- Audience
- Getting Started with Cisco ME 2600X
- Ethernet Virtual Circuit
- Quality of Service
- Resilient Ethernet Protocol
- Link Aggregation Group and Link Aggregation Control Protocol
- MAC Learning
- Multicast VLAN Registration
- IGMP Snooping
- Remote Network Monitoring and Alarm Troubleshooting
- Authentication, Authorization, and Accounting (AAA)
- Cisco Discovery Protocol
- SNMP
- IP Source Guard for Service Instance
- DHCP Snooping
- Dynamic ARP Inspection
- MAC Address Security
- Layer 2 Access Control Lists on EVCs
- Layer 3 Access Control Lists on EVCs
- Storm Control over EVC
- Control Plane Policing
- ICMP Unreachable Rate Limiting User Feedback
- IP Version 6 Support for the Management Port
- SSH
- PPPoE Intermediate Agent
- CFM over EVC
- Index
Cisco ME 2600X Series Ethernet Access Switch Software Configuration Guide
- Updated:
- September 3, 2014
Chapter: Dynamic ARP Inspection
Dynamic ARP Inspection
This chapter describes how to configure dynamic Address Resolution Protocol (ARP) inspection (DAI) in Cisco IOS Release 12.2SX
- Understanding DAI
- Default DAI Configuration
- Restrictions for DAI
- Configuring DAI
- Example: DAI Configuration
Understanding DAI
- Understanding ARP
- Understanding ARP Spoofing Attacks
- Understanding DAI and ARP Spoofing Attacks
- Interface Trust States and Network Security
- Rate Limiting of ARP Packets
- Relative Priority of ARP ACLs and DHCP Snooping Entries
- Logging of Dropped Packets
Understanding ARP
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with its MAC address.
Understanding ARP Spoofing Attacks
ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.
An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. The figure below shows an example of ARP cache poisoning.
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.
Host C can poison the ARP caches of the switch for Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, which is the topology of the classic man-in-the middle attack.
Understanding DAI and ARP Spoofing Attacks
DAI is a security feature that validates ARP packets in a network . DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks.
DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
- Intercepts all ARP requests and responses on untrusted ports
- Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
- Drops invalid ARP packets
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database . This database is built by DHCP snooping if DHCP snooping is enabled on the bridge domains and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
The switch logs dropped packets (see Logging of Dropped Packets).
You can configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header (see Enabling Additional Validation).
Interface Trust States and Network Security
DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check. No other validation is needed at any other place in the bridge domain or in the network. You configure the trust setting by using the ip arp inspection trust interface configuration command.
 Note | Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. |
In the figure below, assume that both Switch A and Switch B are running DAI on the bridge domain that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity between Host 1 and Host 2 is lost.
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If Switch A is not running DAI, Host 1 can easily poison the ARP cache of Switch B (and Host 2, if the link between the switches is configured as trusted). This condition can occur even though Switch B is running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the ARP caches of other hosts in the network. However, DAI does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a switch running DAI.
In cases in which some switches in a bridge domain run DAI and other switches do not, configure the interfaces connecting such switches as untrusted. However, to validate the bindings of packets from switches where DAI is not configured, configure ARP ACLs on the switch running DAI. When you cannot determine such bindings, isolate switches running DAI at Layer 3 from switches not running DAI.
Note | Depending on the setup of the DHCP server and the network, it might not be possible to validate a given ARP packet on all switches in the bridge domain. |
Rate Limiting of ARP Packets
The switch performs DAI validation checks, which rate limits incoming ARP packets to prevent a denial-of-service attack. By default, the rate for untrusted interfaces is 15 packets per second (pps). Trusted interfaces are not rate limited. You can change this setting by using the ip arp inspection limit interface configuration command.
When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state . The port remains in that state until you intervene. You can use the errdisable recovery global configuration command to enable error disable recovery so that ports automatically emerge from this state after a specified timeout period.
For configuration information, see Configuring ARP Packet Rate Limiting.
Relative Priority of ARP ACLs and DHCP Snooping Entries
DAI uses the DHCP snooping binding database for the list of valid IP-to-MAC address bindings.
ARP ACLs take precedence over entries in the DHCP snooping binding database. The switch uses ACLs only if you configure them by using the ip arp inspection filter global configuration command. The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP snooping.
