I. Working principle:
A. Identify unauthorized hosts on the network by checking the sender MAC and IP address of ARP packets against the binding table, which is built by DHCP Snooping or from manually configured MAC-to-IP entries.
B. To mitigate malicious ARP spoofing, the rate of ARP request packets on an interface can be limited.
--- Tests show that ARP requests and replies (including illegitimate ones) arriving on untrusted ports are discarded, so no rate limit needs to be configured on untrusted ports (no manual change to the DHCP binding table or ARP access-list is required either).
Reference: http://wenku.baidu.com/view/cda2e815c5da50e2534d7f05.html
II. Test topology:
Test switch IOS:
-- Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)
III. Configuration steps:
A. Switch (SW1):
① Enable DHCP Snooping globally
ip dhcp snooping
② Enable DHCP Snooping on VLAN 11
ip dhcp snooping vlan 11
③ Configure the interface connecting to R2 (the DHCP server) as a trusted interface
interface FastEthernet0/2
 ip dhcp snooping trust
④ Enable DAI on VLAN 11
ip arp inspection vlan 11
B. DHCP server (R2) configuration:
① Configure the IP address pool
ip dhcp pool dhcppool
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.2
② Trust DHCP Option 82 (relay agent information)
interface GigabitEthernet0/0
 ip dhcp relay information trusted
IV. Test:
A. Both R1 and PC1 act as DHCP clients.
--- In this case the DHCP Snooping binding table contains the MAC address and IP address entries of both R1 and PC1, so when R1 pings PC1, the ARP reply from PC1 is forwarded normally by the switch; the same holds in the reverse direction.
B. Manually set the PC's IP address to one that was not assigned by DHCP.
--- For example, 10.1.1.130.
--- In this case the DHCP Snooping binding table has no MAC/IP entry for PC1, and the following log is reported immediately:
*Mar 2 00:45:40.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/9, vlan 11.([0050.56bc.9f6a/10.1.1.130/2.16.0000.0000/10.1.1.130/00:45:40 UTC Tue Mar 2
--- Now R1 cannot ping PC1. Capturing packets on PC1 shows the ARP request sent by R1 and the ARP reply that PC1 sends back to R1, yet show arp on R1 has no entry for PC1. So DAI decides based on the DHCP Snooping binding table: if there is no entry, the ARP reply arriving on that port is discarded.
--- If PC1 pings the interface address of R1 at this time, the capture on the PC shows that its ARP requests get no response at all, and the requests never appear in the debug output on R1. This means that, with DAI enabled, ARP requests from an interface with no binding entry are discarded as well.
--- Conclusion: on an interface without any special configuration, both ARP requests and ARP replies whose sender is not in the DHCP Snooping binding table are discarded by the switch.
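An added example, not part of the original post: a small Python parser for the %SW_DAI-4-DHCP_SNOOPING_DENY log line shown above, so drops can be counted per port and sender and a host claiming someone else's address can be found automatically. The sample log lines are constructed in the same format as the line above (the field order inside the brackets is sender MAC / sender IP / target MAC / target IP / time); only the first line is modelled on the post, the others are invented:

```python
"""Parse DAI deny syslog lines into records a monitoring system can count and alert on."""
import re
from collections import Counter

# Constructed sample syslog output; line 1 follows the post's log line, the rest are invented.
SAMPLE_LOG = """\
*Mar  2 00:45:40.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/9, vlan 11.([0050.56bc.9f6a/10.1.1.130/0000.0000.0000/10.1.1.130/00:45:40 UTC Tue Mar 2 1993])
*Mar  2 00:45:42.100: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/9, vlan 11.([0050.56bc.9f6a/10.1.1.130/0001.0001.0001/10.1.1.11/00:45:42 UTC Tue Mar 2 1993])
*Mar  2 00:46:01.512: %SW_DAI-4-DHCP_SNOOPING_DENY: 3 Invalid ARPs (Req) on Fa0/5, vlan 11.([00aa.bbcc.ddee/10.1.1.2/0000.0000.0000/10.1.1.11/00:46:01 UTC Tue Mar 2 1993])
*Mar  2 00:46:30.000: %SYS-5-CONFIG_I: Configured from console by console
"""

# Bracket fields: sender MAC / sender IP / target MAC / target IP / timestamp
DAI_DENY = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>Req|Res)\) "
    r"on (?P<port>[^,]+), vlan (?P<vlan>\d+)\.\(\["
    r"(?P<smac>[0-9a-fA-F.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-fA-F.]+)/(?P<tip>[\d.]+)/"
    r"(?P<when>[^\]]+)\]\)"
)


def parse_dai_denies(text: str) -> list:
    """Return one dict per DAI deny line; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = DAI_DENY.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])   # number of ARPs summarised by this line
        rec["vlan"] = int(rec["vlan"])
        rec["smac"] = rec["smac"].lower()
        records.append(rec)
    return records


def denies_by_sender(records) -> Counter:
    """Total dropped ARPs per (port, sender MAC, sender IP): the hosts to go and look at."""
    totals = Counter()
    for r in records:
        totals[(r["port"], r["smac"], r["sip"])] += r["count"]
    return totals


def claims_of(records, ip: str) -> list:
    """Ports and MACs that sourced denied ARPs claiming a given IP, e.g. the gateway 10.1.1.2."""
    return sorted({(r["port"], r["smac"]) for r in records if r["sip"] == ip})


if __name__ == "__main__":
    recs = parse_dai_denies(SAMPLE_LOG)
    for key, n in denies_by_sender(recs).items():
        print(f"{n:3d} denied ARPs from port {key[0]} mac {key[1]} ip {key[2]}")
    print("denied senders claiming 10.1.1.2:", claims_of(recs, "10.1.1.2"))
```

The third sample line is the case DAI exists for: a host on another port sourcing ARPs with the gateway's IP, which claims_of() surfaces directly.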
C. Workaround for hosts not recorded in the DHCP Snooping binding table
--- As DHCP clients, R1 and PC1 can ping each other, but neither can ping 10.1.1.2, the IP address of the DHCP server.
--- The reason is that DAI finds no entry for 10.1.1.2 in the DHCP binding table and discards the ARP reply sent by 10.1.1.2.
--- R2 itself does receive the ARP requests from R1 and PC1, so its ARP cache holds the entries for R1 and PC1.
--- If static ARP entries for R2 are added manually on R1 and PC1, they can ping R2.
① Configure the interface connecting to the device with the static IP address as a trusted interface
SW1(config-if)# ip arp inspection trust
② Define an ARP access-list and apply it to the VLAN for ARP inspection filtering
arp access-list testarp
 permit ip host 10.1.1.2 mac host 0002.0002.0002
ip arp inspection filter testarp vlan 11 [static]
--- The static keyword is optional; the difference between specifying and omitting it was not tested.
--- The access-list name is not validated when entered: even a name that does not exist is accepted without any warning.
③ Add a static entry to the DHCP Snooping binding table
ip source binding 0002.0002.0002 vlan 11 10.1.1.2 interface Fa0/2
--- Use show ip source binding to view both the dynamic and the static binding entries:
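The decision logic behind the working principle in section I, the configuration in section III and the tests in section IV, as an added Python model that is not part of the original post and is not Cisco code. It models only the simplified rules the post demonstrates (a DAI-trusted port bypasses inspection, the ARP access-list is consulted before the binding table, and a sender on any other port must match a binding in its VLAN). The meaning given to the static keyword (drop unmatched packets without consulting the binding table), R1's port Fa0/1, R1's MAC and both DHCP leases are assumptions; PC1's MAC comes from the log line and R2's MAC from the static binding command:

```python
"""Model of the Dynamic ARP Inspection (DAI) decision this post tests."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    in_port: str
    vlan: int


@dataclass
class DaiSwitch:
    trusted_ports: set = field(default_factory=set)   # 'ip arp inspection trust'
    bindings: set = field(default_factory=set)        # (vlan, mac, ip) from snooping or 'ip source binding'
    arp_acl: list = field(default_factory=list)       # [(action, ip, mac), ...] as in 'arp access-list'
    acl_static: bool = False                          # 'static' keyword on 'ip arp inspection filter'

    def add_binding(self, vlan: int, mac: str, ip: str) -> None:
        """A DHCP Snooping lease or a static 'ip source binding' entry."""
        self.bindings.add((vlan, mac.lower(), ip))

    def inspect(self, pkt: ArpPacket) -> tuple:
        """Return (verdict, reason); verdict is 'permit' or 'deny'."""
        if pkt.in_port in self.trusted_ports:
            return "permit", "DAI-trusted port, packet not inspected"
        # 1. The ARP ACL is consulted before the binding table.
        for action, ip, mac in self.arp_acl:
            if ip == pkt.sender_ip and mac == pkt.sender_mac.lower():
                return action, f"arp access-list clause: {action} ip host {ip} mac host {mac}"
        # Assumed semantics of the 'static' keyword (the post leaves it untested):
        # an unmatched packet is dropped without consulting the binding table.
        if self.arp_acl and self.acl_static:
            return "deny", "no ACL match and 'static' set, binding table not consulted"
        # 2. Otherwise the sender MAC/IP must be bound in this VLAN.
        if (pkt.vlan, pkt.sender_mac.lower(), pkt.sender_ip) in self.bindings:
            return "permit", "sender matches a DHCP Snooping binding"
        return "deny", f"Invalid ARP ({pkt.op}) on {pkt.in_port}, vlan {pkt.vlan}: sender not bound"


# Topology of the post. Fa0/9 (PC1) and Fa0/2 (R2) appear on the page; R1's port
# Fa0/1, R1's MAC and both DHCP leases are constructed values.
VLAN = 11
R1 = ("0001.0001.0001", "10.1.1.11", "Fa0/1")
PC1 = ("0050.56bc.9f6a", "10.1.1.12", "Fa0/9")   # MAC taken from the post's log line
R2 = ("0002.0002.0002", "10.1.1.2", "Fa0/2")     # from the post's static binding command


def reply_from(host, ip=None) -> ArpPacket:
    """Build the ARP reply a host sends; ip overrides its lease (the manual-address case)."""
    mac, lease_ip, port = host
    return ArpPacket("reply", mac, ip or lease_ip, port, VLAN)


def run_post_scenarios() -> dict:
    """Replay sections IV.A to IV.C and the three fixes; returns the verdict per scenario."""
    learned = {(VLAN, R1[0], R1[1]), (VLAN, PC1[0], PC1[1])}  # leases seen by DHCP Snooping
    results = {}
    sw = DaiSwitch(bindings=set(learned))
    # IV.A both hosts are DHCP clients: PC1's reply to R1 is forwarded
    results["pc1_dhcp_reply"] = sw.inspect(reply_from(PC1))[0]
    # IV.B PC1 sets 10.1.1.130 by hand: no binding for it, so the reply is dropped
    results["pc1_manual_ip"] = sw.inspect(reply_from(PC1, "10.1.1.130"))[0]
    # IV.C Fa0/2 is DHCP-Snooping trusted but not DAI-trusted, and R2 has no lease
    results["r2_no_fix"] = sw.inspect(reply_from(R2))[0]
    # Fix ① ip arp inspection trust on Fa0/2
    results["fix_trust"] = DaiSwitch(trusted_ports={"Fa0/2"}, bindings=set(learned)).inspect(reply_from(R2))[0]
    # Fix ② arp access-list testarp + ip arp inspection filter testarp vlan 11
    acl = [("permit", "10.1.1.2", "0002.0002.0002")]
    results["fix_acl"] = DaiSwitch(bindings=set(learned), arp_acl=acl).inspect(reply_from(R2))[0]
    # Fix ③ ip source binding 0002.0002.0002 vlan 11 10.1.1.2 interface Fa0/2
    sw3 = DaiSwitch(bindings=set(learned))
    sw3.add_binding(VLAN, R2[0], R2[1])
    results["fix_static_binding"] = sw3.inspect(reply_from(R2))[0]
    # Fix ② with the assumed 'static' keyword: a DHCP client absent from the ACL is now dropped too
    sw4 = DaiSwitch(bindings=set(learned), arp_acl=acl, acl_static=True)
    results["acl_static_pc1"] = sw4.inspect(reply_from(PC1))[0]
    return results


if __name__ == "__main__":
    for name, verdict in run_post_scenarios().items():
        print(f"{name:20s} {verdict}")
```

The last scenario is the reason to be careful with the static keyword under the assumed semantics: once the ACL becomes the only source of truth, every legitimate DHCP client also needs a clause, so fix ③ (a static binding) is the less intrusive way to admit a single statically addressed host.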