Dynamic ARP Inspection Overview
Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks in which an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. ARP poisoning is a tactic in which an attacker injects false ARP packets into the subnet, normally by broadcasting ARP responses in which the attacker claims to be someone else. By poisoning the ARP cache, a malicious user can intercept the traffic intended for other hosts on the network.
The Dynamic ARP Inspection application performs ARP packet validation. When DAI is enabled, it verifies that the sender MAC address and the sender IP address form a valid pair in the DHCP snooping binding database and drops ARP packets whose sender MAC address and sender IP address do not match an entry in the database. Additional ARP packet validation can be configured.
If DHCP snooping is disabled on the ingress VLAN or the receive interface is trusted for DHCP snooping, ARP packets are dropped.
Functional Description
DAI is enabled on VLANs, which effectively enables DAI on the interfaces (physical ports or LAGs) that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping. A trusted port is a port the network administrator does not consider to be a security threat. An untrusted port is one that could potentially be used to launch a network attack.
DAI considers all physical ports and LAGs untrusted by default.
Static Mappings
Static mappings are useful when hosts use static IP addresses, when DHCP snooping cannot be run, or when other switches in the network do not run dynamic ARP inspection. A static mapping associates an IP address with a MAC address on a VLAN. DAI consults its static mappings before it consults DHCP snooping, so static mappings take precedence over DHCP snooping bindings.
ARP ACLs are used to define static mappings for DAI. In this implementation, only the subset of ARP ACL syntax required for DAI is supported. ARP ACLs are completely independent of the ACLs used for QoS. A maximum of 100 ARP ACLs can be configured. Within an ACL, a maximum of 20 rules can be configured.
Optional ARP Packet Validation
If optional ARP packet validation has been configured, DAI verifies that the sender MAC address equals the source MAC address in the Ethernet header. Additionally, the option to verify that the target MAC address equals the destination MAC address in the Ethernet header can be configured. This check only applies to ARP responses, since the target MAC address is unspecified in ARP requests.
You can also enable IP address checking. When this option is enabled, DAI drops ARP packets with an invalid IP address. The following IP addresses are considered invalid:
• 0.0.0.0
• 255.255.255.255
• All IP multicast addresses
• All class E addresses (240.0.0.0/4)
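The following reference model, added here as an illustration and not taken from the switch software, applies the DAI decision rules described in this section (static mappings consulted before DHCP snooping bindings, the optional sender/target MAC checks, and the invalid-IP classes listed above) to constructed ARP packets. It assumes that a DAI-trusted port is forwarded without inspection, that the sender IP is the field the IP check examines, and it simplifies ARP ACL entries to (VLAN, IP, MAC) tuples; the bindings, MAC and IP values are made up for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

@dataclass
class ArpPacket:
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    is_reply: bool    # True for an ARP reply, False for a request
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

def ip_is_invalid(ip: str) -> bool:
    """The four invalid classes listed above: 0.0.0.0, 255.255.255.255, multicast, class E."""
    addr = IPv4Address(ip)
    return (ip in ("0.0.0.0", "255.255.255.255") or addr.is_multicast
            or (int(addr) >> 28) == 0xF)  # 240.0.0.0/4

def dai_verdict(pkt, vlan, port_trusted, static_mappings, dhcp_bindings,
                validate_src_mac=False, validate_dst_mac=False, validate_ip=False):
    """Return ("forward", reason) or ("drop", reason); both mapping tables are
    sets of (vlan, ip, mac) tuples (a simplification of ARP ACL syntax)."""
    if port_trusted:  # assumption: a DAI-trusted port is forwarded without inspection
        return ("forward", "trusted port, not inspected")
    key = (vlan, pkt.sender_ip, pkt.sender_mac)
    if key in static_mappings:        # static mappings take precedence ...
        source = "static mapping"
    elif key in dhcp_bindings:        # ... over DHCP snooping bindings
        source = "DHCP snooping binding"
    else:
        return ("drop", "sender MAC/IP pair not in static mappings or DHCP bindings")
    if validate_src_mac and pkt.sender_mac != pkt.eth_src:
        return ("drop", "sender MAC differs from Ethernet source MAC")
    if validate_dst_mac and pkt.is_reply and pkt.target_mac != pkt.eth_dst:
        return ("drop", "target MAC differs from Ethernet destination MAC")
    if validate_ip and ip_is_invalid(pkt.sender_ip):  # assumption: sender IP is checked
        return ("drop", "invalid sender IP address")
    return ("forward", f"pair validated by {source}")

# Constructed sample state for VLAN 10: one DHCP lease and one static mapping.
BINDINGS = {(10, "10.0.0.20", "00:11:22:33:44:55")}
STATIC = {(10, "10.0.0.5", "aa:bb:cc:dd:ee:01")}

def demo():
    # Constructed packets: a valid request from the DHCP client, and a reply whose
    # sender MAC/IP pair appears in no table (the cache-poisoning case described above).
    legit = ArpPacket("00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", False,
                      "00:11:22:33:44:55", "10.0.0.20", "00:00:00:00:00:00", "10.0.0.1")
    forged = ArpPacket("de:ad:be:ef:00:01", "00:11:22:33:44:55", True,
                       "de:ad:be:ef:00:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.20")
    return [dai_verdict(p, 10, False, STATIC, BINDINGS, True, True, True)[0] for p in (legit, forged)]
```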