Logging of Dropped Packets
When the switch drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, the switch clears the entry from the log buffer. Each log entry contains flow information, such as the receiving bridge domain, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
You use the ip arp inspection log-buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified interval to generate system messages. You specify the type of packets that are logged by using the ip arp inspection bridge domain logging global configuration command. For configuration information, see Configuring DAI Logging.
Default DAI Configuration
Default DAI Configuration
The table below shows the default DAI configuration.
| Feature | Default Setting |
|---|---|
DAI |
Disabled on all bridge domains. |
Interface trust state |
All interfaces are untrusted. |
Rate limit of incoming ARP packets |
The rate is 15 pps on untrusted interfaces, assuming that the network is a Layer 2-switched network with a host connecting to as many as 15 new hosts per second. The rate is unlimited on all trusted interfaces. The burst interval is 1 second. |
ARP ACLs for non-DHCP environments |
No ARP ACLs are defined. |
Validation checks |
No checks are performed. |
Log buffer |
When DAI is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second. |
Per-bridge domain logging |
All denied or dropped ARP packets are logged. |
Restrictions for DAI
- DAI is an ingress security feature; it does not perform any egress checking.
- DAI is not effective for hosts connected to switches that do not support DAI or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, separate the domain with DAI checks from the one with no checking. This action secures the ARP caches of hosts in the domain enabled for DAI.
- DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses. For configuration information, see Configuring DHCP Snooping.
- When DHCP snooping is disabled or in non-DHCP environments, use ARP ACLs to permit or to deny packets.
- DAI is supported on access ports, trunk ports, EtherChannel ports, and private bridge domain ports.
- A physical port can join an EtherChannel port channel only when the trust state of the physical port and the channel port match.
Conversely, when you change the trust state on the port channel, the switch configures a new trust state on all the physical ports that comprise the channel.
- The operating rate for the port channel is cumulative across all the physical ports within the channel. For example, if you configure the port channel with an ARP rate limit of 400 pps, all the interfaces combined on the channel receive an aggregate 400 pps. The rate of incoming ARP packets on EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.
The rate of incoming packets on a physical port is checked against the port-channel configuration rather than the physical-ports configuration. The rate-limit configuration on a port channel is independent of the configuration on its physical ports.
If the EtherChannel receives more ARP packets than the configured rate, the channel (including all physical ports) is placed in the error-disabled state.
- Make sure to limit the rate of ARP packets on incoming trunk ports. Configure trunk ports with higher rates to reflect their aggregation and to handle packets across multiple DAI-enabled bridge domains. You also can use the ip arp inspection limit none interface configuration command to make the rate unlimited. A high rate-limit on one bridge domain can cause a denial-of-service attack to other bridge domains when the software places the port in the error-disabled state.
Configuring DAI
- Enabling DAI on Bridge Domains
- Configuring the DAI Interface Trust State
- Configuring ARP Packet Rate Limiting
- Enabling Additional Validation
- Configuring DAI Logging
Enabling DAI on Bridge Domains
To enable DAI on bridge domains, complete the following steps:
1.
enable
2.
configure terminal
3.
ip arp inspection bridge domain{bridge-domain_ID | bridge-domain_range}
4. do show ip arp inspection bridge-domain {bridge-domain_ID
5.
end
DETAILED STEPS
Examples
This example shows how to enable DAI on bridge domains 10 through 12
Switch# configure terminal Switch(config)# ip arp inspection bridge-domain 10-12
This example shows another way to enable DAI on bridge domains 10 through 12
Switch# configure terminal Switch(config)# ip arp inspection bridge-domain 10,11,12
This example shows how to enable DAI on bridge domains 10 through 12 and bridge domain 15
Switch# configure terminal Switch(config)# ip arp inspection bridge-domain 10-12,15
This example shows how to verify the configuration
Switch(config)# $arp inspection bridge-domain 1 | begin BD
BD Configuration Operation ACL Match Static ACL
---- ------------- --------- --------- ----------
1 Enabled Active
BD ACL Logging DHCP Logging
---- ----------- ------------
1 Deny Deny
Configuring the DAI Interface Trust State
The switch forwards ARP packets that it receives on a trusted interface, but does not check them.
On untrusted interfaces, the switch intercepts all ARP requests and responses. It verifies that the intercepted packets have valid IP-to-MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination. The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp inspection bridge domain logging global configuration command. For more information, see Configuring DAI Logging.
