Friday, June 5, 2009

Protecting from ARP attack – Dynamic ARP Inspection (DAI)

My environment: Cisco Catalyst 3560E
IOS: c3560e-universal-mz.122-35.SE5.bin

Before a PC can talk to another PC, it must do an ARP request to map the IP address to a MAC address.

For example:

Client A (ARP Request Broadcast): Who is

Client B (ARP Reply): I am, MAC address B

A client can also send an unsolicited reply (gratuitous ARP) according to the ARP RFC. That means anyone can claim to be the owner of any IP-MAC address pair. An ARP attack uses this to poison the ARP cache on the switch and redirect the traffic.

Dynamic ARP Inspection (DAI) is a security feature that protects against ARP attacks by validating ARP packets on untrusted ports against the DHCP snooping binding database.

! Global Command
ip arp inspection vlan 168,201

! Interface that you want to trust
ip arp inspection trust

! Default untrust
no ip arp inspection trust

Hosts with a static IP address (not obtained from the DHCP server) have no entry in the DHCP snooping binding table, so their ARP packets are rejected and you will get a deny message on the console:

Jun  5 12:31:40.734 HKT: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/4, vlan 201.([000c.29f2.6a88/ HKT Fri Jun 5 2009])

In that case you’ll need to create an ARP access-list to allow the hosts with static addresses:

! Define ARP ACL
pandaeatsbamboo-sw01(config)#arp access-list allow-arp
pandaeatsbamboo-sw01(config-arp-nacl)#permit ip host mac any

! Apply ARP ACL to DAI
pandaeatsbamboo-sw01(config)#ip arp inspection filter allow-arp vlan 201
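To make the decision path concrete, here is an added Python model of how DAI treats an ARP packet (this is not Cisco code): trusted ports are not inspected, an ARP ACL applied to the VLAN is checked first, and packets it does not match fall through to the DHCP snooping binding table. The binding table, ACL entries, port names and addresses are constructed sample values, and the acl_static flag models the optional static keyword of ip arp inspection filter, which turns the fall-through into a drop.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Arp:
    port: str        # ingress interface
    vlan: int
    sender_mac: str  # ARP sender hardware address (the field an attacker forges)
    sender_ip: str   # ARP sender protocol address


# Constructed DHCP snooping bindings: (vlan, MAC) -> IP leased to that MAC
BINDINGS = {
    (201, "0011.2233.4455"): "10.201.0.10",
    (168, "0011.2233.6677"): "10.168.0.20",
}
# Constructed ARP ACL "allow-arp" on VLAN 201, i.e. entries of the form
# "permit ip host <ip> mac host <mac>" (mac None = "mac any")
ARP_ACL = {201: [("10.201.0.50", "00aa.bbcc.dd01"), ("10.201.0.51", None)]}
TRUSTED = {"Gi0/1"}  # constructed: uplink towards the DHCP server


def dai_verdict(pkt: Arp, trusted=TRUSTED, bindings=BINDINGS,
                arp_acl=ARP_ACL, acl_static=False):
    """Return (action, reason) for one ARP packet, following the DAI order:
    trusted port -> ARP ACL -> DHCP snooping binding -> drop."""
    if pkt.port in trusted:
        return "forward", "trusted port, not inspected"
    for ip, mac in arp_acl.get(pkt.vlan, []):
        if ip == pkt.sender_ip and mac in (None, pkt.sender_mac):
            return "forward", "permitted by ARP ACL"
    if acl_static and pkt.vlan in arp_acl:
        return "drop", "ARP ACL applied with 'static': no fall-through to bindings"
    if bindings.get((pkt.vlan, pkt.sender_mac)) == pkt.sender_ip:
        return "forward", "matches DHCP snooping binding"
    return "drop", (f"invalid ARP on {pkt.port}, vlan {pkt.vlan}: "
                    f"{pkt.sender_mac}/{pkt.sender_ip} has no binding")


if __name__ == "__main__":
    # A DHCP client claiming the gateway's IP (gratuitous ARP spoof) is dropped
    print(dai_verdict(Arp("Gi0/4", 201, "0011.2233.4455", "10.201.0.1")))
    # A static host not covered by the ACL is dropped, as on the console above
    print(dai_verdict(Arp("Gi0/5", 201, "00aa.bbcc.dd02", "10.201.0.50")))
```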
