Dynamic ARP Inspection (DAI)
Introduction
The ARP inspection feature defends against man-in-the-middle attacks (ARP spoofing/poisoning) by preventing the ARP table entries of legitimate hosts from being maliciously modified by forged ARP messages sent by an attacker.
Trust Port
ARP inspection divides interfaces into ARP trusted ports and ARP untrusted ports. On trusted ports, the system does not inspect incoming ARP messages and lets them pass unchecked. ARP messages received on untrusted ports are inspected before they are forwarded.
By default, all interfaces are untrusted ports. Use the command set protocols arp inspection trust-port <port-name> to configure an interface as a trusted port, and run show arp inspection interface to display the ARP inspection trust state of all interfaces. Because trusted ports are not inspected at all, only give this setting to ports facing devices you control (for example uplinks to other switches), never to ports facing end hosts.
ARP inspection consists of two functions: ARP message validity checking and user legitimacy checking.
ARP Packets Validity Checking
For ARP trusted ports, packet validity checking is not performed; for ARP untrusted ports, the system checks the validity of the MAC and IP addresses carried in the ARP packet:
- Check that the sender MAC address in the ARP message matches the source MAC address in the Ethernet header. If they match, the message passes; otherwise it is discarded.
- Check whether the sender MAC address in the ARP message is all 0s or all 1s. Both are invalid, and the message is discarded.
- Check whether the sender IP address in the ARP message is all 0s, all 1s, or a multicast IP address. These are invalid, and the message is discarded.
User Legitimacy Checking
For ARP trusted ports, user legitimacy checking is not performed; for ARP untrusted ports, user legitimacy checking is performed to stop hosts that spoof the IP or MAC address of another user.
User legitimacy checking verifies the sender IP/MAC pair of an ARP message against a table of known-good bindings. Two sources for that table are supported, and they can be used in the following modes:
1. Dynamic ARP inspection based on the DHCP snooping binding table. DHCP snooping is required in this scenario.
If ARP inspection is enabled in a VLAN with DHCP relay enabled, DHCP snooping is also required in that same VLAN for ARP inspection to work properly. The system uses the DHCP relay table to generate ARP entries for ARP inspection.
Run the command run show arp inspection dhcp-binding to view the ARP entries generated from the DHCP snooping and DHCP relay tables.
2. Static ARP access lists for non-DHCP environments, which the administrator configures through CLI commands.
When the switch receives an ARP message on an untrusted port, it compares the sender IP address and sender MAC address of the ARP message with the entries in the ARP access list applied to the VLAN (if configured) and with the DHCP binding table:
- If the message matches an entry, the user who sent it is considered legitimate and the ARP message is allowed to pass.
- Otherwise, the message is considered an attack and is discarded.
The run show arp inspection statistics vlan command displays ARP inspection statistics, such as the number of discarded and permitted ARP packets. A rising discard count on a VLAN is the first place to look both when hunting for ARP poisoning attempts and when legitimate hosts lose connectivity after ARP inspection is enabled.
NOTE:
If ARP inspection is enabled in the MLAG peer link VLAN, an ARP access list must be configured with the following commands for MLAG to keep working normally (the peer device's ARP messages arrive over the peer link and have no DHCP binding, so they would otherwise fail the legitimacy check):
set protocols arp inspection access-list <acl-name> ip <ipv4-addr> mac-address <mac-addr>
set protocols arp inspection vlan <peer-vlan-id> access-list <acl-name>
where the IP address, MAC address and VLAN are the corresponding values of the peer link port on the MLAG peer device.
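To make the validity checks, the legitimacy check and the permitted/discarded counters described above concrete, here is a software model of the inspection pipeline. This is an added example, not Pica8 code and not how PicOS implements the feature internally; the port names, VLAN IDs, addresses and the binding/ACL table shapes are assumptions chosen to mirror the configuration examples later on this page, and the frames are constructed in the code rather than captured.

```python
# Added example (not Pica8/PicOS code): models Dynamic ARP Inspection on
# constructed Ethernet/ARP frames. Port names, VLANs, addresses and the
# binding/ACL table layouts are assumptions mirroring the page's examples.
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ZERO_MAC, ONES_MAC = b"\x00" * 6, b"\xff" * 6
ZERO_IP, ONES_IP = b"\x00" * 4, b"\xff" * 4


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str,
              op: int = 2, eth_dst: str = "ff:ff:ff:ff:ff:ff",
              target_mac: str = "00:00:00:00:00:00") -> bytes:
    """Constructed test frame. eth_src and sender_mac are separate arguments
    so that a header/payload MAC mismatch can be produced deliberately."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                       mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


class ArpInspector:
    """Trust-port bypass, then validity checks, then legitimacy check against
    the DHCP snooping bindings and the static ACL applied to the VLAN."""

    def __init__(self, trust_ports=(), dhcp_bindings=(), vlan_acls=None):
        self.trust_ports = set(trust_ports)
        # (vlan, ip, mac) rows, like the output of 'show arp inspection dhcp-binding'
        self.bindings = {(v, ip, mac.lower()) for v, ip, mac in dhcp_bindings}
        # Static ACL entries per VLAN: {vlan: {(ip, mac), ...}}
        self.vlan_acls = {v: {(ip, mac.lower()) for ip, mac in entries}
                          for v, entries in (vlan_acls or {}).items()}
        self.stats = {"permitted": 0, "discarded": 0}

    def inspect(self, port: str, vlan: int, frame: bytes):
        """Return (permitted, reason) and update the counters."""
        permitted, reason = self._decide(port, vlan, frame)
        self.stats["permitted" if permitted else "discarded"] += 1
        return permitted, reason

    def _decide(self, port, vlan, frame):
        if port in self.trust_ports:
            return True, "trusted port: not inspected"
        _, eth_src, ethertype = ETH_HDR.unpack_from(frame)
        if ethertype != ETHERTYPE_ARP:
            return True, "not ARP: outside DAI scope"
        _, _, _, _, _, sha, spa, _, _ = ARP_PKT.unpack_from(frame, ETH_HDR.size)
        # 1. Packet validity checks (untrusted ports only)
        if sha != eth_src:
            return False, "sender MAC differs from Ethernet source MAC"
        if sha in (ZERO_MAC, ONES_MAC):
            return False, "sender MAC is all 0s or all 1s"
        if spa in (ZERO_IP, ONES_IP) or ipaddress.IPv4Address(spa).is_multicast:
            return False, "sender IP is all 0s, all 1s or multicast"
        # 2. User legitimacy check: IP/MAC pair must be bound via DHCP or the VLAN ACL
        ip, mac = str(ipaddress.IPv4Address(spa)), mac_str(sha)
        if (vlan, ip, mac) in self.bindings:
            return True, "matches DHCP snooping binding"
        if (ip, mac) in self.vlan_acls.get(vlan, set()):
            return True, "matches static ARP access list"
        return False, "no binding or ACL entry for this IP/MAC pair"


def demo():
    dai = ArpInspector(
        trust_ports={"ge-1/1/2"},  # assumed uplink, as in the page's example topology
        dhcp_bindings=[(2, "100.1.1.1", "14:18:77:18:2c:b9")],
        vlan_acls={100: [("10.0.0.1", "00:B0:BC:00:00:00")]},
    )
    legit = build_arp("14:18:77:18:2c:b9", "14:18:77:18:2c:b9", "100.1.1.1", "100.1.1.254")
    # Bound host claims the (assumed) gateway address 100.1.1.254: ARP poisoning
    poison = build_arp("14:18:77:18:2c:b9", "14:18:77:18:2c:b9", "100.1.1.254", "100.1.1.1")
    # Ethernet source MAC and ARP sender MAC disagree
    mismatch = build_arp("aa:aa:aa:aa:aa:aa", "14:18:77:18:2c:b9", "100.1.1.1", "100.1.1.254")
    acl_ok = build_arp("00:b0:bc:00:00:00", "00:b0:bc:00:00:00", "10.0.0.1", "10.0.0.254")
    results = {
        "legit": dai.inspect("ge-1/1/1", 2, legit),
        "poison": dai.inspect("ge-1/1/1", 2, poison),
        "mismatch": dai.inspect("ge-1/1/1", 2, mismatch),
        "trusted": dai.inspect("ge-1/1/2", 2, poison),
        "acl_ok": dai.inspect("ge-1/1/1", 100, acl_ok),
    }
    return results, dai.stats


if __name__ == "__main__":
    results, stats = demo()
    for name, (ok, why) in results.items():
        print(f"{name:9s} {'permit' if ok else 'drop  '} {why}")
    print(stats)
```

Note that the same poisoning frame is dropped on ge-1/1/1 but passes untouched on the trusted port ge-1/1/2, which is why trust should only be granted to ports that cannot originate attacker traffic.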
Configuring Dynamic ARP Inspection
Dynamic ARP inspection checks ARP messages against the DHCP binding table, so DHCP snooping must be enabled in the same VLAN for this feature to work properly. Hosts with statically assigned addresses in such a VLAN have no DHCP binding, and their ARP messages are discarded unless they are also covered by an ARP access list (see Configuring ARP Inspection Access List).
Procedure
Step1 Enable ARP inspection in a VLAN.
set protocols arp inspection vlan <vlan-id> disable <true | false>  (disable false enables inspection; disable true turns it off)
Step2 Enable DHCP snooping.
a) Enable DHCP snooping in a VLAN.
set protocols dhcp snooping vlan <vlan-id> disable <true | false>
b) Configure the interface connected to the DHCP server as DHCP snooping trusted interface.
set protocols dhcp snooping trust-port <interface-name>
Step3 (Optional) Configure an interface as an ARP inspection trust port, on which ARP inspection will not be performed. This setting is separate from the DHCP snooping trust port configured in Step2.
set protocols arp inspection trust-port <port-name>
Step4 Commit the configurations.
commit
Example for Configuring Dynamic ARP Inspection
Networking Requirements
- On Pica8 Switch, the interfaces ge-1/1/1 and ge-1/1/2 are in VLAN 2.
- Enable DHCP snooping on VLAN 2.
- Configure the interface connected to the DHCP server (ge-1/1/2) as the DHCP snooping trust interface.
- To prevent man-in-the-middle attacks and stop the ARP table entries of legitimate users on the device from being maliciously modified, enable ARP inspection in VLAN 2.
Figure 1 Dynamic ARP Inspection Network
Procedure
Step1 Configure VLAN.
admin@XorPlus# set vlans vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 2
Step2 Enable ARP inspection in VLAN 2.
admin@XorPlus# set protocols arp inspection vlan 2 disable false
Step3 Enable DHCP snooping.
admin@XorPlus# set protocols dhcp snooping vlan 2 disable false
admin@XorPlus# set protocols dhcp snooping trust-port ge-1/1/2
Step4 Commit the configurations.
admin@XorPlus# commit
Step5 Verify the configurations.
- Run the command run show arp inspection vlan <vlan-id> to display the ARP inspection configuration of a VLAN.
admin@XorPlus# run show arp inspection vlan 2
Vlan  Configuration  Static ACL
----  -------------  ----------
2     Enabled        -
- Run the run show arp inspection dhcp-binding command to view the ARP inspection table. This table includes the ARP entries generated from the DHCP snooping or DHCP relay table. A host that is missing here (for example one that has not yet completed a DHCP exchange since snooping was enabled) will have its ARP messages discarded on untrusted ports.
admin@XorPlus# run show arp inspection dhcp-binding
Vlan  IP Address       Mac Address
----  ---------------  -----------------
2     100.1.1.1        14:18:77:18:2c:b9
Configuring ARP Inspection Access List
ARP inspection supports statically configured ARP access lists, entered through CLI commands, for non-DHCP environments; in this mode DHCP snooping does not need to be enabled.
NOTE: When configuring ARP access lists for ARP inspection, the same IP/MAC pair cannot exist in multiple access lists.
Procedure
Step1 Enable ARP inspection in a VLAN.
set protocols arp inspection vlan <vlan-id> disable <true | false>
Step2 Configure ARP access list for ARP inspection.
set protocols arp inspection access-list <acl-name> ip <ipv4-addr> mac-address <mac-addr>
Step3 Apply the ARP inspection access list to a VLAN.
set protocols arp inspection vlan <vlan-id> access-list <acl-name>
Step4 (Optional) Configure an interface as an ARP inspection trust port, on which ARP inspection will not be performed.
set protocols arp inspection trust-port <port-name>
Step5 Commit the configurations.
commit
Example for Configuring Static ARP Inspection
Configuring ARP access lists is an effective defense against man-in-the-middle attacks and prevents the ARP table entries of legitimate users on the device from being maliciously modified. In this example the hosts in VLAN 100 use static addresses, so the permitted IP/MAC pair is entered by hand instead of being learned from DHCP.
Step1 Configure VLAN.
admin@XorPlus# set vlans vlan-id 100
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 100
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 100
Step2 Enable ARP inspection in VLAN 100.
admin@XorPlus# set protocols arp inspection vlan 100 disable false
Step3 Configure the ARP inspection static access list.
admin@XorPlus# set protocols arp inspection access-list test1 ip 10.0.0.1 mac-address 00:B0:BC:00:00:00
Step4 Apply the ARP inspection access list to the VLAN.
admin@XorPlus# set protocols arp inspection vlan 100 access-list test1
Note that the access list must be configured before it is applied to a VLAN; otherwise the commit fails with an error reporting that the access list does not exist.
Step5 Commit the configurations.
admin@XorPlus# commit
Step6 Verify the configurations.
- Run the command run show arp inspection vlan <vlan-id> to display the ARP inspection configuration of a VLAN, including the static ACL applied to it.
admin@XorPlus# run show arp inspection vlan 100
Vlan  Configuration  Static ACL
----  -------------  ----------
100   Enabled        test1
- Run the command run show arp inspection access-list <acl-name> to display the entries of an ARP inspection static access list and the VLANs it is applied to.
admin@XorPlus# run show arp inspection access-list test1
Static ACL  IP Address       Mac Address
----------  ---------------  -----------------
test1       10.0.0.1         00:B0:BC:00:00:00

Static ACL  Applied Vlans
----------  -------------------
test1       100
Copyright © 2024 Pica8 Inc. All Rights Reserved.