Untrusted 15 1
Gi3/37 Untrusted 15 1
Gi3/38 Untrusted 15 1
Gi3/39 Untrusted 15 1
Gi3/40 Untrusted 15 1
Gi3/41 Untrusted 15 1
Gi3/42 Untrusted 15 1
Gi3/43 Untrusted 15 1
Gi3/44 Untrusted 15 1
Gi3/45 Untrusted 15 1
Gi3/46 Trusted None N/A
Gi3/47 Untrusted 15 1
Gi3/48 Untrusted 15 1
 
SwitchB# show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
udld Disabled
bpduguard Disabled
security-violatio Disabled
channel-misconfig Disabled
vmps Disabled
pagp-flap Disabled
dtp-flap Disabled
link-flap Disabled
l2ptguard Disabled
psecure-violation Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
unicast-flood Disabled
storm-control Disabled
arp-inspection Enabled
 
Timer interval: 300 seconds
 
Interfaces that will be enabled at the next timeout:
 
SwitchB#
1w2d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 101 packets received in 739 milliseconds on Gi3/31.
1w2d: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi3/31, putting Gi3/31 in err-disable state
SwitchB# show clock
*02:21:43.556 UTC Fri Feb 4 2005
SwitchB#
SwitchB# show interface g3/31 status
 
Port Name Status Vlan Duplex Speed Type
Gi3/31 err-disabled 100 auto auto 10/100/1000-TX
SwitchB#
SwitchB#
1w2d: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Gi3/31
SwitchB# show interface g3/31 status
 
Port Name Status Vlan Duplex Speed Type
Gi3/31 connected 100 a-full a-100 10/100/1000-TX
SwitchB# show clock
*02:27:40.336 UTC Fri Feb 4 2005
SwitchB#

Performing Validation Checks

DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address.

To perform specific checks on incoming ARP packets, perform this task:

 

Command
Purpose

Step 1

Switch# configure terminal

Enters global configuration mode.

Step 2

Switch(config)# ip arp inspection validate {[ src-mac ] [ dst-mac ] [ ip ]}

Performs a specific check on incoming ARP packets. By default, no additional checks are performed.

The keywords have these meanings:

  • For src-mac , check the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
  • For dst-mac , check the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
  • For ip , check the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

Step 3

Switch(config)# exit

Returns to privileged EXEC mode.

Step 4

Switch# show ip arp inspection vlan vlan-range

Verifies your settings.

Step 5

Switch# copy running-config startup-config

(Optional) Saves your entries in the configuration file.

To disable checking, use the no ip arp inspection validate [ src-mac ] [ dst-mac ] [ ip ] global configuration command. To display statistics for forwarded, dropped, MAC validation failure, and IP validation failure packets , use the show ip arp inspection statistics privileged EXEC command.

This example shows how to configure source mac validation. Packets are dropped and an error message may be generated when the source address in the Ethernet header does not match the sender hardware address in the ARP body.

SwitchB# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SwitchB(config)# ip arp inspection validate src-mac
SwitchB(config)# exit
SwitchB# show ip arp inspection vlan 100
 
Source Mac Validation : Enabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
 
Vlan Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
100 Enabled Active
 
Vlan ACL Logging DHCP Logging
---- ----------- ------------
100 Deny Deny
SwitchB#
1w2d: %SW_DAI-4-INVALID_ARP: 9 Invalid ARPs (Req) on Gi3/31, vlan 100.([0002.0002.0002/170.1.1.2/0001.0001.0001/170.1.1.1/02:30:24 UTC Fri Feb 4 2005])