Mitigating ARP attacks
Dynamic ARP Inspection (DAI)
During an ARP attack, the attacker sends unsolicited ARP replies to other hosts on the subnet that pair the attacker's MAC address with the IP address of the default gateway. This is called ARP Spoofing (fake MAC).
To prevent ARP Spoofing, which eventually results in ARP Poisoning, the switch must be configured so that only valid ARP Requests and Replies are forwarded.
Dynamic ARP Inspection (DAI) requires DHCP snooping and prevents ARP attacks by:
– Not forwarding invalid or unwanted ARP replies to other ports in the same VLAN
– Intercepting all ARP Requests and Replies on untrusted interfaces
– Verifying each intercepted packet for a valid IP-to-MAC binding
– Dropping and logging ARP Replies that arrive as invalid requests, to prevent ARP Poisoning
– Putting the interface in an error-disabled state once the configured DAI rate limit for ARP packets is exceeded
Dynamic ARP Inspection Implementation
To mitigate the chances of ARP Spoofing/poisoning, DAI can be implemented as follows:
Step 1: Enable DHCP Snooping globally
Step 2: Enable DHCP Snooping on required VLANs
Step 3: Enable DAI on selected VLANs
Step 4: Configure trusted interfaces for DHCP Snooping and ARP Inspection
Enable DHCP Snooping globally
S1(config)# ip dhcp snooping
Enable DHCP Snooping on required VLANs
S1(config)# ip dhcp snooping vlan [vlan / vlan-range]
Enable DAI on selected VLANs
S1(config)# ip arp inspection [vlan / vlan-range]
Configure trusted interfaces for DHCP Snooping and ARP Inspection
S1(config)# interface [interface]
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
DAI Implementation Complete Configuration Example
S1> enable
S1# configure terminal
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 3,5-9
S1(config)# ip arp inspection vlan 3,5-9
S1(config)# interface range fa0/1 - 2
S1(config-if-range)# ip dhcp snooping trust
S1(config-if-range)# ip arp inspection trust
S1(config-if-range)# exit
S1(config)# exit
S1#
– We enabled DHCP Snooping using the global configuration command
– We enabled the configured DHCP Snooping mechanism on VLANs 3, 5, 6, 7, 8, and 9
– We also enabled the DAI mechanism on VLANs 3, 5, 6, 7, 8, and 9
– FastEthernet ports 0/1 to 0/2 are trunk links, so they were configured as “trusted” for both DHCP Snooping and DAI
Dynamic ARP Inspection (DAI) can additionally be configured to validate the destination MAC address, the source MAC address, and the IP addresses of each ARP packet:
– Destination MAC: checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body
– Source MAC: checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body
– IP Address: checks the ARP body for invalid and unwanted IP addresses, including 0.0.0.0, 255.255.255.255, and all IP multicast addresses
DAI can be configured to drop ARP packets whose IP addresses are invalid, and likewise to drop packets whose MAC addresses in the ARP body do not match the addresses in the Ethernet header. Each of these checks is enabled with its own keyword of the same command.
Configuring DAI to drop ARP packets when Source MAC Address is invalid
S1(config)# ip arp inspection validate src-mac
Configuring DAI to drop ARP packets when Destination MAC Address is invalid
S1(config)# ip arp inspection validate dst-mac
Configuring DAI to drop ARP packets when IP Addresses are invalid
S1(config)# ip arp inspection validate ip
[NOTE] To combine two or more validation methods, enter all of them on the same command line. Each “ip arp inspection validate” command overwrites the previous one.
Configuring multiple DAI validations
S1(config)# ip arp inspection validate src-mac dst-mac ip
Configuring multiple DAI validations Complete Configuration Example
S1> enable
S1# configure terminal
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# exit
S1#
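To make the checks above concrete, here is a small Python model of what DAI does with one ARP frame on an untrusted port: the core DHCP-snooping binding check plus the optional src-mac, dst-mac and ip validations. This is an added example, not code from the page or from Cisco; the binding table and sample frames are constructed, and the order in which the optional checks run before the binding check is an assumption made here for readable drop reasons.

```python
import struct
from ipaddress import IPv4Address

# Constructed DHCP snooping binding table (IP -> MAC), the table DAI consults
# for untrusted ports. 10.0.3.1 (the gateway) is static and has no entry.
BINDINGS = {"10.0.3.10": "00:11:22:33:44:55", "10.0.3.11": "00:11:22:33:44:66"}
mac_str = lambda b: ":".join(f"{x:02x}" for x in b)
mac_bytes = lambda s: bytes.fromhex(s.replace(":", ""))

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Assemble an untagged Ethernet II frame carrying ARP (op 1=request, 2=reply)."""
    return (struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), 0x0806)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac_bytes(sha),
                          IPv4Address(spa).packed, mac_bytes(tha), IPv4Address(tpa).packed))

def parse_arp(frame):
    """Split the Ethernet header and ARP body into the fields DAI compares."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != 0x0806:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}

def invalid_ip(ip):
    """Addresses the 'ip' validation rejects: 0.0.0.0, broadcast and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast

def inspect(frame, trusted=False, validate=()):
    """Return 'forward' or 'drop: <reason>' for one ARP frame arriving on a port."""
    if trusted:                     # trusted ports (trunks, DHCP server) bypass DAI
        return "forward"
    a = parse_arp(frame)
    # Optional header-consistency checks (ip arp inspection validate ...). Running
    # them before the binding check is an assumption of this model.
    if "src-mac" in validate and a["eth_src"] != a["sha"]:
        return "drop: src-mac mismatch"
    if "dst-mac" in validate and a["op"] == 2 and a["eth_dst"] != a["tha"]:
        return "drop: dst-mac mismatch"
    if "ip" in validate:            # sender IP always, target IP only in replies
        checked = [a["spa"]] + ([a["tpa"]] if a["op"] == 2 else [])
        if any(invalid_ip(ip) for ip in checked):
            return "drop: invalid ip in ARP body"
    # Core DAI check: the sender IP/MAC pair must match a DHCP snooping binding.
    if BINDINGS.get(a["spa"]) != a["sha"]:
        return f"drop: no binding for {a['spa']} -> {a['sha']}"
    return "forward"
```

A reply in which host 10.0.3.11 claims the gateway IP has no matching binding and is dropped, while the same frame on a trusted port passes untouched, which is why trunks and the DHCP server port must be the only trusted interfaces.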