Configuring Dynamic ARP Inspection

Prerequisites for Dynamic ARP Inspection

blank.gifDynamic Address Resolution Protocol (ARP) inspection depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.

Restrictions for Dynamic ARP Inspection

blank.gifTo use this feature, the switch must be running the LAN Base image.

Information About Dynamic ARP Inspection

Dynamic ARP Inspection

Dynamic ARP inspection (DAI) helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with its MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.

A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure 63 shows an example of ARP cache poisoning.

Figure 63 ARP Cache Poisoning

 

111750.ps

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.

Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the middle attack.

DAI is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.

DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:

blank.gifIntercepts all ARP requests and responses on untrusted ports

blank.gifVerifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination

blank.gifDrops invalid ARP packets

DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

Interface Trust States and Network Security

DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation process.

In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. No other validation is needed at any other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command.

Caution: Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.

In Figure 64, assume that both Switch A and Switch B are running DAI on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity between Host 1 and Host 2 is lost.

Figure 64 ARP Packet Validation on a VLAN Enabled for DAI

 

111751.ps

Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If Switch A is not running DAI, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running DAI.

DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running DAI.

If some switches in a VLAN run DAI and other switches do not, configure the interfaces connecting these switches as untrusted. However, to validate the bindings of packets from non-DAI switches, configure the switch running DAI with ARP ACLs. When you cannot determine the bindings, at Layer 3 isolate switches running DAI from switches not running DAI switches.

Note: Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the VLAN.

Rate Limiting of ARP Packets

The switch CPU performs DAI validation checks; therefore, the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate-limited. You can change this setting by using the ip arp inspection limit interface configuration command.

When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in that state until you intervene. You can use the errdisable recovery global configuration command to enable error-disable recovery so that ports automatically emerge from this state after a specified timeout period.

Note: Unless you configure a rate limit on an interface, changing the trust state of the interface also changes its rate limit to the default value for that trust state. After you configure the rate limit, the interface retains the rate limit even when its trust state is changed. If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit.

Relative Priority of ARP ACLs and DHCP Snooping Entries

DAI uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.

ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you configure them by using the ip arp inspection filter vlan global configuration command. The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.

Logging of Dropped Packets

When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection vlan logging global configuration command.

A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same VLAN with the same ARP parameters, the switch combines the packets as one entry in the log buffer and generates a single system message for the entry.

If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. Dashes in the display appears in place of all data except the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.

Default Dynamic ARP Inspection Settings

 

Feature
Default Setting

DAI

Disabled on all VLANs.

Interface trust state

All interfaces are untrusted.

Rate limit of incoming ARP packets

The rate is 15 pps on untrusted interfaces, assuming that the network is a switched network with a host connecting to as many as 15 new hosts per second.

The rate is unlimited on all trusted interfaces.

The burst interval is 1 second.

ARP ACLs for non-DHCP environments

No ARP ACLs are defined.

Validation checks

No checks are performed.

Log buffer

When DAI is enabled, all denied or dropped ARP packets are logged.

The number of entries in the log is 32.

The number of system messages is limited to 5 per second.

The logging-rate interval is 1 second.

Per-VLAN logging

All denied or dropped ARP packets are logged.

Dynamic ARP Inspection Configuration Guidelines

blank.gifDAI is an ingress security feature; it does not perform any egress checking.

blank.gifDAI is not effective for hosts connected to switches that do not support DAI or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for DAI.

blank.gifDAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see Configuring Dynamic ARP Inspection

When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.

blank.gifDAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports.

Note: Do not enable DAI on RSPAN VLANs. If DAI is enabled on RSPAN VLANs, DAI packets might not reach the RSPAN destination port.

blank.gifA physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match. Otherwise, the physical port remains suspended in the port channel. A port channel inherits its trust state from the first physical port that joins the channel. Consequently, the trust state of the first physical port need not match the trust state of the channel.

Conversely, when you change the trust state on the port channel, the switch configures a new trust state on all the physical ports that comprise the channel.

blank.gifThe operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate-limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.

The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical-ports configuration. The rate-limit configuration on a port channel is independent of the configuration on its physical ports.

If the EtherChannel receives more ARP packets than the configured rate, the channel (including all physical ports) is placed in the error-disabled state.

blank.gifMake sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher rates to reflect their aggregation and to handle packets across multiple DAI-enabled VLANs. You also can use the ip arp inspection limit none interface configuration command to make the rate unlimited. A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs when the software places the port in the error-disabled state.

blank.gifWhen you enable DAI on the switch, policers that were configured to police ARP traffic are no longer effective. The result is that all ARP traffic is sent to the CPU.

How to Configure Dynamic ARP Inspection

Configuring Dynamic ARP Inspection in DHCP Environments

This procedure shows how to configure DAI when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 64. Both switches are running DAI on VLAN 1 where the hosts are located. A DHCP server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Therefore, Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2.