To configure the DAI interface trust state, complete the following steps:
1.
enable
2.
configure terminal
3. interface {type1 slot/port | port-channel number}
4.
ip arp inspection trust
5.
do show ip arp inspection interfaces
6.
end
DETAILED STEPS
Example
This example shows how to configure Gigabit Ethernet port 0/12 as trusted:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface gigabitEthernet 0/12 Switch(config-if)# ip arp inspection trust Switch(config-if)# do show ip arp inspection interfaces | include Int|--|0/12
Interface Trust State Rate (pps) Burst Interval --------------- ----------- ---------- -------------- Gi0/12 Trusted None N/A
Configuring ARP Packet Rate Limiting
When DAI is enabled, the switch performs ARP packet validation checks, which makes the switch vulnerable to an ARP-packet denial-of-service attack. ARP packet rate limiting can prevent an ARP-packet denial-of-service attack.
To configure ARP packet rate limiting on a port, perform this task:
When configuring ARP packet rate limiting, note the following information:
- The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces
- For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.
- The rate none keywords specify that there is no upper limit for the rate of incoming ARP packets that can be processed.
- (Optional) For burst interval seconds (default is 1), specify the consecutive interval, in seconds, over which the interface is monitored for a high rate of ARP packets.The range is 1 to 15.
- When the rate of incoming ARP packets exceeds the configured limit, the switch places the port in the error-disabled state. The port remains in the error-disabled state until you enable error-disabled recovery, which allows the port to emerge from the error-disabled state after a specified timeout period.
- Unless you configure a rate-limiting value on an interface, changing the trust state of the interface also changes its rate-limiting value to the default value for the configured trust state. After you configure the rate-limiting value, the interface retains the rate-limiting value even when you change its trust state. If you use the no ip arp inspection limit interface configuration command, the interface reverts to its default rate-limiting value.
- For configuration guidelines about limiting the rate of incoming ARP packets on trunk ports and EtherChannel ports, see Restrictions for DAI.
1.
enable
2.
configure terminal
3. interface {type slot/port | port-channel number}
4. ip arp inspection limit {rate pps [burst interval seconds] | none}
5.
do show ip arp inspection interfaces
6.
end
DETAILED STEPS
Example
This example shows how to configure ARP packet rate limiting on Gigabit Ethernet port 0/14:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# interface gigabitethernet 0/14 Switch(config-if)# ip arp inspection limit rate 20 burst interval 2 Switch(config-if)# do show ip arp inspection interfaces | include Int|--|0/14
Interface Trust State Rate (pps) Burst Interval --------------- ----------- ---------- -------------- Gi0/14 Untrusted 20 2
Enabling Additional Validation
DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can enable additional validation on the destination MAC address, the sender and target IP addresses, and the source MAC address.
The additional validations do the following:
- dst-mac—Checks the destination MAC address in the Ethernet header against the target MAC address in ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
- ip—Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.
- src-mac—Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
When enabling additional validation, note the following information:
- You must specify at least one of the keywords.
- Each ip arp inspection validate command overrides the configuration from any previous commands. If an ip arp inspection validate command enables src-mac and dst-mac validations, and a second ip arp inspection validate command enables IP validation only, the src-mac and dst-mac validations are disabled as a result of the second command.
To enable additional validation, complete the following steps:
1.
enable
2.
configure terminal
3.
ip arp inspection validate {[dst-mac] [ip] [src-mac]}
4.
do show ip arp inspection | include abled$
5.
exit
DETAILED STEPS
Examples
This example shows how to enable src-mac additional validation:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip arp inspection validate src-mac Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled Destination Mac Validation : Disabled IP Address Validation : Disabled
This example shows how to enable dst-mac additional validation:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip arp inspection validate dst-mac Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Disabled Destination Mac Validation : Enabled IP Address Validation : Disabled
This example shows how to enable ip additional validation:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip arp inspection validate ip Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Disabled Destination Mac Validation : Disabled IP Address Validation : Enabled
This example shows how to enable src-mac and dst-mac additional validation:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip arp inspection validate src-mac dst-mac Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled Destination Mac Validation : Enabled IP Address Validation : Disabled
This example shows how to enable src-mac, dst-mac, and ip additional validation:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip arp inspection validate src-mac dst-mac ip Switch(config)# do show ip arp inspection | include abled$
Source Mac Validation : Enabled Destination Mac Validation : Enabled IP Address Validation : Enabled
Configuring DAI Logging
- DAI Logging Overview
- Configuring the DAI Logging For All Packets
- Configuring the DAI Logging Buffer Size
- Configuring the DAI Logging System Messages
DAI Logging Overview
When DAI drops a packet, it places an entry in the log buffer and then generates system messages on a rate-controlled basis. After the message is generated, DAI clears the entry from the log buffer. Each log entry contains flow information, such as the receiving bridge domain, the port number, the source and destination IP addresses, and the source and destination MAC addresses.
