PG1X WIKI

My Knowledge Base



Cisco: Dynamic ARP Inspection (DAI)

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.2 Network security
          • 5.2.a [v] Dynamic ARP inspection
    • Lab v5.0
      • 4.0 Infrastructure Security
        • 4.2 Network security
          • 4.2.a [v] Dynamic ARP inspection

Dynamic ARP Inspection Lab (DHCP)

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
interface FastEthernet 1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
end
  • R3 (Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

Verification

Dynamic ARP Inspection Lab (Static)

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip arp inspection vlan 128
!
arp access-list HOST-R2
 permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter HOST-R2 vlan 128
!
interface FastEthernet 1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
end
  • R3 (Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
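The two labs above differ only in where SW1 gets the IP-to-MAC bindings it trusts: the DHCP lab relies on the DHCP snooping binding table, the static lab on the ARP access-list HOST-R2. The following Python model, added here as an illustration and not taken from the wiki or from Cisco, walks an ARP packet's sender MAC/IP through the DAI decision for both configurations: trusted ports are not inspected, an applied ARP ACL is consulted first (falling through to the binding table unless the filter was applied with the `static` keyword), and everything else must match a binding on that VLAN. R1's and R3's MAC addresses and R1's DHCP-assigned address are constructed values; R2's MAC and IP, R3's IP and the gateway address come from the configs above. Optional `ip arp inspection validate` checks and rate limiting are not modelled.

```python
"""Simplified model of the Dynamic ARP Inspection decision for an ARP packet
received on an access port. Added example, not Cisco code and not from the wiki.
Only the default check is modelled: sender MAC/IP against an optional ARP ACL
and the DHCP snooping binding table."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table."""
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class ArpAcl:
    """An 'arp access-list' with 'permit ip host A mac host B' entries."""
    permits: set = field(default_factory=set)   # {(ip, mac), ...}
    static: bool = False   # applied with 'static': no fallback to bindings


@dataclass
class Dai:
    vlans: set        # VLANs with 'ip arp inspection vlan'
    trusted: set      # interfaces with 'ip arp inspection trust'
    bindings: set     # DHCP snooping (and 'ip source binding') entries
    acl_by_vlan: dict = field(default_factory=dict)  # 'ip arp inspection filter'

    def inspect(self, interface, vlan, sender_mac, sender_ip):
        """Return ('permit' | 'deny', reason) for the packet's sender fields."""
        if vlan not in self.vlans:
            return "permit", "VLAN not inspected"
        if interface in self.trusted:
            return "permit", "trusted interface, not inspected"
        acl = self.acl_by_vlan.get(vlan)
        if acl is not None:
            if (sender_ip, sender_mac) in acl.permits:
                return "permit", "ARP ACL permit entry"
            if acl.static:
                return "deny", "ARP ACL implicit deny (static)"
        for b in self.bindings:
            if b.vlan == vlan and b.mac == sender_mac and b.ip == sender_ip:
                return "permit", f"binding learned on {b.interface}"
        return "deny", "no matching IP-to-MAC binding"


# Constructed addresses for R1 and R3; R2's MAC/IP, R3's IP and the gateway are
# taken from the lab configs.
R1_MAC, R1_IP = "0011.2233.4401", "10.0.128.101"   # constructed, DHCP-assigned
R2_MAC, R2_IP = "0024.c431.126e", "10.0.128.102"   # from the page
R3_MAC, R3_IP = "0011.2233.4403", "10.0.128.10"    # MAC constructed, IP from page
GATEWAY_IP = "10.0.128.1"
TRUNK = "FastEthernet1/0/24"


def build_lab1():
    """DHCP lab: DHCP snooping on, so R1's lease becomes a binding; no ARP ACL."""
    learned = {Binding(R1_MAC, R1_IP, 128, "FastEthernet1/0/1")}
    return Dai(vlans={128}, trusted={TRUNK}, bindings=learned)


def build_lab2():
    """Static lab: no 'ip dhcp snooping', so the table is empty; HOST-R2 applied."""
    host_r2 = ArpAcl(permits={(R2_IP, R2_MAC)}, static=False)
    return Dai(vlans={128}, trusted={TRUNK}, bindings=set(),
               acl_by_vlan={128: host_r2})


def run_scenarios():
    """Verdicts for the interesting ARP packets in each lab."""
    lab1, lab2 = build_lab1(), build_lab2()
    return {
        "lab1 R1 (DHCP binding)": lab1.inspect("FastEthernet1/0/1", 128, R1_MAC, R1_IP),
        "lab1 R2 (static IP, no binding)": lab1.inspect("FastEthernet1/0/2", 128, R2_MAC, R2_IP),
        "lab1 R3 claims gateway": lab1.inspect("FastEthernet1/0/3", 128, R3_MAC, GATEWAY_IP),
        "lab1 same packet on trunk": lab1.inspect(TRUNK, 128, R3_MAC, GATEWAY_IP),
        "lab2 R2 (ACL entry)": lab2.inspect("FastEthernet1/0/2", 128, R2_MAC, R2_IP),
        "lab2 R3 claims R2 IP": lab2.inspect("FastEthernet1/0/3", 128, R3_MAC, R2_IP),
        "lab2 R1 (no snooping, no ACL entry)": lab2.inspect("FastEthernet1/0/1", 128, R1_MAC, R1_IP),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in run_scenarios().items():
        print(f"{name:38s} {verdict:6s} {reason}")
```

Two results are worth noting against the configs: in the DHCP lab R2 has a static address and therefore no snooping binding, which is why its ARP is dropped until the static lab adds HOST-R2 (or the third lab adds an `ip source binding`); and in the static lab as written, DHCP snooping is not enabled, so R1's DHCP-learned address never becomes a binding and R1's ARP is dropped as well unless an ACL entry or snooping is added for it.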

Verification

DAI x IP source-guard Lab

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
ip source binding 0024.c431.126e vlan 128 10.0.128.102 interface FastEthernet 1/0/2
!
interface range FastEthernet 1/0/1 - 3
 ip verify source
exit
interface FastEthernet 1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
end
  • R3 (Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
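The third lab adds `ip verify source` on the access ports and a static `ip source binding` for R2. The model below, added here as an illustration and not taken from the wiki or from Cisco, shows the two effects of that entry: IP Source Guard on Fa1/0/2 stops dropping R2's IP traffic once a binding exists for that port, VLAN and source address, and DAI accepts R2's ARP without any ARP ACL because the same binding sits in the snooping table. It models the source-IP-only form of `ip verify source` (the `port-security` variant, which also checks the MAC, is not modelled). R1's MAC and DHCP-assigned address are constructed; R2's MAC/IP and R3's IP come from the configs above.

```python
"""Simplified model of IP Source Guard ('ip verify source', source-IP mode) and
of a static 'ip source binding' feeding both IP Source Guard and DAI.
Added example; not Cisco code and not from the wiki."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str
    source: str   # "dhcp-snooping" or "static"


R1_MAC, R1_IP = "0011.2233.4401", "10.0.128.101"   # constructed, DHCP-assigned
R2_MAC, R2_IP = "0024.c431.126e", "10.0.128.102"   # from the page
R3_IP = "10.0.128.10"                               # from the page

# Ports carrying 'ip verify source' in the lab (range Fa1/0/1 - 3).
VERIFY_SOURCE_PORTS = {"FastEthernet1/0/1", "FastEthernet1/0/2", "FastEthernet1/0/3"}

# What the binding table holds before and after the static entry is added.
DHCP_LEARNED = {Binding(R1_MAC, R1_IP, 128, "FastEthernet1/0/1", "dhcp-snooping")}
STATIC_R2 = Binding(R2_MAC, R2_IP, 128, "FastEthernet1/0/2", "static")


def ipsg_check(bindings, interface, vlan, src_ip):
    """IP Source Guard verdict for a non-DHCP IP packet entering 'interface'.
    Source-IP mode: permit only if a binding exists for this port, VLAN and IP."""
    if interface not in VERIFY_SOURCE_PORTS:
        return "permit", "ip verify source not enabled on port"
    for b in bindings:
        if b.interface == interface and b.vlan == vlan and b.ip == src_ip:
            return "permit", f"{b.source} binding"
    return "deny", "no binding for this source IP on this port"


def dai_binding_check(bindings, vlan, sender_mac, sender_ip):
    """DAI's binding-table test for an ARP packet on an untrusted port
    (no ARP ACL is applied in this lab)."""
    return any(b.vlan == vlan and b.mac == sender_mac and b.ip == sender_ip
               for b in bindings)


def run():
    """Verdicts before and after 'ip source binding ... interface Fa1/0/2'."""
    before = DHCP_LEARNED
    after = DHCP_LEARNED | {STATIC_R2}
    return {
        "R2 IP traffic before static binding": ipsg_check(before, "FastEthernet1/0/2", 128, R2_IP)[0],
        "R2 IP traffic after static binding": ipsg_check(after, "FastEthernet1/0/2", 128, R2_IP)[0],
        "R2 ARP via DAI before static binding": dai_binding_check(before, 128, R2_MAC, R2_IP),
        "R2 ARP via DAI after static binding": dai_binding_check(after, 128, R2_MAC, R2_IP),
        "R1 IP traffic (DHCP-learned)": ipsg_check(after, "FastEthernet1/0/1", 128, R1_IP)[0],
        "R3 IP traffic with its static IP": ipsg_check(after, "FastEthernet1/0/3", 128, R3_IP)[0],
        "R3 IP traffic using R2's IP": ipsg_check(after, "FastEthernet1/0/3", 128, R2_IP)[0],
        "trunk Fa1/0/24 (no verify source)": ipsg_check(after, "FastEthernet1/0/24", 128, R3_IP)[0],
    }


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:40s} {verdict}")
```

The last two R3 results show why the binding carries the interface: R3 is dropped on Fa1/0/3 both with its own static address (no lease, so no binding) and when it presents R2's address, because the only binding for 10.0.128.102 is tied to Fa1/0/2. Note that R2's own traffic is also dropped until the static entry is configured, which is the reason the lab adds it.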

Verification

References

tech/network/cisco/dynamic-arp-inspection/dynamic-arp-inspection.1568627445.txt.gz · Last modified: 2019/09/16 18:50 by wnoguchi