Sunday, 7 February 2016

Setting up Dynamic ARP Inspection (DAI)

DAI is a mechanism used to prevent ARP spoofing: it intercepts ARP packets arriving on untrusted ports and checks that the IP-to-MAC association they carry is valid, which it does by looking the pair up in the DHCP snooping binding database.

If it identifies a bad (spoofed) ARP packet it will simply drop the packet before it is forwarded or added to the CAM table.

DAI is enabled on a per VLAN basis with:
ip arp inspection vlan 100
and then to verify the configuration:
show ip arp inspection vlan 100
We can also set a limit on the maximum number of ARP requests received per second. By default this is usually 10, but on busy networks I usually increase it to 100; this will of course vary greatly depending on your network!

int range gi0/1-48
ip arp inspection limit rate 100

By default all ports are untrusted, but if for example we had a trunk to another switch that was hooked up to a load of servers with statically assigned IPs, we might wish to trust that port:
int g0/15
ip arp inspection trust
Now, since DAI relies on the DHCP snooping binding database, any static IPs will be absent from it, and when DAI is enabled you will see something like the following in the logs:

*Mar  1 00:44:05.783: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/4, vlan 100.([0001.807c.1234/ UTC Mon Mar 1 1993])

So in order to exclude these hosts configured with static IPs (for example routers, servers, printers etc.) we can create an ARP ACL and apply it as a DAI filter (substitute the host's actual static IP address for the placeholder):
arp access-list mydaifilter
permit ip host <static-ip-of-host> mac host 54ee.7534.1234
and then apply the filter:
ip arp inspection filter mydaifilter vlan 100
and to verify the entry we can use:
show ip arp inspection vlan 100
Finally we can check whether any ARP packets are being dropped by defining a buffer size and turning on logging with:
conf t
ip arp inspection log-buffer entries 512
and then review the log with something like:
show ip arp inspection log
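Pulling the steps above into one ordered configuration, as an added example that is not from the original post: it assumes a Catalyst IOS switch, VLAN 100, Gi0/15 as the uplink and <static-ip-of-host> as a placeholder for the real address. DHCP snooping is shown first because DAI validates ARP packets against the binding table that snooping builds, so enabling DAI on its own drops every ARP from a dynamically addressed host.

```cisco
! --- Prerequisite: build the DHCP snooping binding database DAI checks against ---
ip dhcp snooping
ip dhcp snooping vlan 100
!
! Uplink to the distribution switch (assumed interface): trusted for both
! DHCP snooping (so DHCP offers from upstream are accepted) and DAI
! (so ARP from the statically addressed server segment is not inspected).
interface GigabitEthernet0/15
 description Uplink - trusted for DHCP snooping and DAI
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Enable DAI on the VLAN and add extra sanity checks on each ARP packet ---
ip arp inspection vlan 100
! validate: the Ethernet source MAC, the Ethernet destination MAC and the
! ARP body addresses must all be consistent (drops malformed/spoofed frames)
ip arp inspection validate src-mac dst-mac ip
!
! --- Access ports: untrusted (default) with the raised rate limit from the post ---
interface range GigabitEthernet0/1 - 14
 ip arp inspection limit rate 100
interface range GigabitEthernet0/16 - 48
 ip arp inspection limit rate 100
!
! --- Statically addressed host that never appears in the snooping table ---
arp access-list mydaifilter
 permit ip host <static-ip-of-host> mac host 54ee.7534.1234
! Without the "static" keyword, packets not matching the ACL are still checked
! against the DHCP snooping bindings; with it, the ACL alone decides.
ip arp inspection filter mydaifilter vlan 100
!
! --- Logging of dropped ARP packets ---
ip arp inspection log-buffer entries 512
!
! Verification (exec mode):
!   show ip dhcp snooping binding   - hosts DAI will accept without an ACL entry
!   show ip arp inspection vlan 100 - DAI state, filter and validation settings
!   show ip arp inspection log      - dropped packets (look for DHCP_SNOOPING_DENY)
```

A port that exceeds the rate limit is err-disabled, so check `show interfaces status err-disabled` as well if a host suddenly loses connectivity after DAI is turned on.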
