Dynamic ARP Inspection


DAI (Dynamic ARP Inspection) is a feature of Cisco switches, similar to DHCP Snooping. Ports are either trusted or untrusted, and ARP messages received on untrusted ports are inspected to decide whether they should be discarded.

Unlike DHCP Snooping, Cisco recommends trusting every port connected to an infrastructure device (switches, routers), not only the uplinks.

An ARP Poisoning attack (ARP Spoofing) works by using Gratuitous ARP messages, which are essentially ARP replies sent as broadcast. Every host on the LAN therefore updates its ARP table with the IP-to-MAC mapping the message specifies. Think for a moment: an attacker could put its own MAC Address as the Sender MAC Address in the ARP body and the legitimate Default Gateway's IP Address as the Sender IP Address. It would then impersonate the Default Gateway, and the devices would send their traffic to it instead of to the legitimate Default Gateway.

How DAI Works

DAI inspects all ARP messages, and ARP messages only, entering its untrusted interfaces. It discards a packet if the Sender IP/MAC pair does not match an entry in the DHCP Snooping binding table (or a configured ARP ACL), or if one of the optional validate checks (src-mac, dst-mac, ip) fails.

Configure

  1. Enable DAI
    configure terminal
    ip arp inspection vlan {vlan-id}
  2. Select the interface(s) and trust them
    interface range g0/1 - 2 //EXAMPLE
    ip arp inspection trust
  3. (OPTIONAL) Change the Rate Limit
    ip arp inspection limit rate {arp-messages} [burst interval {seconds}]
  4. (OPTIONAL) Validate more
    ip arp inspection validate {dst-mac | ip | src-mac}

💡 NOTE: The burst interval defines the window in seconds over which the rate is counted. So the full sentence would be: limit the rate to x ARP messages per y seconds.

Configure and set ACLs

  1. Create the ARP ACL and configure it
    configure terminal
    arp access-list {ACL-NAME}
    permit ip host {ip} mac host {mac-address}
  2. Apply it to the interface
    interface g0/1
    ip arp inspection filter {ACL-NAME} vlan {vlan-id}
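The following is an added example, not code from the original notes or from Cisco: a small Python model of the inspection logic that the configuration steps above (trusted ports, rate limit with burst interval, the validate options) and the ARP ACL step enable. The topology, bindings, MAC addresses and frames are all constructed for the demo; the `DaiInspector` class and its method names are hypothetical. It runs the Gratuitous ARP spoof described earlier through the checks and shows why it is dropped, and it shows the rate limit err-disabling a port.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address

# Hypothetical model of a DAI inspector; it mirrors the switch behaviour described
# in the notes above but is not Cisco code.

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    port: str          # ingress interface name
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    op: int            # 1 = request, 2 = reply (a gratuitous ARP is a broadcast reply)
    sender_mac: str    # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def ip_is_invalid(ip: str) -> bool:
    """'validate ip' rejects 0.0.0.0, 255.255.255.255 and multicast addresses."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


class DaiInspector:
    def __init__(self, bindings, trusted_ports, acl=(), validate=(), rate=15, burst=1):
        self.bindings = {(ip, mac.lower()) for ip, mac in bindings}  # DHCP Snooping binding table
        self.acl = {(ip, mac.lower()) for ip, mac in acl}            # 'arp access-list' permit entries
        self.trusted = set(trusted_ports)
        self.validate = set(validate)        # any of {"src-mac", "dst-mac", "ip"}
        self.rate, self.burst = rate, burst  # 'limit rate <rate> burst interval <burst>'
        self.history = defaultdict(deque)    # port -> arrival timestamps (seconds)
        self.errdisabled = set()

    def inspect(self, f: ArpFrame, now: float):
        """Return (verdict, reason) for one ARP frame arriving at time `now`."""
        if f.port in self.trusted:
            return "FORWARD", "trusted port, not inspected"
        if f.port in self.errdisabled:
            return "DROP", "port is err-disabled"
        # Rate limit: more than rate*burst packets inside any burst-second window err-disables the port
        hist = self.history[f.port]
        while hist and now - hist[0] >= self.burst:
            hist.popleft()
        hist.append(now)
        if len(hist) > self.rate * self.burst:
            self.errdisabled.add(f.port)
            return "DROP", "rate limit exceeded, port err-disabled"
        # Optional header/body consistency checks ('ip arp inspection validate ...')
        if "src-mac" in self.validate and f.eth_src.lower() != f.sender_mac.lower():
            return "DROP", "src-mac: Ethernet source != ARP sender MAC"
        if "dst-mac" in self.validate and f.op == ARP_REPLY and f.eth_dst.lower() != f.target_mac.lower():
            return "DROP", "dst-mac: Ethernet destination != ARP target MAC"
        if "ip" in self.validate:
            if ip_is_invalid(f.sender_ip) or (f.op == ARP_REPLY and ip_is_invalid(f.target_ip)):
                return "DROP", "ip: invalid or unexpected IP address in ARP body"
        # Binding check: ARP ACL permits are consulted first, then the DHCP Snooping bindings
        # (the behaviour of 'ip arp inspection filter' without the 'static' keyword)
        key = (f.sender_ip, f.sender_mac.lower())
        if key in self.acl or key in self.bindings:
            return "FORWARD", "sender IP/MAC matches a binding"
        return "DROP", "sender IP/MAC matches no ARP ACL entry or DHCP Snooping binding"


def build_demo_inspector():
    # Constructed topology: gateway 10.0.0.1 behind trusted uplink g0/1, DHCP clients on g0/3 and g0/4,
    # a statically addressed printer permitted via ARP ACL, all other ports untrusted.
    return DaiInspector(
        bindings=[("10.0.0.10", "aa:aa:aa:aa:00:10"), ("10.0.0.11", "aa:aa:aa:aa:00:11")],
        trusted_ports=["g0/1"],
        acl=[("10.0.0.50", "cc:cc:cc:cc:00:50")],
        validate=("src-mac", "dst-mac", "ip"),
        rate=15, burst=1,
    )


def demo_gratuitous_arp_spoof():
    """A host on untrusted g0/5 broadcasts a gratuitous ARP reply claiming the gateway's IP."""
    dai = build_demo_inspector()
    rogue_mac = "de:ad:be:ef:00:05"
    spoof = ArpFrame("g0/5", rogue_mac, BROADCAST, ARP_REPLY,
                     rogue_mac, "10.0.0.1", BROADCAST, "10.0.0.1")
    return dai.inspect(spoof, now=0.0)


def demo_rate_limit():
    """Sixteen ARP requests within one second on g0/4 exceed 'limit rate 15 burst interval 1'."""
    dai = build_demo_inspector()
    legit = ArpFrame("g0/4", "aa:aa:aa:aa:00:11", BROADCAST, ARP_REQUEST,
                     "aa:aa:aa:aa:00:11", "10.0.0.11", "00:00:00:00:00:00", "10.0.0.1")
    verdicts = [dai.inspect(legit, now=0.5)[0] for _ in range(16)]
    return verdicts, "g0/4" in dai.errdisabled


if __name__ == "__main__":
    print(demo_gratuitous_arp_spoof())
    print(demo_rate_limit())
```

The spoofed reply passes the src-mac, dst-mac and ip validations (its headers are internally consistent), so the only thing that catches it is the binding check: the gateway IP paired with an unknown MAC exists in neither the DHCP Snooping table nor the ARP ACL. That is the reason the ACL step matters for statically addressed devices, which never appear in the snooping table and would otherwise be dropped too.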

Show messages

Show interfaces with DAI

show ip arp inspection interfaces

See DAI Statistics

show ip arp inspection