A log-buffer entry can represent more than one packet. For example, if an interface receives many packets on the same bridge domain with the same ARP parameters, DAI combines the packets as one entry in the log buffer and generates a single system message for the entry.
If the log buffer overflows, it means that a log event does not fit into the log buffer, and the display for the show ip arp inspection log privileged EXEC command is affected. Two dashes (“--”) appear instead of data except for the packet count and the time. No other statistics are provided for the entry. If you see this entry in the display, increase the number of entries in the log buffer or increase the logging rate.
Configuring the DAI Logging For All Packets
To configure the DAI logging for all packets, complete the following steps:
1.
enable
2.
configure terminal
3. ip arp inspection bridge-domain range logging {acl-match | dhcp-bindings} {all | none | permit}
4.
exit
DETAILED STEPS
Example
This example shows how to configure the DAI logging for all packets:
Switch# configure terminal Enter configuration commands, one per line. End with CNTL/Z. Switch(config)# ip arp inspection bridge-domain 200 logging dhcp-bindings all
Configuring the DAI Logging Buffer Size
To configure the DAI logging buffer size, complete the following steps:
1.
enable
2.
configure terminal
3.
ip arp inspection log-buffer entries number
4.
do show ip arp inspection log | include Size
5.
exit
DETAILED STEPS
Example
This example shows how to configure the DAI logging buffer for 64 messages:
Switch# configure terminal Switch(config)# ip arp inspection log-buffer entries 64 Switch(config)# do show ip arp inspection log | include Size
Total Log Buffer Size : 64
Configuring the DAI Logging System Messages
When configuring the DAI logging system messages, note the following information:
- For logs number_of_messages (default is 5), the range is 0 to 1024. A 0 value means that the entry is placed in the log buffer, but a system message is not generated.
- For interval length_in_seconds (default is 1), the range is 0 to 86400 seconds (1 day). A 0 value means that a system message is immediately generated (and the log buffer is always empty). An interval setting of 0 overrides a log setting of 0.
- System messages are sent at the rate of number_of_messages per length_in_seconds.
To configure the DAI logging system messages, complete the following steps:
1.
enable
2.
configure terminal
3.
ip arp inspection log-buffer logs number_of_messages interval length_in_seconds
4.
do show ip arp inspection log
5.
exit
DETAILED STEPS
Example
This example shows how to configure DAI logging to send 12 messages every 2 seconds:
Switch# configure terminal Switch(config)# ip arp inspection log-buffer logs 12 interval 2 Switch(config)# do show ip arp inspection log | include Syslog
Syslog rate : 12 entries per 2 seconds.
This example shows how to configure DAI logging to send 20 messages every 60 seconds
Switch# configure terminal Switch(config)# ip arp inspection log-buffer logs 20 interval 60 Switch(config)# do show ip arp inspection log | include Syslog
Syslog rate : 20 entries per 60 seconds.
Example: DAI Configuration
This procedure shows how to configure DAI when two switches support this feature. Host 1 is connected to Switch A, and Host 2 is connected to Switch B as shown in Figure 1-2 on page 1-3. Both switches are running DAI on bridge domain 1 where the hosts are located. A DHCP server is connected to Switch A. Both hosts acquire their IP addresses from the same DHCP server. Switch A has the bindings for Host 1 and Host 2, and Switch B has the binding for Host 2. Switch A Gigabit Ethernet port 0/3 is connected to the Switch B Gigabit Ethernet port 0/3.
Note |
|
Configuring Switch A
To enable DAI and configure Gigabit Ethernet port 0/3 on Switch A as trusted, complete the following steps:
1.
enable
2.
show cdp neighbors
3.
configure terminal
4.
configure terminal
5.
exit
6.
show ip dhcp snooping binding
7.
show ip arp inspection statistics bridge-domain 1
DETAILED STEPS
Configuring Switch B
To enable DAI and configure Fast Ethernet port 3/3 on Switch B as trusted, complete the following steps:
1.
enable
2.
show cdp neighbors
3.
configure terminal
4.
configure terminal
5.
exit
6.
show ip dhcp snooping binding
7.
show ip arp inspection statistics bridge-domain 1
DETAILED STEPS
Feedback