Dynamic ARP Inspection (DAI)

Owned by Tracy Yang
Mar 19, 2024
5 min read


Introduction

The ARP Inspection feature is used to defend against man-in-the-middle attack scenarios, preventing ARP table entries to be maliciously modified by a forged ARP message sent by an attacker.

Trust Port

ARP inspection divides interfaces into ARP trusted and untrusted ports. On trusted ports, the system does not perform ARP inspection on incoming ARP messages, allowing the ARP messages to pass. However, ARP inspection is required for ARP messages received on the untrusted port interface.

By default, all the interfaces are untrusted ports. You can use the command set protocols arp inspection trust-port <port-name> to configure an interface as trusted port and use run show arp inspection interface to show the trust state of all the interfaces for ARP inspection.

ARP Inspection contains two functions: ARP message validity checking and user legitimacy checking.

ARP Packets Validity Checking

For ARP trusted ports, packets validity checking is not performed; for ARP untrusted ports, the system checks the validity of MAC address and IP address in the ARP packets:

  • Check that if the source MAC address in the ARP message and the source MAC address in the Ethernet header are consistent. If so, pass, otherwise discard.
  • Check if the source MAC address in the ARP message is all 0 or all 1. All 0 and all 1 source MAC addresses are invalid and the message will be discarded.
  • Check if the source IP in the ARP message is all 0, all 1, or the multicast IP address, these IP addresses are invalid and the message will be discarded.

User Legitimacy Checking

For ARP trusted ports, user legitimacy checking is not performed; for ARP untrusted ports, a user legitimacy checking is performed to prevent attacks from spoofing users.

ARP inspection user legitimacy checking is to check the validity of ARP message which supports two of the following implementation and application modes:

1.  Dynamic ARP inspection based on DHCP snooping binding table. DHCP snooping is required in this scenario.

However, if ARP inspection is enabled in the VLAN with DHCP relay enabled, DHCP snooping is also required in this same VLAN for ARP inspection to work properly. The system uses the DHCP snooping table to generate ARP entries for ARP inspection.

You can run the command run show ARP inspection dhcp-binding to view the ARP entries generated from the DHCP snooping and DHCP relay table.

2.  ARP access lists for non-DHCP environments which needs the administrator to configure by CLI commands.

When the switch receives an ARP message, it compares the source IP address and source MAC address of the ARP message with the entries in the ARP access lists (if configured) and the DHCP binding table:

  • If the message matches, the user who sent the ARP message is considered as a legitimate user and allows the ARP message to pass.
  • Otherwise, it is considered as an attack and the ARP message is discarded.

run show arp inspection statistics vlan command displays the statistics of ARP inspection, such as, discarded and permitted ARP packets.

NOTE:

  •  If both ARP access lists and dynamic ARP inspection are enabled, the system checks ARP access lists first, if there is no match then the system checks DHCP binding table.
  •  When ARP inspection is enabled on MLAG peers, we recommend that you don’t enable ARP inspection in the peer-link VLAN which is dedicated to transmitting MLAG control plane messages.

However, if ARP inspection is enabled in peer link VLAN, an ARP access list must be configured by the following commands for ARP inspection to make MLAG work normally,

set protocols arp inspection access-list <acl-name> ip <ipv4-addr> mac-address <mac-addr>

set protocols arp inspection vlan <peer-vlan-id> access-list <acl-name>

where IP, MAC address and VLAN should be configured as the corresponding values of peer link port on the MLAG peer device.

Configuring Dynamic ARP Inspection

Dynamic ARP Inspection checks ARP messages based on DHCP binding table. Therefore, you need to enable the DHCP snooping function for this feature to work properly.

Procedure

Step1         Enable ARP inspection in a VLAN.

   set protocols arp inspection vlan <vlan-id> disable <true | false>

Step2         Enable DHCP snooping.

   a) Enable DHCP snooping in a VLAN.

   set protocols dhcp snooping vlan <vlan-iddisable <true | false>

   b) Configure the interface connected to the DHCP server as DHCP snooping trusted interface.

   set protocols dhcp snooping trust-port <interface-name>

Step3         (Optional) Configure an interface as a trust port on which ARP inspection will not be implemented.

   set protocols arp inspection trust-port <port-name>

Step4         Commit the configurations.

   commit

Example for Configuring Dynamic ARP Inspection

Networking Requirements

  • On Pica8 Switch, the interfaces ge-1/1/1 and ge-1/1/2 are in VLAN 2.
  • Enable DHCP snooping on VLAN 2.
  • Configure the interface connected to the DHCP server (ge-1/1/2) as the DHCP snooping trust interface.
  • To prevent man-in-the-middle attacks and prevent the ARP table entries of legitimate users on the device being maliciously modified, enable ARP inspection in VLAN 2.

