Interface Trust State, Security Coverage And Network Configuration - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
Chapter 58
Configuring Dynamic ARP Inspection
About Dynamic ARP Inspection

Interface Trust State, Security Coverage and Network Configuration

DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces
bypass all DAI validation checks, while packets arriving on untrusted interfaces go through the DAI
validation process. In a typical DAI network configuration, all ports connected to hosts are
configured as untrusted, while all ports connected to other switches are configured as trusted. With this
configuration, every ARP packet entering the network from a given switch passes the security check.
Figure 58-2 Validation of ARP Packets on a DAI-Enabled VLAN
(Figure: a DHCP server, Switch S1 and Switch S2, interfaces Fa6/3, Fa3/3, Fa6/4 and Fa3/4, and Hosts H1 and H2.)
Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be
trusted can result in a loss of connectivity. Assume that both S1 and S2 (in Figure 58-2) run DAI
on the VLAN ports that contain H1 and H2, and that H1 and H2 acquire their IP addresses from
the DHCP server connected to S1. Only S1 then holds the IP-address-to-MAC-address binding of H1. If the interface
between S1 and S2 is untrusted, the ARP packets from H1 are dropped on S2, because S2 has no binding
against which to validate them. This results in a loss of connectivity between H1 and H2.
Configuring interfaces as trusted when they are actually untrusted leaves a security hole in the
network. If S1 were not running DAI, H1 could easily poison the ARP cache of S2 (and of H2, if the inter-switch
link is configured as trusted). This condition can occur even though S2 is running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the
ARP caches of other hosts in the network. It does not, however, ensure that hosts from other portions of
the network do not poison the caches of the hosts connected to it.
To handle cases in which some switches in a VLAN run DAI and other switches do not, the interfaces
connecting such switches should be configured as untrusted. To validate the bindings of packets from
non-DAI switches, however, the switch running DAI must be configured with ARP ACLs, because it has no
DHCP snooping bindings for hosts behind those switches. When it is not feasible to determine such
bindings, switches running DAI should be isolated from non-DAI switches at Layer 3.

Note: Depending on the setup of the DHCP server and the network, it may not be possible to perform
validation of a given ARP packet on all switches in the VLAN.
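The following configuration is an added example, not taken from this guide, that applies the two rules above to the topology of Figure 58-2: the inter-switch link is trusted because both S1 and S2 run DAI, host ports are untrusted, and an ARP ACL validates packets from a hypothetical non-DAI switch S3. The port roles (Fa6/4 = H1 on S1, Fa6/3 and Fa3/3 = the S1-S2 link, Fa3/4 = H2 on S2), the port Fa6/5, switch S3, VLAN 10, and the host address 10.1.1.20 / 0000.0c12.3456 are assumptions chosen for illustration.

```cisco
! ===== Switch S1 (DHCP server attached here; DAI and DHCP snooping enabled) =====
! Assumed: VLAN 10 carries H1, H2 and the DHCP server.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
! Optional extra checks on every inspected packet (source MAC, destination MAC, IP sanity).
ip arp inspection validate src-mac dst-mac ip
!
interface FastEthernet6/4
 description Host H1 (assumed port) - untrusted: ARP is validated against the snooping binding
 switchport mode access
 switchport access vlan 10
 no ip arp inspection trust
!
interface FastEthernet6/3
 description Link to S2 (assumed port) - trusted: S2 runs DAI, so its ARP traffic is already validated
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
! Hypothetical non-DAI switch S3 on Fa6/5: keep the port UNTRUSTED and supply the
! bindings S1 cannot learn from DHCP snooping through an ARP ACL.
arp access-list NON-DAI-S3
 permit ip host 10.1.1.20 mac host 0000.0c12.3456
 ! implicit deny: any other IP/MAC pair from behind S3 is dropped
!
ip arp inspection filter NON-DAI-S3 vlan 10
!
interface FastEthernet6/5
 description Non-DAI switch S3 (hypothetical) - untrusted, validated by ARP ACL
 switchport mode trunk
 no ip arp inspection trust
!
! ===== Switch S2 =====
! S2 has no DHCP snooping binding for H1, so its side of the inter-switch link MUST be
! trusted; leaving Fa3/3 untrusted is the misconfiguration that drops H1's ARP packets.
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface FastEthernet3/3
 description Link to S1 (assumed port) - trusted
 switchport mode trunk
 ip arp inspection trust
 ip dhcp snooping trust
!
interface FastEthernet3/4
 description Host H2 (assumed port) - untrusted
 switchport mode access
 switchport access vlan 10
 no ip arp inspection trust
```

To check the result, `show ip arp inspection interfaces` lists the trust state of each port, `show ip arp inspection vlan 10` confirms that DAI and the ARP ACL are applied to the VLAN, and `show ip dhcp snooping binding` shows which IP-to-MAC bindings each switch actually holds; an inter-switch link that shows as untrusted on a switch with no binding for the remote hosts is exactly the loss-of-connectivity case described above.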
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
58-3
