Use DAI to configure DHCP Snooping

In previous articles, we have explained the technology and configuration of DHCP Snooping. Here we will mainly explain how to use DAI to configure DHCP Snooping. First, let's take a look at this dynamic relationship and see how the two are associated.

Use DAIdynamic arp inspection)

Cisco Dynamic ARP Inspection (DAI) provides IP address and MAC Address binding on the switch, and dynamically establishes the binding relationship. DAI is based on the DHCP Snooping binding table. For servers that do not use DHCP, you can use static ARP access-list. The DAI configuration is for VLANs. You can enable or disable DAI for interfaces in the same VLAN. You can use DAI to control the number of arp request packets on a port. These technologies can be used to prevent man-in-the-middle attacks.

Configuration example

IOS global command:

 
 

  
  
Ip dhcp snooping vlan 100,200
  
  
No ip dhcp snooping information option
  
  
Ip dhcp snooping
  
  
Ip arp inspection vlan 100,200/* defines which VLANs are used for ARP packet Detection
  
  
Ip arp inspection log-buffer entries 1024
  
  
Ip address arp inspection log-buffer logs 1024 interval 10
 
 

IOS interface command:

 
 

  
  
Ip dhcp snooping trust
  
  
Ip arp inspection trust/* defines which interfaces are trusted interfaces, such as network device interfaces and TRUNK interfaces.
  
  
Ip arp inspection limit rate 15 (pps)/* defines the number of ARP packets per second on the Interface
 
 

If no DHCP device is used, use the following method:

 
 

  
  
arp access-list static-arp   
  
  
permit ip host 10.66.227.5 mac host 0009.6b88.d387   
  
  
ip arp inspection filter static-arp vlan 201  
 
 

Effect after DAI Configuration:

On interfaces configured with the DAI technology, users cannot access the network using unspecified addresses.

Because DAI checks the relationship between IP addresses and MAC addresses in the DHCP snooping binding table, man-in-the-middle attacks cannot be implemented and the attack tool becomes invalid. The following table lists the switch warnings for man-in-the-middle attacks:

 
 

  
  
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2 
 
 

Due to the speed limit imposed on arp request packets, the client cannot scan or detect IP addresses that are considered or viruses. If such behavior occurs, the switch immediately sends an alarm or directly disconnects the scanning machine. See the following table:

 
 

  
  
3w0d: % SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30. ***** alert
  
  
3w0d: % PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state ***** disconnect the port
  
  
I49-4500-1 #... sh int f.5/30
  
  
FastEthernet5/30 is down, line protocol is down (err-disabled)
  
  
Hardware is Fast Ethernet Port, address is 0002. b90e. 3f 4d (bia 0002. b90e. 3f 4d)
  
  
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  
  
Reliability 255/255, txload 1/255, rxload 1/255
  
  
I49-4500-1 #......
 
 

After a user obtains an IP address, the user cannot modify the IP address or MAC address. If the user simultaneously modifies the IP address and MAC address, the user must be a valid IP address and MAC address in the network.