 Figure 1 Dynamic ARP Inspection Network

Procedure

Step1         Configure VLAN.

admin@XorPlus# set vlans vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 2
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 2

Step2         Enable ARP inspection in VLAN 2.

admin@Xorplus# set protocols arp inspection vlan 2 disable false

Step3         Enable DHCP snooping.

admin@XorPlus# set protocols dhcp snooping vlan 2 disable false
admin@XorPlus# set protocols dhcp snooping trust-port ge-1/1/2

Step4         Commit the configurations.

admin@XorPlus# commit

Step5        Verify the configurations.

  • Run the command run show arp inspection vlan <vlan-id> to display ARP inspection configured information of a VLAN.
admin@Xorplus# run show arp inspection vlan 2
Vlan  Configuration      Static ACL
----   -------------     ----------
2     Enabled            -
  • Run therun show arp inspection dhcp-binding command to view the ARP inspection table. This table includes the ARP entries generated from the DHCP snooping or DHCP relay table.
admin@Xorplus# run show arp inspection dhcp-binding
Vlan  IP Address        Mac Address
----  ---------------  -----------------
 2    100.1.1.1         14:18:77:18:2c:b9

Configuring ARP Inspection Access List

ARP inspection supports to statically configure ARP access lists through CLI commands in non-DHCP environments, so it does not require to enable DHCP snooping.

NOTE:

When configuring the ARP access list for ARP Inspection, the same IP-MAC cannot exist in multiple access lists.

Procedure

Step1         Enable ARP inspection in a VLAN.

   set protocols arp inspection vlan <vlan-id> disable <true | false>

Step2         Configure ARP access list for ARP inspection.

   set protocols arp inspection access-list <acl-name> ip <ipv4-addr> mac-address <mac-addr>

Step3         Apply the ARP inspection access list to a VLAN.

   set protocols arp inspection vlan <vlan-id> access-list <acl-name>

Step4        (Optional) Configure an interface as a trust port on which ARP inspection will not be implemented.

   set protocols arp inspection trust-port <port-name>

Step5         Commit the configurations.

   commit

Example for Configuring Static ARP Inspection

Configuring ARP access lists is an effective defense against man-in-the-middle attacks and preventing ARP table entries of legitimate users on the device being maliciously modified.

Step1         Configure VLAN.

admin@XorPlus# set vlans vlan-id 100
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 family ethernet-switching native-vlan-id 100
admin@XorPlus# set interface gigabit-ethernet ge-1/1/2 family ethernet-switching native-vlan-id 100

Step2         Enable ARP inspection in VLAN 100.

admin@Xorplus# set protocols arp inspection vlan 100 disable false

Step3         Configure ARP inspection static access list.

admin@Xorplus# set protocols arp inspection access-list test1 ip 10.0.0.1 mac-address 00:B0:BC:00:00:00

Step4         Apply the ARP inspection access list to a VLAN.

admin@Xorplus# set protocols arp inspection vlan 100 access-list test1

Note that:

Configure the access-list first and then apply to a VLAN, otherwise it will prompt access-list does not exist when committing this command.

Step5         Commit the configurations.

admin@XorPlus# commit

Step6         Verify the configurations.

  • Run the command run show arp inspection vlan <vlan-id> to display ARP inspection configured information of a VLAN.
admin@Xorplus# run show arp inspection vlan 100
Vlan  Configuration      Static ACL
----   -------------     ----------
100     Enabled          test1
  • Run command run show arp inspection vlan <vlan-id> access-list <acl-name> to display the information for ARP inspection static access list.
admin@Xorplus# run show arp inspection access-list test1
Static ACL  IP Address       Mac Address
----------  ---------------  -----------------
Test1       10.0.0.1         00:B0:BC:00:00:00
Static ACL  Applied Vlans
----------  -------------------
Test1       100

Copyright © 2024 Pica8 Inc. All Rights Reserved.