Before You Begin

You must perform this procedure on both switches. This procedure is required.

 

 
Command
Purpose

1.blank.gif

show cdp neighbors

Verifies the connection between the switches.

2.blank.gif

configure terminal

Enters global configuration mode.

3.blank.gif

ip arp inspection vlan vlan-range

Enables DAI on a per-VLAN basis. By default, DAI is disabled on all VLANs.

vlan-range —Specifies a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4096.

Specifies the same VLAN ID for both switches.

4.blank.gif

interface interface-id

Specifies the interface connected to the other switch, and enters interface configuration mode.

5.blank.gif

ip arp inspection trust

Configures the connection between the switches as trusted.

By default, all interfaces are untrusted.

The switch does not check ARP packets that it receives from the other switch on the trusted interface; it only forwards the packets.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.

6.blank.gif

end

Returns to privileged EXEC mode.

Configuring ARP ACLs for Non-DHCP Environments

This procedure shows how to configure DAI when Switch B shown in Figure 64 does not support DAI or DHCP snooping.

If you configure port 1 on Switch A as trusted, a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2. To prevent this possibility, you must configure port 1 on Switch A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1. If the IP address of Host 2 is not static (it is impossible to apply the ACL configuration on Switch A) you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them.

 

 
Command
Purpose

1.blank.gif

configure terminal

Enters global configuration mode.

2.blank.gif

arp access-list acl-name

Defines an ARP ACL, and enters ARP access-list configuration mode. By default, no ARP access lists are defined.

Note: At the end of the ARP access list, there is an implicit deny ip any mac any command.

3.blank.gif

permit ip host sender-ip mac host sender-mac [ log ]

Permits ARP packets from the specified host (Host 2).

blank.gif sender-ip— Enters the IP address of Host 2.

blank.gif sender-mac —Enters the MAC address of Host 2.

blank.gif(Optional) log —Logs a packet in the log buffer when it matches the access control entry (ACE). Matches are logged if you also configure the matchlog keyword in the ip arp inspection vlan logging global configuration command. For more information, see Configuring the Log Buffer.

4.blank.gif

exit

Returns to global configuration mode.

5.blank.gif

ip arp inspection filter arp-acl-name vlan vlan-range [ static ]

Applies the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.

blank.gif arp-acl-name —Specifies the name of the ACL created in Step 2.

blank.gif vlan-range —Specifies the VLAN that the switches and hosts are in. You can specify a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4096.

blank.gif(Optional) static —Specifies to treat implicit denies in the ARP ACL as explicit denies and to drop packets that do not match any previous clauses in the ACL. DHCP bindings are not used.

If you do not specify this keyword, it means that there is no explicit deny in the ACL that denies the packet, and DHCP bindings determine whether a packet is permitted or denied if the packet does not match any clauses in the ACL.

ARP packets containing only IP-to-MAC address bindings are compared against the ACL. Packets are permitted only if the access list permits them.

6.blank.gif

interface interface-id

Specifies the Switch A interface that is connected to Switch B, and enters interface configuration mode.

7.blank.gif

no ip arp inspection trust

Configures the Switch A interface that is connected to Switch B as untrusted.

By default, all interfaces are untrusted.

For untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection vlan logging global configuration command.

8.blank.gif

end

Returns to privileged EXEC mode.

Limiting the Rate of Incoming ARP Packets

 

 
Command
Purpose

1.blank.gif

configure terminal

Enters global configuration mode.

2.blank.gif

interface interface-id

Specifies the interface to be rate-limited, and enters interface configuration mode.

3.blank.gif

ip arp inspection limit { rate pps [ burst interval seconds ] | none }

Limits the rate of incoming ARP requests and responses on the interface.

The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces. The burst interval is 1 second.

blank.gif rate pps —Specifies an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.

blank.gif(Optional) burst interval seconds —Specifies the consecutive interval in seconds, over which the interface is monitored for a high rate of ARP packets. The range is 1 to 15.

blank.gif rate none —Specifies no upper limit for the rate of incoming ARP packets that can be processed.

4.blank.gif

exit

Returns to global configuration mode.

5.blank.gif

errdisable recovery cause arp-inspection interval interval

(Optional) Enables error recovery from the DAI error-disabled state.

By default, recovery is disabled, and the recovery interval is 300 seconds.

interval interval —Specifies the time in seconds to recover from the error-disabled state. The range is 30 to 86400.

6.blank.gif

exit

Returns to privileged EXEC mode.

Performing Validation Checks

 

 
Command
Purpose

1.blank.gif

configure terminal

Enters global configuration mode.

