

Cisco: Dynamic ARP Inspection (DAI)

Blueprint

  • CCIE R&S
    • Written v5.1
      • 5.0 Infrastructure Security
        • 5.2 Network security
          • 5.2.a [v] Dynamic ARP inspection
    • Lab v5.0
      • 4.0 Infrastructure Security
        • 4.2 Network security
          • 4.2.a [v] Dynamic ARP inspection

Dynamic ARP Inspection Lab (DHCP Environment)

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
interface FastEthernet 1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
end
  • R3 (Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

Verification

  • SW1
monitor session 1 source interface FastEthernet 1/0/3
monitor session 1 destination interface FastEthernet 1/0/12

SW1 Console Log

  1. In this lab an ARP request was observed to get through whether it entered on the trusted uplink or on an untrusted access port.
  2. An ARP reply is dropped by the switch when its sender IP/MAC pair is not found in the DHCP snooping binding table.
  3. Caveat: DAI applies the same sender IP/MAC check to requests and replies on untrusted ports (the Non-DHCP lab below logs dropped requests as "Invalid ARPs (Req)"). With DHCP snooping as the only binding source, R2's static 10.0.128.102 never gets a binding, so its ARP is dropped as well until an ARP ACL entry or an "ip source binding" is added for it, which is what the later labs do.

Dynamic ARP Inspection Lab (Non-DHCP Environment)

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip arp inspection vlan 128
!
arp access-list ARP-VLAN128
 permit ip host 10.0.128.101 mac host 001b.2a77.66d2 log
 permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface FastEthernet 1/0/24
 ip arp inspection trust
exit
!
end
  • R3 (Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

Verification

  • SW1
monitor session 1 source interface FastEthernet 1/0/3
monitor session 1 destination interface FastEthernet 1/0/12

SW1 Console Log

  1. On an untrusted port, ARP requests are also blocked when the sender matches no ARP ACL entry and no binding. R3's requests for 10.0.128.254 are dropped and logged as %SW_DAI-4-DHCP_SNOOPING_DENY rather than as an ACL deny: because the filter was applied without the "static" keyword, a packet that matches no ACE falls through to the DHCP snooping binding table, which is empty in this lab. Applying the filter with "static" would drop such packets on the ACL's implicit deny without consulting the binding table.
R3#ping 10.0.128.254
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.128.254, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW1(config)#
*Mar  1 00:08:24.834: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:24 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:08:26.848: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:26 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:08:28.861: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:28 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:08:30.874: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:30 UTC Mon Mar 1 1993])
SW1(config)#
*Mar  1 00:08:32.887: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:32 UTC Mon Mar 1 1993])
SW1(config)#
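A small parser for the console messages above, so the drops can be counted and attributed per port and sender instead of read one line at a time. This is an added example, not code from the page or from Cisco IOS: the regular expression follows the message layout shown in the log (reason, count, Req/Res, port, VLAN, then [sender MAC/sender IP/target MAC/target IP/time]). The sample input is the lab's five lines plus three constructed ones: an ACL_DENY, a dropped reply in which R3 claims the gateway address 10.0.128.1, and an unrelated %SYS message that the parser must ignore.

```python
"""Parse %SW_DAI-4-* console messages and summarise rejected ARP senders.

Added example, not part of the page or of Cisco IOS. The regex follows the
message layout in the lab's console log; the last three SAMPLE_LOG lines
are constructed to exercise ACL_DENY, a reply (Res) and a non-DAI message.
"""
import re
from collections import Counter, defaultdict

DAI_RE = re.compile(
    r"%SW_DAI-4-(?P<reason>\w+): (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>[^,\s]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
    r"(?P<when>[^\]]+)\]\)"
)

SAMPLE_LOG = [
    # the five lines from the lab console log above
    "*Mar  1 00:08:24.834: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:24 UTC Mon Mar 1 1993])",
    "*Mar  1 00:08:26.848: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:26 UTC Mon Mar 1 1993])",
    "*Mar  1 00:08:28.861: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:28 UTC Mon Mar 1 1993])",
    "*Mar  1 00:08:30.874: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:30 UTC Mon Mar 1 1993])",
    "*Mar  1 00:08:32.887: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:08:32 UTC Mon Mar 1 1993])",
    # constructed: R3 answers R2 claiming the gateway's address (classic ARP poisoning reply)
    "*Mar  1 00:09:01.012: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.1/0024.c431.126e/10.0.128.102/00:09:01 UTC Mon Mar 1 1993])",
    # constructed: same sender rejected by an explicit ARP ACL deny
    "*Mar  1 00:09:03.040: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa1/0/3, vlan 128.([0021.a009.487c/10.0.128.103/0000.0000.0000/10.0.128.254/00:09:03 UTC Mon Mar 1 1993])",
    # constructed: unrelated message, must be skipped
    "*Mar  1 00:09:05.000: %SYS-5-CONFIG_I: Configured from console by console",
]


def parse_dai_line(line: str):
    """Return the fields of one DAI deny message, or None for any other line."""
    m = DAI_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["count"] = int(d["count"])
    d["vlan"] = int(d["vlan"])
    d["op"] = "request" if d["op"] == "Req" else "reply"
    return d


def summarize(lines):
    """Aggregate drops per (port, sender MAC, sender IP, reason) and flag a MAC
    that claims more than one IP on the same port, the usual poisoning signature."""
    events = [e for e in map(parse_dai_line, lines) if e]
    by_reason = Counter()
    drops = Counter()
    ips_per_mac = defaultdict(set)
    for e in events:
        by_reason[e["reason"]] += e["count"]
        drops[(e["port"], e["smac"], e["sip"], e["reason"])] += e["count"]
        ips_per_mac[(e["port"], e["smac"])].add(e["sip"])
    multi = sorted(k for k, ips in ips_per_mac.items() if len(ips) > 1)
    return {"events": len(events), "by_reason": dict(by_reason),
            "drops": dict(drops), "multi_ip_senders": multi}


def run_sample():
    return summarize(SAMPLE_LOG)


if __name__ == "__main__":
    r = run_sample()
    for key, n in sorted(r["drops"].items()):
        print(f"{key[0]} {key[1]} {key[2]} {key[3]}: {n} dropped")
    print("MACs claiming several IPs:", r["multi_ip_senders"])
```

The per-reason split matters operationally: DHCP_SNOOPING_DENY on a port where a host is expected usually means a static host without a binding (R2's situation), while the same reason paired with a sender claiming the gateway address, or one MAC appearing with several IPs, is what an ARP poisoning attempt looks like in this log.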

DAI x IP Source Guard Lab

Base Configuration

  • SW1
configure terminal
!
vtp mode transparent
!
vlan 128
exit
!
ip routing
!
spanning-tree portfast default
!
interface range FastEthernet 1/0/1 - 3
 switchport mode access
 switchport access vlan 128
exit
interface FastEthernet 1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 128
exit
!
end
  • R1
configure terminal
!
interface FastEthernet 0/0
 ip address dhcp
 no shutdown
!
end
  • R2
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.102 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end
  • R3
configure terminal
!
interface FastEthernet 0/0
 no shutdown
!
end

Dynamic ARP inspection Configuration

  • SW1
configure terminal
!
ip dhcp snooping
ip dhcp snooping vlan 128
ip arp inspection vlan 128
!
ip dhcp snooping information option
!
ip source binding 0024.c431.126e vlan 128 10.0.128.102 interface FastEthernet 1/0/2
!
arp access-list ARP-VLAN128
 permit ip host 10.0.128.102 mac host 0024.c431.126e log
exit
!
ip arp inspection filter ARP-VLAN128 vlan 128
!
interface range FastEthernet 1/0/1 - 3
 ip verify source
exit
interface FastEthernet 1/0/24
 ip dhcp snooping trust
 ip arp inspection trust
exit
!
end
  • R3 (Attacker)
configure terminal
!
interface FastEthernet 0/0
 ip address 10.0.128.10 255.255.255.0
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 10.0.128.1
!
end

Verification

SW1 Console Log

  • I think that, for the anti IP spoofing problem, DAI satisfies the requirements…
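To make the behaviour of all three labs explicit, here is a small model of the decision the switch makes: for an ARP packet on an untrusted port, the ARP ACL is consulted first, then the DHCP snooping binding table unless the filter was applied with the "static" keyword; for IP packets on a port with "ip verify source", the source IP must be bound to that port. This is an added illustration, not Cisco IOS code. Ports, MACs and addresses are the lab's; the packets are constructed, and R1's DHCP lease is assumed to be 10.0.128.101 (the address the lab's ARP ACL pairs with R1's MAC).

```python
"""Model of the forwarding decision DAI and IP Source Guard make in the three labs.

Added illustration, not Cisco IOS code. Order of checks for an ARP packet on
an untrusted port: ARP ACL, then DHCP snooping binding table (skipped when the
filter was applied with `static`). `ip verify source` checks IP packets
against bindings on the ingress port. R1's lease (10.0.128.101) is assumed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


def norm_mac(mac: str) -> str:
    """Accept 0024.c431.126e, 00:24:c4:31:12:6e or 0024c431126e."""
    return mac.lower().replace(".", "").replace(":", "").replace("-", "")


@dataclass(frozen=True)
class Binding:
    """One row of the binding table: learned by DHCP snooping or `ip source binding`."""
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass(frozen=True)
class ArpAce:
    """`permit|deny ip host <ip> mac host <mac>` inside `arp access-list`."""
    action: str
    ip: str
    mac: str


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"; DAI checks the sender pair for both
    sender_mac: str
    sender_ip: str
    port: str
    vlan: int


class Switch:
    def __init__(self, trusted: Iterable[str] = (), arp_acl: Iterable[ArpAce] = (),
                 acl_static: bool = False, ipsg_ports: Iterable[str] = ()):
        self.trusted = set(trusted)          # `ip arp inspection trust`
        self.acl = list(arp_acl)             # `ip arp inspection filter <acl> vlan N`
        self.acl_static = acl_static         # ... applied with the `static` keyword
        self.ipsg_ports = set(ipsg_ports)    # `ip verify source`
        self.bindings: list[Binding] = []

    def add_binding(self, mac: str, ip: str, vlan: int, port: str) -> None:
        self.bindings.append(Binding(norm_mac(mac), ip, vlan, port))

    def _binding(self, ip: str, vlan: int, mac: Optional[str] = None,
                 port: Optional[str] = None) -> Optional[Binding]:
        for b in self.bindings:
            if (b.ip == ip and b.vlan == vlan
                    and (mac is None or b.mac == norm_mac(mac))
                    and (port is None or b.port == port)):
                return b
        return None

    def dai_check(self, pkt: ArpPacket) -> tuple[bool, str]:
        """(forwarded?, reason) for one ARP packet."""
        if pkt.port in self.trusted:
            return True, "trusted port: not inspected"
        for ace in self.acl:                 # the ACL takes precedence over bindings
            if ace.ip == pkt.sender_ip and norm_mac(ace.mac) == norm_mac(pkt.sender_mac):
                return ace.action == "permit", f"arp access-list {ace.action}"
        if self.acl and self.acl_static:     # `static`: no fallback to the binding table
            return False, "arp access-list implicit deny"
        if self._binding(pkt.sender_ip, pkt.vlan, mac=pkt.sender_mac):
            return True, "dhcp snooping binding"
        return False, "DHCP_SNOOPING_DENY"   # logged as %SW_DAI-4-DHCP_SNOOPING_DENY

    def ipsg_check(self, port: str, vlan: int, src_ip: str) -> tuple[bool, str]:
        """`ip verify source` (source-IP mode): the source IP must be bound to this port."""
        if port not in self.ipsg_ports:
            return True, "ip verify source not configured"
        if self._binding(src_ip, vlan, port=port):
            return True, "binding on this port"
        return False, "no binding for source IP on this port"


def run_labs() -> dict[str, bool]:
    R1, R2, R3 = "001b.2a77.66d2", "0024.c431.126e", "0021.a009.487c"
    acl = [ArpAce("permit", "10.0.128.101", R1), ArpAce("permit", "10.0.128.102", R2)]
    # Lab 1: DHCP snooping is the only binding source; R2 (static IP) never gets one.
    lab1 = Switch(trusted=["Fa1/0/24"])
    lab1.add_binding(R1, "10.0.128.101", 128, "Fa1/0/1")   # assumed DHCP lease for R1
    # Lab 2: no snooping, ARP ACL for R1/R2, filter applied without `static`.
    lab2 = Switch(trusted=["Fa1/0/24"], arp_acl=acl)
    # Lab 3: snooping + `ip source binding` for R2 + `ip verify source` on Fa1/0/1-3.
    lab3 = Switch(trusted=["Fa1/0/24"], arp_acl=acl[1:],
                  ipsg_ports=["Fa1/0/1", "Fa1/0/2", "Fa1/0/3"])
    lab3.add_binding(R2, "10.0.128.102", 128, "Fa1/0/2")
    arp = lambda mac, ip, port, op="request": ArpPacket(op, mac, ip, port, 128)
    return {
        "lab1_r1_request":      lab1.dai_check(arp(R1, "10.0.128.101", "Fa1/0/1"))[0],
        "lab1_r2_static_reply": lab1.dai_check(arp(R2, "10.0.128.102", "Fa1/0/2", "reply"))[0],
        "lab1_r3_gateway_spoof": lab1.dai_check(arp(R3, "10.0.128.1", "Fa1/0/3", "reply"))[0],
        "lab2_r3_request":      lab2.dai_check(arp(R3, "10.0.128.103", "Fa1/0/3"))[0],  # the console log
        "lab2_r2_via_acl":      lab2.dai_check(arp(R2, "10.0.128.102", "Fa1/0/2"))[0],
        "lab3_r2_arp":          lab3.dai_check(arp(R2, "10.0.128.102", "Fa1/0/2"))[0],
        "lab3_r2_ip":           lab3.ipsg_check("Fa1/0/2", 128, "10.0.128.102")[0],
        "lab3_r3_spoofs_r2_ip": lab3.ipsg_check("Fa1/0/3", 128, "10.0.128.102")[0],
    }


if __name__ == "__main__":
    for name, forwarded in run_labs().items():
        print(f"{name:24} {'forwarded' if forwarded else 'dropped'}")
```

The last two entries show why the third lab combines the features: DAI alone only polices ARP, so R3 could still send IP packets with R2's source address; "ip verify source" drops them because 10.0.128.102 is bound to Fa1/0/2, not Fa1/0/3. The model deliberately leaves out the optional "ip arp inspection validate" checks (src-mac, dst-mac, ip) and DAI rate limiting, which the labs do not configure.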

tech/network/cisco/dynamic-arp-inspection/dynamic-arp-inspection.1568760703.txt.gz · Last modified: 2019/09/18 07:51 by wnoguchi