16 May 2010

Using Dynamic ARP Inspection

The DHCP snooping feature dynamically builds a DHCP binding
table, which contains the MAC addresses associated with specific
IP addresses. Additionally, this feature supports static MAC address
to IP address mappings, which might be appropriate for network
devices, such as routers. This DHCP binding table can be used by
the Dynamic ARP Inspection (DAI) feature to help prevent Address
Resolution Protocol (ARP) spoofing attacks.

Recall the purpose of ARP requests. When a network device needs
to determine the MAC address that corresponds to an IP address,
the device can send an ARP request. The target device replies to
the requesting device with an ARP reply. The ARP reply contains
the requested MAC address.

Attackers can launch an ARP spoofing attack by sending unsolicited
gratuitous ARP (GARP) replies. These GARP messages tell network devices
that the attacker’s MAC address corresponds to specific IP addresses.
For example, the attacker might be able to convince a PC that the
attacker’s MAC address is the MAC address of the PC’s default
gateway. As a result, the PC starts sending traffic to the attacker.
The attacker captures the traffic and then forwards the traffic to
the appropriate default gateway.

To illustrate, consider Figure Below. PC1 is configured with a
default gateway of However, the attacker sends GARP
messages to PC1, telling PC1 that the MAC address corresponding
to is BBBB.BBBB.BBBB, which is the attacker’s MAC
address. Similarly, the attacker sends GARP messages to the default
gateway, claiming that the MAC address corresponding to PC1’s IP
address of is BBBB.BBBB.BBBB. This ARP cache
poisoning causes PC1 and Router1 to exchange traffic via the attacker’s PC.
Therefore, this type of ARP spoofing attack is considered to be a
man-in-the-middle attack.

Networks can be protected from ARP spoofing attacks using the
DAI feature. DAI works similarly to DHCP snooping by using trusted
and untrusted ports. ARP replies are allowed into the switch on
trusted ports. However, if an ARP reply enters the switch on an
untrusted port, the contents of the ARP reply are compared to the
DHCP binding table to verify its accuracy. If the ARP reply is
inconsistent with the DHCP binding table, the ARP reply is dropped, and
the port is disabled.

The first step in configuring DAI is to enable DAI for one or more
VLANs. For example, to enable DAI for VLAN 100, enter the
following global configuration mode command:

SW3550(config)# ip arp inspection vlan 100

By default, the DAI feature considers all switch ports to be untrusted
ports. Therefore, trusted ports must be explicitly configured. These
trusted ports are the ports on which ARP replies are expected. For
example, to configure port Gigabit 0/6 to be a DAI trusted port, use
the following syntax:

SW3550(config)# interface gigabitethernet 0/6
SW3550(config-if)# ip arp inspection trust
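The inspection rule described above (ARP replies on trusted ports pass; replies on untrusted ports are checked against the DHCP binding table and dropped, with the port disabled, when they disagree) is modelled here as an added Python example, which is not part of the book or of Cisco IOS. The VLAN, port names, binding-table entries and ARP replies are constructed for the example; the attacker MAC BBBB.BBBB.BBBB is the one used in the text.

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table for VLAN 100 (IP -> MAC).
# Router1 is a static mapping, PC1 was learned from DHCP traffic.
BINDINGS = {
    100: {
        "10.1.1.1": "cccc.cccc.cccc",   # Router1, static entry
        "10.1.1.10": "aaaa.aaaa.aaaa",  # PC1, learned by DHCP snooping
    }
}

DAI_VLANS = {100}            # "ip arp inspection vlan 100"
TRUSTED_PORTS = {"Gi0/6"}    # "ip arp inspection trust" on Gi0/6
ERRDISABLED = set()          # ports disabled after a violation


@dataclass
class ArpReply:
    vlan: int
    port: str        # ingress switch port
    sender_ip: str   # IP the reply claims to speak for
    sender_mac: str  # MAC the reply binds to that IP


def inspect(reply: ArpReply) -> str:
    """Return 'permit' or 'drop' for an ARP reply entering the switch."""
    if reply.port in ERRDISABLED:
        return "drop"                      # port already shut down by DAI
    if reply.vlan not in DAI_VLANS:
        return "permit"                    # DAI not enabled on this VLAN
    if reply.port in TRUSTED_PORTS:
        return "permit"                    # trusted ports are not inspected
    expected = BINDINGS.get(reply.vlan, {}).get(reply.sender_ip)
    if expected is None or expected.lower() != reply.sender_mac.lower():
        ERRDISABLED.add(reply.port)        # binding mismatch: drop and disable
        return "drop"
    return "permit"


def demo() -> list:
    """Run the attack from the text plus legitimate traffic through DAI."""
    replies = [
        ArpReply(100, "Gi0/3", "10.1.1.1", "BBBB.BBBB.BBBB"),   # GARP to PC1
        ArpReply(100, "Gi0/3", "10.1.1.10", "BBBB.BBBB.BBBB"),  # GARP to Router1
        ArpReply(100, "Gi0/2", "10.1.1.10", "aaaa.aaaa.aaaa"),  # PC1, genuine
        ArpReply(100, "Gi0/6", "10.1.1.1", "cccc.cccc.cccc"),   # Router1, trusted
    ]
    return [(r.port, r.sender_ip, inspect(r)) for r in replies]
```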

See Also:

[*] ARP Attack Examples

[*] DHCP Snooping

CCNA Security Official Exam Certification Guide (Exam 640-553)