Cisco: Dynamic ARP Inspection (DAI)

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.2 Network security
          • 5.2.a [v] Dynamic ARP inspection
    • Lab v5.0
      • 4.0 Infrastructure Security
        • 4.2 Network security
          • 4.2.a [v] Dynamic ARP inspection

Dynamic ARP inspection Lab (DHCP Environment)

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
interface FastEthernet 1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
end
  • R3(Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

Verification

  • SW1
monitor session 1 source interface FastEthernet 1/0/3
monitor session 1 destination interface FastEthernet 1/0/12

SW1 Console Log

  1. ARP requests from R3 were seen regardless of whether they entered on the trusted or the untrusted port.
  2. The ARP replies, however, were dropped by the switch because no DHCP snooping binding matched the sender MAC/IP. R2 uses a static address and therefore has no binding either; the later labs cover that case with an ARP ACL. (The non-DHCP lab below also shows requests being dropped on an untrusted port when nothing matches the sender.)

Dynamic ARP inspection Lab (Non-DHCP Environment)

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip arp inspection vlan 128
!
arp access-list ARP-VLAN128
 permit ip host 10.0.128.101 mac host 001b.2a77.66d2 log
 permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface FastEthernet 1/0/24
 ip arp inspection trust
exit
!
end
  • R3(Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

Verification

  • SW1
monitor session 1 source interface FastEthernet 1/0/3
monitor session 1 destination interface FastEthernet 1/0/12

SW1 Console Log

  1. An ARP request arriving on an untrusted port is also blocked when neither an ARP ACL entry nor a binding matches the sender:
R3#ping 10.0.128.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1(config)#
*Mar  1 00:08:24.834: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:24 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:08:26.848: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:26 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:08:28.861: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:28 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:08:30.874: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:30 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:08:32.887: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:32 UTC Mon Mar 1 1993])
SW1(config)#

DAI and IP Source Guard Lab

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
monitor session 1 source interface FastEthernet 1/0/3
monitor session 1 destination interface FastEthernet 1/0/12
  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
ip source binding 0024.c431.126e vlan 128 10.0.128.102 interface FastEthernet 1/0/2
!
arp access-list ARP-VLAN128
 permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface range FastEthernet 1/0/1 - 3
 ip verify source
exit
interface FastEthernet 1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
end
  • R3(Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

Verification

SW1 Console Log

  • I think DAI satisfies the requirements for the anti-IP-spoofing problem…
  • DAI prevents ARP timing spoofing
  • IP Source Guard prevents spoofed IP-level traffic
  • Both configurations together enhance Layer 2 and Layer 3 security (maybe…)

Dynamic ARP inspection Lab (DHCP & Static Environment)

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
arp access-list ARP-VLAN128
 permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface FastEthernet 1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
end
  • R3(Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

SW1 Console Log

Dynamic ARP inspection Lab (Misc Topics)

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
arp access-list ARP-VLAN128
 permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface FastEthernet 1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
end
  • R3(Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.103 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

rate limiting

Configured in interface configuration mode:

configure terminal
!
interface FastEthernet 1/0/3
 ip arp inspection limit rate 1 burst interval 1
!
end
SW1(config)#ip arp inspection ?
  filter      Specify ARP acl to be applied
  log-buffer  Log Buffer Configuration
  smartlog    Smartlog all the logged pkts
  validate    Validate addresses
  vlan        Enable/Disable ARP Inspection on vlans

SW1(config)#ip arp inspection vlan 128 ?
  logging  Configure type of packets to be logged
  <cr>

SW1(config)#int f1/0/3
SW1(config-if)#ip arp inspection limit rate ?
  <0-2048>  Packets per second

SW1(config-if)#ip arp inspection limit rate 2 burst interval ?
  <1-15>  Burst interval in seconds

SW1(config-if)#ip arp inspection limit rate 2 burst interval 1
SW1(config-if)#
*Mar  1 01:06:27.818: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:06:27 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:01.053: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:00 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:03.067: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:02 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:05.080: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:04 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:07.093: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:06 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:09.107: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:08 UTC Mon Mar 1 1993])
SW1(config-if)#ip arp inspection limit rate 1 burst interval 1
SW1(config-if)#
*Mar  1 01:07:32.259: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:31 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:34.272: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:33 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:36.286: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:35 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:38.299: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:37 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:40.312: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:39 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:48.365: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:48 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:50.378: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:50 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:52.400: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:52 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:54.413: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:54 UTC Mon Mar 1 1993])
SW1(config-if)#
*Mar  1 01:07:56.225: %SW_DAI-4-PACKET_RATE_EXCEEDED: 2 packets received in 117 milliseconds on Fa1/0/3.
*Mar  1 01:07:56.225: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa1/0/3, putting Fa1/0/3 in err-disable state
*Mar  1 01:07:56.427: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:56 UTC Mon Mar 1 1993])
*Mar  1 01:07:57.232: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to down
SW1(config-if)#
SW1(config-if)#
*Mar  1 01:07:58.239: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to down
SW1(config-if)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is down, line protocol is down (err-disabled) 
SW1(config-if)#shut
*Mar  1 01:17:22.515: %LINK-5-CHANGED: Interface FastEthernet1/0/3, changed state to administratively down
SW1(config-if)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is administratively down, line protocol is down (disabled) 
SW1(config-if)#no shut
SW1(config-if)#
*Mar  1 01:17:33.630: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to up
*Mar  1 01:17:34.637: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to up
SW1(config-if)#
*Mar  1 01:17:36.423: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:17:35 UTC Mon Mar 1 1993])
SW1(config-if)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is up, line protocol is up (connected) 
configure terminal
!
errdisable detect cause arp-inspection
errdisable recovery cause arp-inspection
errdisable recovery interval 30
!
end
SW1(config)#errdisable detect cause arp-inspection
SW1(config)#errdisable recovery cause arp-inspection
SW1(config)#errdisable recovery interval 30
SW1(config)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is up, line protocol is up (connected) 
*Mar  1 01:23:38.987: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:23:38 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 01:23:40.732: %SW_DAI-4-PACKET_RATE_EXCEEDED: 2 packets received in 419 milliseconds on Fa1/0/3.
*Mar  1 01:23:40.732: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa1/0/3, putting Fa1/0/3 in err-disable state
*Mar  1 01:23:41.017: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:23:40 UTC Mon Mar 1 1993])
*Mar  1 01:23:41.739: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to down
SW1(config)#
SW1(config)#
*Mar  1 01:23:42.746: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to down
SW1(config)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is down, line protocol is down (err-disabled) 
SW1(config)#
*Mar  1 01:24:10.738: %PM-4-ERR_RECOVER: Attempting to recover from arp-inspection err-disable state on Fa1/0/3
SW1(config)#                          
*Mar  1 01:24:14.471: %LINK-3-UPDOWN: Interface FastEthernet1/0/3, changed state to up
SW1(config)#
*Mar  1 01:24:15.243: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:24:14 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 01:24:15.478: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0/3, changed state to up
SW1(config)#do sh int f1/0/3 | i 1/0/3
FastEthernet1/0/3 is up, line protocol is up (connected) 

validate arp

configure terminal
!
interface FastEthernet 1/0/3
 ip arp inspection validate src-mac dst-mac ip
!
end

I can't understand validate arp….

How to verify this command in a lab…
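Added here as a worked example (it is not code from this page or from Cisco): a Python model of what DAI does with each ARP frame on an untrusted port, covering the three mechanisms used in the labs above, the DHCP snooping binding lookup, the ARP ACL applied with ip arp inspection filter, and the validate src-mac / dst-mac / ip options of this section. Besides replaying the two cases in the logs (R3's reply with no binding is dropped, R2 is permitted by the ACL) it shows what validate adds: an attacker that copies R1's MAC/IP pair into the ARP body passes the binding check, because the binding table only sees the ARP payload, and only validate src-mac catches the mismatch against the Ethernet source address. The host MACs and IPs are the ones from the logs; the frames, the binding table and the ACL contents are constructed for the example.

```python
"""Model of the per-packet checks Cisco DAI applies on an untrusted port.

Added example, not code from this page or from Cisco. Order follows the
documented behaviour: optional `validate` tests, then the ARP ACL from
`ip arp inspection filter` (packets matching no ACE fall through to the
bindings unless `static` was given), then the DHCP snooping binding lookup on
the ARP sender fields. Frames are constructed; ARP probes are not modelled.
"""
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2


def norm_mac(mac: str) -> str:
    """Accept Cisco dotted (0021.a009.487c) or colon form; return colon form."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_arp(eth_src, eth_dst, op, sha, spa, tha, tpa) -> bytes:
    """Build an untagged Ethernet II + ARP frame (constructed test input)."""
    mac = lambda s: bytes.fromhex(norm_mac(s).replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (mac(eth_dst) + mac(eth_src) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))


def parse_arp(frame: bytes) -> dict:
    """Extract the fields DAI inspects; reject anything but IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an untagged ARP frame")
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: str(ipaddress.IPv4Address(bytes(b)))
    return {"eth_dst": mac(frame[0:6]), "eth_src": mac(frame[6:12]),
            "op": struct.unpack("!H", frame[20:22])[0],
            "sha": mac(frame[22:28]), "spa": ip(frame[28:32]),
            "tha": mac(frame[32:38]), "tpa": ip(frame[38:42])}


def _bad_ip(ip: str) -> bool:
    """What `validate ip` rejects: 0.0.0.0, limited broadcast and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def dai_check(frame, bindings, arp_acl=(), acl_static=False, validate=(), trusted=False):
    """Return (verdict, reason) for one frame, in the order DAI evaluates it.

    bindings: {(mac, ip)} learned by DHCP snooping or set with `ip source binding`.
    arp_acl:  [("permit"|"deny", ip, mac), ...] in `arp access-list` order.
    validate: any of "src-mac", "dst-mac", "ip".
    """
    if trusted:
        return "permit", "trusted port, not inspected"
    a = parse_arp(frame)
    if "src-mac" in validate and a["eth_src"] != a["sha"]:
        return "deny", "src-mac: Ethernet source differs from ARP sender MAC"
    if "dst-mac" in validate and a["op"] == ARP_REPLY and a["eth_dst"] != a["tha"]:
        return "deny", "dst-mac: Ethernet destination differs from ARP target MAC"
    if "ip" in validate and (_bad_ip(a["spa"]) or (a["op"] == ARP_REPLY and _bad_ip(a["tpa"]))):
        return "deny", "ip: invalid sender or target IP"
    for action, ip, mac in arp_acl:                       # first matching ACE wins
        if a["spa"] == ip and a["sha"] == norm_mac(mac):
            return action, f"ARP ACL {action} ip host {ip} mac host {mac}"
    if arp_acl and acl_static:
        return "deny", "ARP ACL implicit deny (filter applied with 'static')"
    if (a["sha"], a["spa"]) in {(norm_mac(m), i) for m, i in bindings}:
        return "permit", "DHCP snooping binding matched"
    return "deny", "no DHCP snooping binding for sender"


# Hosts as they appear in the lab logs: R1 is the DHCP client, R2 static, R3 the attacker.
R1, R1_IP = "001b.2a77.66d2", "10.0.128.13"
R2, R2_IP = "0024.c431.126e", "10.0.128.102"
R3, R3_IP = "0021.a009.487c", "10.0.128.103"
BCAST, ZERO = "ffff.ffff.ffff", "0000.0000.0000"
BINDINGS = {(R1, R1_IP)}           # what `show ip dhcp snooping binding` holds (assumed)
ACL = [("permit", R2_IP, R2)]      # arp access-list ARP-VLAN128 from the lab


def lab_results() -> dict:
    """Replay the logged situations plus the cases only `validate` catches."""
    r3_reply = build_arp(R3, R1, ARP_REPLY, R3, R3_IP, R1, R1_IP)
    # Attacker copies R1's MAC/IP into the ARP body but transmits from its own NIC.
    forged_body = build_arp(R3, BCAST, ARP_REQUEST, R1, R1_IP, ZERO, R2_IP)
    bad_target = build_arp(R1, BCAST, ARP_REPLY, R1, R1_IP, BCAST, "255.255.255.255")
    return {
        "r1_request": dai_check(build_arp(R1, BCAST, ARP_REQUEST, R1, R1_IP, ZERO, R3_IP), BINDINGS, ACL)[0],
        "r2_request_via_acl": dai_check(build_arp(R2, BCAST, ARP_REQUEST, R2, R2_IP, ZERO, R1_IP), BINDINGS, ACL)[0],
        "r3_reply_to_r1": dai_check(r3_reply, BINDINGS, ACL)[0],
        "r3_reply_on_trusted_port": dai_check(r3_reply, BINDINGS, ACL, trusted=True)[0],
        "forged_body_no_validate": dai_check(forged_body, BINDINGS, ACL)[0],
        "forged_body_validate_src_mac": dai_check(forged_body, BINDINGS, ACL, validate=("src-mac",))[0],
        "bad_target_ip_validate_ip": dai_check(bad_target, BINDINGS, ACL, validate=("ip",))[0],
    }
```

Call lab_results() to see all verdicts at once. The forged-body pair is the one to study: the binding check alone permits it, so validate src-mac is what makes the Ethernet header and the ARP body agree on an untrusted port; dst-mac does the same for the target side of replies, and ip rejects sender/target addresses that no legitimate host would use.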

log-buffer

configure terminal
!
! log buffer configuration
ip arp inspection log-buffer logs 10 interval 10
ip arp inspection log-buffer entries 100
!
! packet type definition
ip arp inspection vlan 128 logging acl-match matchlog
ip arp inspection vlan 128 logging dhcp-bindings all
!
end
SW1#sh run | i arp inspection
ip arp inspection vlan 128
ip arp inspection vlan 128 logging acl-match matchlog
ip arp inspection vlan 128 logging dhcp-bindings all
ip arp inspection log-buffer entries 100
ip arp inspection log-buffer logs 10 interval 2
ip arp inspection filter ARP-VLAN128 vlan  128
 ip arp inspection trust
SW1(config)#
*Mar  1 00:10:14.566: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:14 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:10:16.579: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:16 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:10:18.592: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:18 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:10:20.605: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:20 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:10:22.619: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:10:22 UTC Mon Mar 1 1993])
SW1(config)#ip arp inspection log-buffer entries ?
  <0-1024>  Number of entries for log buffer

SW1(config)#ip arp inspection log-buffer entries 100
SW1(config)#ip arp inspection log-buffer logs 10 interval 2
SW1(config)#ip arp inspection vlan 128 logging ?
  acl-match      Logging of packets that match ACLs
  arp-probe      Log ARP probe packets with zero sender IP addr
  dhcp-bindings  Logging of packet that match DHCP bindings 

SW1(config)#ip arp inspection vlan 128 logging acl-match ?
  matchlog  Log packets on ACE logging configuration
  none      Do not log packets that match ACLs

SW1(config)#ip arp inspection vlan 128 logging acl-match matchlog
SW1(config)#ip arp inspection vlan 128 logging dhcp-bindings ?
  all     Log all packets that match DHCP bindings
  none    Do not log packets that match DHCP bindings
  permit  Log DHCP Binding Permitted packets

SW1(config)#ip arp inspection vlan 128 logging dhcp-bindings all
SW1(config)#
*Mar  1 00:13:51.034: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.1/00:13:50 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:13:56.067: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:13:55 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:00.915: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:00 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:00.915: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:00 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:02.928: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:02 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:02.928: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:02 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:04.941: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:04 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:04.941: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:04 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:06.954: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:05 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:06.954: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:06 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:08.968: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.103/00:16:08 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:08.968: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/00:16:08 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:16:35.165: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Res) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/001b.2131.139b/10.0.128.254/00:16:35 UTC Mon Mar 1 1993])
SW1(config)#

I can't understand what log buffer means….
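Added as a worked example for the rate limiting and log-buffer sections (it is not from this page or from Cisco): a Python triage script for the %SW_DAI messages above. For reference, ip arp inspection log-buffer entries sizes the switch's buffer of dropped-packet records (the ones shown by show ip arp inspection log), and log-buffer logs X interval Y caps how many of those records are flushed to syslog per Y seconds, so the syslog lines are a sampled view of what DAI dropped. The script turns the DENY/PERMIT lines into a per-port picture (which sender MAC claimed which IPs without a binding, which hosts its unsolicited replies targeted, and whether it announced an IP by gratuitous ARP), picks up the PACKET_RATE_EXCEEDED and ERR_DISABLE messages, and replays ip arp inspection limit rate N burst interval S over the arrival times. The sample lines are copied from the logs on this page except the 01:07:56.310 one, which is constructed; the "more than N*S packets in any S-second window" threshold is this example's reading of the IOS rate limiter, not a documented formula.

```python
"""Triage of %SW_DAI syslog lines from the rate-limit and log-buffer sections.

Added example; not part of this wiki page or of any Cisco tool. Sample lines
are copied from the page except the 01:07:56.310 DENY line, which is
constructed so that two arrivals lie 117 ms apart, as the PACKET_RATE_EXCEEDED
message reports. The rate-limit replay treats `limit rate N burst interval S`
as "more than N*S packets in any S-second window" (assumption).
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
*Mar  1 01:06:27.818: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/ffff.ffff.ffff/10.0.128.103/01:06:27 UTC Mon Mar 1 1993])
*Mar  1 01:07:52.400: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:52 UTC Mon Mar 1 1993])
*Mar  1 01:07:56.225: %SW_DAI-4-PACKET_RATE_EXCEEDED: 2 packets received in 117 milliseconds on Fa1/0/3.
*Mar  1 01:07:56.225: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa1/0/3, putting Fa1/0/3 in err-disable state
*Mar  1 01:07:56.310: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/01:07:56 UTC Mon Mar 1 1993])
*Mar  1 01:07:56.427: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/001b.2a77.66d2/10.0.128.13/01:07:56 UTC Mon Mar 1 1993])
*Mar  1 00:13:51.034: %SW_DAI-6-DHCP_SNOOPING_PERMIT: 1 ARPs (Req) on Fa1/0/1, vlan 128.([001b.2a77.66d2/10.0.128.13/0000.0000.0000/10.0.128.1/00:13:50 UTC Mon Mar 1 1993])
"""

TS = r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d\.\d{3}): "
ARP_RE = re.compile(TS + r"%SW_DAI-\d-DHCP_SNOOPING_(?P<verdict>DENY|PERMIT): \d+ (?:Invalid )?ARPs "
                    r"\((?P<op>Req|Res)\) on (?P<port>\S+), vlan (?P<vlan>\d+)\.\(\["
                    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/")
RATE_RE = re.compile(TS + r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<n>\d+) packets received in "
                     r"(?P<ms>\d+) milliseconds on (?P<port>\S+)\.")
ERRDISABLE_RE = re.compile(TS + r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<port>\S+),")


def parse_ts(ts: str) -> datetime:
    """IOS uptime clock as printed in the logs (no year); fine for time deltas."""
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S.%f")


def max_in_window(times, seconds: float) -> int:
    """Largest number of arrivals inside any window of `seconds` (two-pointer sweep)."""
    ts, best, lo = sorted(times), 0, 0
    for hi, t in enumerate(ts):
        while (t - ts[lo]).total_seconds() > seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def would_errdisable(times, rate: int, burst: int) -> bool:
    """Replay `ip arp inspection limit rate <rate> burst interval <burst>`."""
    return max_in_window(times, burst) > rate * burst


def triage(log: str) -> dict:
    """Summarise DAI syslog: who spoofed what on which port, plus rate-limit events."""
    events, rate_msgs, errdisabled = [], [], []
    for line in log.splitlines():
        if m := ARP_RE.match(line):
            e = m.groupdict()
            e["t"] = parse_ts(e.pop("ts"))
            events.append(e)
        elif m := RATE_RE.match(line):
            rate_msgs.append((m["port"], int(m["n"]), int(m["ms"])))
        elif m := ERRDISABLE_RE.match(line):
            errdisabled.append(m["port"])
    claims, victims, arrivals, gratuitous = defaultdict(set), defaultdict(set), defaultdict(list), []
    for e in events:
        arrivals[e["port"]].append(e["t"])
        if e["verdict"] != "DENY":
            continue
        key = (e["port"], e["smac"])
        claims[key].add(e["sip"])                       # IPs this MAC claimed without a binding
        if e["op"] == "Res" and e["tmac"] == "ffff.ffff.ffff" and e["tip"] == e["sip"]:
            gratuitous.append(key + (e["sip"],))        # broadcast announcement of an IP
        elif e["op"] == "Res":
            victims[key].add(e["tip"])                  # hosts the unsolicited reply targeted
    return {
        "permitted": sum(e["verdict"] == "PERMIT" for e in events),
        "denied": sum(e["verdict"] == "DENY" for e in events),
        "claims": {k: sorted(v) for k, v in claims.items()},
        "victims": {k: sorted(v) for k, v in victims.items()},
        "gratuitous": gratuitous,
        "rate_exceeded": rate_msgs,
        "errdisabled": errdisabled,
        "peak_per_second": {p: max_in_window(t, 1) for p, t in arrivals.items()},
        "trips_rate1_burst1": {p: would_errdisable(t, 1, 1) for p, t in arrivals.items()},
    }
```

One caveat when using this on real logs: the rate limiter counts every incoming ARP on the port, and DAI only logs what it inspected (throttled by the log-buffer settings), so a port can be err-disabled by packets that never appear in syslog. The 01:07:56 lines above show this: PACKET_RATE_EXCEEDED reports two packets, but only one DENY is logged around it, which is why the sample has to include a constructed line for the window replay to reproduce the trip.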

tech/network/cisco/dynamic-arp-inspection/dynamic-arp-inspection.txt · Last modified: 2019/09/21 13:04 by wnoguchi