Using DAI with DHCP Snooping

Source: Internet
Author: User

In previous articles we explained the technology and configuration of DHCP Snooping. Here we explain how to use Dynamic ARP Inspection (DAI) on top of DHCP snooping. First, let's look at the relationship between the two and how they are linked.

Using DAI (Dynamic ARP Inspection)

Cisco Dynamic ARP Inspection (DAI) checks the IP address to MAC address binding carried in ARP packets on the switch. The bindings are learned dynamically: DAI uses the DHCP snooping binding table, which records the IP address, MAC address, VLAN and port of every DHCP client. For hosts that do not use DHCP (servers with static addresses), you define the bindings in a static ARP access-list instead. DAI is enabled per VLAN; within an enabled VLAN each interface is either trusted (ARP is forwarded unchecked, used for uplinks and trunks) or untrusted (ARP is inspected, which is the default for every interface). DAI can also rate-limit the ARP packets accepted on a port. Together these features prevent ARP-spoofing man-in-the-middle attacks.

Configuration example

IOS global commands:

  ip dhcp snooping vlan 100,200
  no ip dhcp snooping information option
  ! do not insert DHCP option 82 (relay agent information) into client requests
  ip dhcp snooping
  ip arp inspection vlan 100,200
  ! VLANs whose ARP packets are inspected
  ip arp inspection log-buffer entries 1024
  ip arp inspection log-buffer logs 1024 interval 10
  ! size of the DAI log buffer, and at most 1024 syslog messages from it per 10 seconds

IOS interface commands:

  ! on uplink and trunk interfaces towards other network devices and the DHCP server
  ip dhcp snooping trust
  ip arp inspection trust
  ! on untrusted access ports: accept at most 15 ARP packets per second
  ! (15 pps is also the default for untrusted ports; trusted ports are not limited)
  ip arp inspection limit rate 15

If hosts have static addresses (no DHCP), no binding exists for them in the snooping table, so add an ARP ACL instead:

  arp access-list static-arp
   permit ip host 10.66.227.5 mac host 0009.6b88.d387
  ip arp inspection filter static-arp vlan 201

The ARP ACL is consulted before the DHCP snooping binding table. An ARP packet that matches no ACL entry is still checked against the binding table, unless the static keyword is appended to the filter command, in which case the ACL is the only source of truth and unmatched packets are dropped.
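To make the decision path concrete, here is an added Python model of what the switch does with each ARP packet under the configuration above. It is an illustration written for this article, not Cisco code, and everything in it is constructed: the port names, MAC/IP pairs, binding rows and packet timings are assumptions; the ARP ACL is modelled only as a set of permit entries plus the optional static keyword (explicit deny clauses are not modelled); the rate limit is a plain one-second packet count; and a binding is matched on VLAN, sender MAC and sender IP only. It goes beyond the commands above by also showing the static keyword behaviour and the err-disable that the rate limit triggers.

```python
"""Toy model of the DAI decision path (added example, not Cisco code).
Assumptions: ports, MAC/IP pairs, bindings and timings below are constructed; ARP ACLs
are modelled as permit sets plus the 'static' flag; bindings match on VLAN+MAC+IP only.
"""
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class ArpPacket:
    port: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_mac: str = "0000.0000.0000"
    target_ip: str = "0.0.0.0"
    op: str = "Req"       # "Req" or "Res", as the switch log prints it
    t: float = 0.0        # arrival time in seconds (constructed)

@dataclass
class Dai:
    dai_vlans: set        # ip arp inspection vlan ...
    trusted_ports: set    # interfaces with 'ip arp inspection trust'
    bindings: set         # DHCP snooping table as (vlan, mac, ip) tuples
    acls: dict = field(default_factory=dict)   # vlan -> (set of (ip, mac), static)
    rate_limit: int = 15  # ip arp inspection limit rate 15 (packets per second)
    seen: dict = field(default_factory=lambda: defaultdict(list))
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _deny(self, p):
        # Same field order as SW_DAI-4-DHCP_SNOOPING_DENY: [sender MAC/sender IP/target MAC/target IP]
        self.log.append(f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs ({p.op}) on {p.port}, "
                        f"vlan {p.vlan}.([{p.sender_mac}/{p.sender_ip}/{p.target_mac}/{p.target_ip}])")
        return "drop"

    def _over_rate(self, p):
        # Count this port's ARP packets in the last second; above the limit -> err-disable.
        window = [ts for ts in self.seen[p.port] if p.t - ts < 1.0] + [p.t]
        self.seen[p.port] = window
        if len(window) <= self.rate_limit:
            return False
        self.log.append(f"%SW_DAI-4-PACKET_RATE_EXCEEDED: {len(window)} packets received in "
                        f"{int((p.t - window[0]) * 1000)} milliseconds on {p.port}.")
        self.log.append(f"%PM-4-ERR_DISABLE: arp-inspection error detected on {p.port}, "
                        f"putting {p.port} in err-disable state")
        self.err_disabled.add(p.port)
        return True

    def inspect(self, p):
        if p.port in self.err_disabled:
            return "drop"                 # port stays down until recovered
        if p.vlan not in self.dai_vlans or p.port in self.trusted_ports:
            return "forward"              # DAI not applied: other VLAN or trusted uplink
        if self._over_rate(p):
            return "drop"
        if p.vlan in self.acls:           # ARP ACLs are consulted before the DHCP table
            permits, static = self.acls[p.vlan]
            if (p.sender_ip, p.sender_mac) in permits:
                return "forward"
            if static:                    # 'static' keyword: no fallback to DHCP bindings
                return self._deny(p)
        if (p.vlan, p.sender_mac, p.sender_ip) in self.bindings:
            return "forward"
        return self._deny(p)

def build_switch():
    """Switch state mirroring the configuration above, with constructed hosts."""
    return Dai(
        dai_vlans={100, 200, 201},
        trusted_ports={"Gi0/1"},          # uplink trunk
        bindings={(100, "0011.2233.4455", "10.1.100.10"),
                  (100, "0011.2233.6677", "10.1.100.11"),
                  (100, "0011.2233.8899", "10.1.100.12")},
        acls={201: ({("10.66.227.5", "0009.6b88.d387")}, False)},   # arp access-list static-arp
    )

def run_demo():
    sw = build_switch()
    r = {}
    # A host answering with its own DHCP-assigned pair is forwarded.
    r["legit"] = sw.inspect(ArpPacket("Fa0/1", 100, "0011.2233.4455", "10.1.100.10", op="Res"))
    # The host on Fa0/2 claims the gateway address (ARP poisoning): dropped and logged.
    r["mitm"] = sw.inspect(ArpPacket("Fa0/2", 100, "0011.2233.6677", "10.1.100.1", op="Res"))
    # The host on Fa0/1 set a static IP by hand: the new pair has no binding, dropped.
    r["manual_ip"] = sw.inspect(ArpPacket("Fa0/1", 100, "0011.2233.4455", "10.1.100.50"))
    # Anything arriving on the trusted uplink is forwarded without inspection.
    r["uplink"] = sw.inspect(ArpPacket("Gi0/1", 100, "aaaa.bbbb.cccc", "10.1.100.1", op="Res"))
    # The static server on VLAN 201 passes via the ARP ACL; no DHCP binding needed.
    r["static_srv"] = sw.inspect(ArpPacket("Fa0/5", 201, "0009.6b88.d387", "10.66.227.5"))
    # A validly bound host on Fa0/3 sweeps the subnet: 16 requests in 0.2 s exceed 15 pps.
    sweep = [sw.inspect(ArpPacket("Fa0/3", 100, "0011.2233.8899", "10.1.100.12",
                                  target_ip=f"10.1.100.{i}", t=i * 0.0125)) for i in range(1, 17)]
    r["sweep_forwarded"] = sweep.count("forward")
    r["sweep_last"] = sweep[-1]
    r["after_errdisable"] = sw.inspect(ArpPacket("Fa0/3", 100, "0011.2233.8899", "10.1.100.12", t=5.0))
    r["log"] = sw.log
    return r
```

run_demo() returns the verdict for each scenario plus the log lines the model emits in the same shape as the real SW_DAI and PM messages. The two cases worth studying are the host that claims the gateway IP (dropped and logged even though its own binding is valid) and the bound host that sweeps the subnet (forwarded fifteen times, then err-disabled; every later packet from that port is dropped until the port is recovered).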

Effect of the DAI configuration:

On untrusted ports in a DAI-enabled VLAN, a host can only send ARP packets whose sender IP/MAC pair is in the DHCP snooping binding table (or in an ARP ACL); ARP from any other address is dropped, so that address is unusable on the network.

Because DAI validates the sender IP/MAC pair of every ARP request and reply against the binding table, spoofed ARP replies from an attacker are discarded and ARP-poisoning man-in-the-middle tools stop working. The switch logs each denied packet as shown below; the bracketed fields are sender MAC, sender IP, target MAC and target IP (the copy reproduced here is cut off after the target IP):

  3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2

Because ARP requests on untrusted ports are rate-limited (15 per second in the example), a client cannot sweep the subnet with ARP, whether a user is running a scanner or a worm is probing for new victims. When the rate is exceeded the switch logs an alert and puts the port into err-disable, which disconnects the scanning machine. The port stays down until an administrator bounces it with shutdown / no shutdown, or until it recovers automatically if errdisable recovery cause arp-inspection has been enabled globally. See the following output:

  3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.   ***** alert
  3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state   ***** port disconnected
  I49-4500-1# sh int fa5/30
  FastEthernet5/30 is down, line protocol is down (err-disabled)
    Hardware is Fast Ethernet Port, address is 0002.b90e.3f4d (bia 0002.b90e.3f4d)
    MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
       reliability 255/255, txload 1/255, rxload 1/255
  I49-4500-1# ...
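For the operations side, here is an added Python parser that turns the message types above into per-port events and raises an alert for the ports a SOC would want to look at. It is an example written for this article, not Cisco tooling. The first DENY line in the sample is the one printed above (cut off after the target IP, as on this page); the other lines, including the timestamp trailer on the second DENY line, are constructed to look like the same switch, and the gateway address passed to summarize() is an assumption used only for flagging.

```python
"""Parser for the DAI syslog messages shown above (added example, not Cisco code).
The first DENY line is the one printed in the article (cut off after the target IP);
the other lines are constructed. The gateway IP passed to summarize() is an assumption.
"""
import re
from collections import defaultdict

LOG_LINES = """\
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 3 Invalid ARPs (Res) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.1/0000.0000.0000/192.168.1.50/03:06:45 UTC Thu Jan 1 2004])
3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.
3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state
3w0d: %SYS-5-CONFIG_I: Configured from console by vty0
"""

# Bracketed DENY fields, in the switch's order: sender MAC/sender IP/target MAC/target IP[/time]
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<n>\d+) Invalid ARPs \((?P<op>Req|Res)\) on "
    r"(?P<port>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/"
    r"(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)")
RATE_RE = re.compile(
    r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<n>\d+) packets received in (?P<ms>\d+) "
    r"milliseconds on (?P<port>\S+)\.")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<port>\S+),")


def parse_line(line):
    """Return (kind, fields) for a DAI-related syslog line, or None for anything else."""
    for kind, rx in (("deny", DENY_RE), ("rate", RATE_RE), ("errdisable", ERRDIS_RE)):
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None


def summarize(log_text, gateway_ips=frozenset()):
    """Aggregate DAI events per port; note ports whose ARP claimed a gateway address."""
    ports = defaultdict(lambda: {"invalid": 0, "claims": set(), "rate_events": 0,
                                 "err_disabled": False, "gateway_spoof": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind, f = ev
        p = ports[f["port"]]
        if kind == "deny":
            p["invalid"] += int(f["n"])          # the switch aggregates: "3 Invalid ARPs"
            p["claims"].add((f["smac"], f["sip"]))
            if f["sip"] in gateway_ips:
                p["gateway_spoof"] = True
        elif kind == "rate":
            p["rate_events"] += 1
        else:
            p["err_disabled"] = True
    return dict(ports)


def alerts(summary, deny_threshold=3):
    """Ports worth a ticket: gateway impersonation, repeated invalid ARPs, or err-disable."""
    out = []
    for port, p in sorted(summary.items()):
        reasons = []
        if p["gateway_spoof"]:
            reasons.append("ARP claiming a gateway IP (possible man-in-the-middle)")
        if p["invalid"] >= deny_threshold:
            reasons.append(f"{p['invalid']} invalid ARPs from {len(p['claims'])} MAC/IP pair(s)")
        if p["err_disabled"]:
            reasons.append("err-disabled by the ARP rate limit (scan or worm)")
        if reasons:
            out.append((port, reasons))
    return out
```

The DENY regex stops at the target IP on purpose, so it accepts both the truncated line from this page and the full message with its trailing timestamp. Feeding the switch's syslog into summarize() with the real gateway addresses gives one record per port; the sender MAC in the claims set is the value to pivot on when tracing the offending host, since DAI drops the packet before the spoofed IP ever reaches anyone's ARP cache.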

Once a host has obtained an address through DHCP, it cannot change its IP address, or its MAC address, and keep working: any ARP packet carrying a pair that is not in the binding table is dropped. Changing both at once only works if the new pair is itself a valid entry in the binding table or the ARP ACL, that is, the host would have to impersonate an existing legitimate binding.
