In previous articles, we explained the technology and configuration of DHCP Snooping. Here we explain how to use DAI on top of DHCP Snooping. First, let's look at the dynamic relationship between the two and how they are linked.
Use DAI (Dynamic ARP Inspection)
Cisco Dynamic ARP Inspection (DAI) validates the binding between IP address and MAC address on the switch, and builds that binding relationship dynamically: DAI relies on the DHCP Snooping binding table. For servers that do not use DHCP, a static ARP access-list can supply the bindings instead. DAI is configured per VLAN; within a VLAN it can be enabled or disabled per interface. DAI can also limit the number of ARP request packets accepted on a port. Together these techniques help prevent man-in-the-middle attacks.
Configuration example
IOS global commands:
- ip dhcp snooping vlan 100,200
- no ip dhcp snooping information option
- ip dhcp snooping
- ip arp inspection vlan 100,200  /* defines which VLANs are subject to ARP packet inspection */
- ip arp inspection log-buffer entries 1024
- ip arp inspection log-buffer logs 1024 interval 10
IOS interface commands:
- ip dhcp snooping trust
- ip arp inspection trust  /* marks the interface as trusted; use on interfaces towards other network devices and on TRUNK interfaces */
- ip arp inspection limit rate 15  /* limits ARP packets on the interface to 15 per second (pps) */
If the hosts do not use DHCP (so the binding table has no entries for them), use a static ARP access-list instead:
- arp access-list static-arp
- permit ip host 10.66.227.5 mac host 0009.6b88.d387
- ip arp inspection filter static-arp vlan 201
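The commands above only protect a VLAN when the pieces agree with each other: DAI needs a binding source (DHCP snooping on the same VLAN, or an ARP ACL), and uplinks must be trusted while host ports stay untrusted. The following Python script is an added example (not part of the original article and not Cisco code) that audits a running-config excerpt for exactly those points. The sample config is constructed: it repeats the article's global commands and adds three hypothetical interfaces, one of them a trunk deliberately left untrusted.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample running-config excerpt (not taken from a real switch). It
# repeats the article's global commands and adds three interfaces: a correctly
# trusted uplink, an untrusted access port, and a trunk that was left untrusted.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 100,200
no ip dhcp snooping information option
ip dhcp snooping
ip arp inspection vlan 100,200,300
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 1024 interval 10
!
interface GigabitEthernet1/1
 description uplink to core (assumed name)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface FastEthernet5/16
 switchport access vlan 100
 ip arp inspection limit rate 15
!
interface FastEthernet5/31
 switchport mode trunk
!
"""


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '100,200,300-302' into a set of VLAN ids."""
    vlans: Set[int] = set()
    for part in spec.split(','):
        if '-' in part:
            lo, hi = part.split('-')
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a running-config into global commands and per-interface command lists."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('!'):
            current = None
            continue
        if line.startswith('interface '):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(' ') and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def audit_dai(text: str) -> List[Tuple[str, str]]:
    """Return (subject, problem) pairs for DAI settings that contradict the intended design."""
    global_cmds, interfaces = parse_config(text)
    findings: List[Tuple[str, str]] = []
    snoop_vlans: Set[int] = set()
    dai_vlans: Set[int] = set()
    for cmd in global_cmds:
        m = re.fullmatch(r'ip dhcp snooping vlan (\S+)', cmd)
        if m:
            snoop_vlans |= expand_vlans(m.group(1))
        m = re.fullmatch(r'ip arp inspection vlan (\S+)', cmd)
        if m:
            dai_vlans |= expand_vlans(m.group(1))
    if 'ip dhcp snooping' not in global_cmds:
        findings.append(('global', 'DHCP snooping is not enabled globally, so no binding table is built'))
    # DAI without DHCP snooping on the same VLAN has nothing to validate against
    # unless an ARP ACL is filtered onto that VLAN.
    for vlan in sorted(dai_vlans - snoop_vlans):
        findings.append((f'vlan {vlan}',
                         'DAI is enabled but DHCP snooping is not; without an ARP ACL there are no bindings to match'))
    for name, cmds in interfaces.items():
        trunk = 'switchport mode trunk' in cmds
        trusted = 'ip arp inspection trust' in cmds
        if trunk and not trusted:
            findings.append((name, 'trunk is DAI-untrusted; ARP from other switches will be inspected and may be dropped'))
        if trusted and not trunk:
            findings.append((name, 'access port is DAI-trusted; ARP from this host is never validated'))
    return findings


if __name__ == '__main__':
    for subject, problem in audit_dai(SAMPLE_CONFIG):
        print(f'{subject}: {problem}')
```

Run against the constructed config it reports VLAN 300 (inspected but not snooped) and FastEthernet5/31 (untrusted trunk); the correctly configured uplink and access port produce no findings. Feed it the output of `show running-config` from your own switch to check the same two properties.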
Effect after DAI configuration:
On interfaces where DAI is enabled, hosts cannot access the network using addresses other than the ones bound to them.
Because DAI checks each ARP packet against the IP-address-to-MAC-address relationship recorded in the DHCP snooping binding table, man-in-the-middle attacks cannot succeed and the attack tool stops working. The following log lines show the switch warnings produced by a man-in-the-middle attempt:
- 3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2
Because ARP request packets are rate-limited, a client cannot scan or probe IP addresses, which is the behaviour of scanning tools and viruses. If such behaviour occurs, the switch immediately raises an alarm or shuts down the scanning machine's port outright. See the following output:
- 3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.  ***** alert
- 3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state  ***** the port is disconnected
- I49-4500-1# sh int f5/30
- FastEthernet5/30 is down, line protocol is down (err-disabled)
- Hardware is Fast Ethernet Port, address is 0002.b90e.3f4d (bia 0002.b90e.3f4d)
- MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
- reliability 255/255, txload 1/255, rxload 1/255
- I49-4500-1# ...
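The three messages above (DHCP_SNOOPING_DENY, PACKET_RATE_EXCEEDED and the resulting PM-4-ERR_DISABLE) are what a monitoring system should pick out of the switch syslog feed. As an added example, not part of the original article and not Cisco code, the Python below parses such lines into structured events, normalises the rate message to packets per second so it can be compared with the configured `limit rate`, and summarises which sender MAC/IP pairs were denied and which ports DAI has err-disabled. The sample lines are constructed from the messages quoted above; the sender/target fields and timestamp completing the DENY message are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample syslog lines modelled on the messages quoted in the article;
# the bracketed sender/target fields and the timestamp in the DENY line are invented.
SAMPLE_LOG = """\
3w0d: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa5/16, vlan 1.([000b.db1d.6ccd/192.168.1.200/0000.0000.0000/192.168.1.2/01:02:03 UTC Mon Mar 1 1993])
3w0d: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 184 milliseconds on Fa5/30.
3w0d: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa5/30, putting Fa5/30 in err-disable state
3w0d: %SYS-5-CONFIG_I: Configured from console by console
"""

INTF = r'(?P<intf>[A-Za-z]+\d[\d/]*)'   # e.g. Fa5/16, Gi1/0/1
DENY_RE = re.compile(
    r'%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) on '
    + INTF
    + r', vlan (?P<vlan>\d+)\.\(\['
    + r'(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/')
RATE_RE = re.compile(
    r'%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<count>\d+) packets received in (?P<ms>\d+) milliseconds on '
    + INTF)
ERRDIS_RE = re.compile(r'%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on ' + INTF)


@dataclass
class DaiEvent:
    kind: str                          # 'deny', 'rate_exceeded' or 'err_disable'
    interface: str
    count: int = 1
    vlan: Optional[int] = None
    sender_mac: Optional[str] = None
    sender_ip: Optional[str] = None
    target_ip: Optional[str] = None
    pps: Optional[float] = None        # observed ARP rate, rate_exceeded events only


def parse_dai_log(text: str) -> List[DaiEvent]:
    """Turn raw syslog text into structured DAI events; unrelated lines are skipped."""
    events: List[DaiEvent] = []
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            events.append(DaiEvent('deny', m['intf'], int(m['count']), int(m['vlan']),
                                   m['smac'], m['sip'], m['tip']))
            continue
        m = RATE_RE.search(line)
        if m:
            # The switch reports packets per observation window; normalise to
            # packets per second for comparison with 'ip arp inspection limit rate'.
            events.append(DaiEvent('rate_exceeded', m['intf'], int(m['count']),
                                   pps=int(m['count']) * 1000 / int(m['ms'])))
            continue
        m = ERRDIS_RE.search(line)
        if m and m['cause'] == 'arp-inspection':
            events.append(DaiEvent('err_disable', m['intf']))
    return events


def denied_senders(events: List[DaiEvent]) -> Dict[Tuple[str, str], int]:
    """Count denied ARPs per (sender MAC, sender IP): the hosts claiming bindings the table does not hold."""
    totals: Dict[Tuple[str, str], int] = {}
    for e in events:
        if e.kind == 'deny':
            key = (e.sender_mac, e.sender_ip)
            totals[key] = totals.get(key, 0) + e.count
    return totals


def err_disabled_by_dai(events: List[DaiEvent]) -> List[str]:
    """Ports shut down by the DAI rate limit; they stay down until recovered by an operator or errdisable recovery."""
    return [e.interface for e in events if e.kind == 'err_disable']


if __name__ == '__main__':
    evs = parse_dai_log(SAMPLE_LOG)
    for ev in evs:
        print(ev)
    print('denied senders:', denied_senders(evs))
    print('err-disabled by DAI:', err_disabled_by_dai(evs))
```

On the constructed lines the rate event works out to roughly 87 pps on Fa5/30, well above the 15 pps configured earlier, which is why the next line shows the port going err-disabled; the deny event identifies 000b.db1d.6ccd/192.168.1.200 on Fa5/16 as the host whose ARP did not match the binding table.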
Once a host has obtained an IP address, it cannot change its IP address or MAC address. Even if the host changes both its IP address and MAC address at the same time, the new pair must be a valid IP address and MAC address binding in the network for its traffic to pass.