2.blank.gif

ip arp inspection validate {[ src-mac ] [ dst-mac ] [ ip ]}

Performs a specific check on incoming ARP packets. By default, no checks are performed.

blank.gif src-mac —Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

blank.gif dst-mac —Checks the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

blank.gif ip —Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

You must specify at least one of the keywords. Each command overrides the configuration of the previous command; that is, if a command enables src and dst mac validations, and a second command enables IP validation only, the src and dst mac validations are disabled as a result of the second command.

3.blank.gif

exit

Returns to privileged EXEC mode.

Configuring the Log Buffer

 

 
Command
Purpose

1.blank.gif

configure terminal

Enters global configuration mode.

2.blank.gif

ip arp inspection log-buffer { entries number | logs number interval seconds }

Configures the DAI logging buffer.

By default, when DAI is enabled, denied, or dropped, ARP packets are logged. The number of log entries is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.

blank.gif entries number —Specifies the number of entries to be logged in the buffer. The range is 0 to 1024.

blank.gif logs number interval seconds —Specifies the number of entries to generate system messages in the specified interval.

logs number —Specifies the range 0 to 1024. A 0 value means that the entry is placed in the log buffer, but a system message is not generated.

interval seconds —Specifies the range 0 to 86400 seconds (1 day). A 0 value means that a system message is immediately generated (and the log buffer is always empty).

An interval setting of 0 overrides a log setting of 0.

The logs and interval settings interact. If the logs number X is greater than interval seconds Y, X divided by Y (X/Y) system messages are sent every second. Otherwise, one system message is sent every Y divided by X (Y/X) seconds.

3.blank.gif

ip arp inspection vlan vlan-range logging { acl-match { matchlog | none } | dhcp-bindings { all | none | permit }}

Controls the type of packets that are logged per VLAN. By default, all denied or all dropped packets are logged. The term logged means the entry is placed in the log buffer and a system message is generated.

blank.gif vlan-range —Specifies a single VLAN identified by VLAN ID number, a range of VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4096.

blank.gif acl-match matchlog—Specifies log packets based on the ACE logging configuration. If you specify the matchlog keyword in this command and the log keyword in the permit or deny ARP access-list configuration command, ARP packets permitted or denied by the ACL are logged.

blank.gif acl-match none —Does not log packets that match ACLs.

blank.gifdhcp-bindings all—Logs all packets that match DHCP bindings.

blank.gifdhcp-bindings none—Does not log packets that match DHCP bindings.

blank.gifdhcp-bindings permit—Logs DHCP-binding permitted packets.

4.blank.gif

exit

Returns to privileged EXEC mode.

Monitoring and Maintaining Dynamic ARP Inspection

 

Command
Description

clear ip arp inspection log

Clears the DAI log buffer.

clear ip arp inspection statistics

Clears the DAI statistics.

show arp access-list [ acl-name ]

Displays detailed information about ARP ACLs.

show errdisable recovery

Displays the error-disabled recovery timer information.

show ip arp inspection interfaces [ interface-id ]

Displays the trust state and the rate limit of ARP packets for the specified interface or all interfaces.

show ip arp inspection log

Displays the configuration and contents of the DAI log buffer.

show ip arp inspection vlan vlan-range

Displays the configuration and the operating state of DAI for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with DAI enabled (active).

show ip arp inspection statistics [ vlan vlan-range ]

Displays statistics for forwarded, dropped, MAC validation failure, IP validation failure, ACL permitted and denied, and DHCP permitted and denied packets for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with DAI enabled (active).

show ip dhcp snooping binding

Verifies the DHCP bindings.

Configuration Examples for Dynamic ARP Inspection

Configuring Dynamic ARP Inspection in DHCP Environments: Example

This example shows how to configure DAI on Switch A in VLAN 1. You would perform a similar procedure on Switch B:

Switch(config)# ip arp inspection vlan 1
Switch(config)# interface GigabitEthernet1/17
Switch(config-if)# ip arp inspection trust

Configuring ARP ACLs for Non-DHCP Environments: Example

This example shows how to configure an ARP ACL called host2 on Switch A, to permit ARP packets from Host 2 (IP address 1.1.1.1 and MAC address 0001.0001.0001), to apply the ACL to VLAN 1, and to configure port 1 on Switch A as untrusted:

Switch(config)# arp access-list host2
Switch(config-arp-acl)# permit ip host 1.1.1.1 mac host 1.1.1
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter host2 vlan 1
Switch(config)# interface GigabitEthernet1/17
Switch(config-if)# no ip arp inspection trust

 

Additional References

The following sections provide references related to switch administration:

Related Documents

Related Topic
Document Title

Cisco IOS basic commands

Cisco IOS Configuration Fundamentals Command Reference

DHCP configuration

“Configuring DHCP on the IE 5000 Switch”

Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

MIBs
MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

Technical Assistance

Description
Link

The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport