R1, R3 and R5 are all on VLAN 100, connected to switch SW1:
R1 = Static host
R3 = DHCP Server
R5 = DHCP client
SW1 already has DHCP snooping and Dynamic ARP Inspection (DAI) enabled for VLAN 100, with the port connected to R3 (the DHCP server) configured as trusted:
SW1#sho run | inc snoop|arp
ip dhcp snooping vlan 100
ip dhcp snooping
ip arp inspection vlan 100
 ip dhcp snooping trust
R5 gets an IP address from R3 and now we have the following entry on SW1:
SW1#sho ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:00:00:00:00:05   192.168.0.5      86381       dhcp-snooping  100   FastEthernet0/5
Total number of bindings: 1
R5 tries to ping R1 but can't:
R5#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
*Jan 7 09:36:20.361: IP: tableid=0, s=192.168.0.5 (local), d=192.168.0.1
(Ethernet0/0), routed via RIB
*Jan 7 09:36:20.361: IP: s=192.168.0.5 (local), d=192.168.0.1 (Ethernet0/0),
len 100, sending
*Jan 7 09:36:20.361: ICMP type=8, code=0
*Jan 7 09:36:20.361: IP ARP: creating incomplete entry for IP address:
192.168.0.1 interface Ethernet0/0
*Jan 7 09:36:20.361: IP ARP: sent req src 192.168.0.5 0000.0000.0005,
dst 192.168.0.1 0000.0000.0000 Ethernet0/0
On SW1 we see this:
SW1#debug arp
07:43:49: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 100.
([0000.0000.0001/192.168.0.1/0000.0000.0005/192.168.0.5/07:43:49 UTC Mon Mar 1 1993])
SW1 drops the ARP reply from R1: Fa0/1 is an untrusted port for ARP inspection, and R1 is statically addressed, so its sender MAC/IP pair (0000.0000.0001/192.168.0.1) is not in the DHCP snooping binding table and the reply fails validation. R5's request, by contrast, matches R5's own binding, so it is forwarded, and we can see it arrive on R1, which answers it:
R1#
*Mar 2 00:31:09.685: IP ARP: rcvd req src 192.168.0.5 0000.0000.0005,
dst 192.168.0.1 Ethernet0/0
*Mar 2 00:31:09.685: IP ARP: sent rep src 192.168.0.1 0000.0000.0001,
dst 192.168.0.5 0000.0000.0005 Ethernet0/0
But R5 never gets the reply. For non-DHCP hosts we can create an ARP ACL that permits the host's sender IP/MAC pair and apply it to the DAI configuration for the VLAN. (Two other options exist: a static entry in the binding table with ip source binding, which DAI consults alongside the DHCP-learned bindings, or trusting R1's port, which skips inspection for that port entirely.)
SW1(config)#arp access-list ARP-TEST
SW1(config-arp-nacl)#permit ip host 192.168.0.1 ?
mac Sender MAC address
SW1(config-arp-nacl)#permit ip host 192.168.0.1 mac ?
H.H.H Sender MAC address
any Any MAC address
host Single Sender host
SW1(config-arp-nacl)#permit ip host 192.168.0.1 mac host 0000.0000.0001
SW1(config-arp-nacl)#exit
SW1(config)#ip arp inspection filter ARP-TEST vlan 100
Now let's ping again. The first echo is lost while R5 resolves R1's MAC address; the rest succeed:
R5#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 8/9/12 ms
R5#
There is another option for the DAI filter and that is "static".
SW1(config)#ip arp inspection filter ARP-TEST vlan 100 ?
static Apply the ACL statically
With static, the implicit deny at the end of the ARP ACL is treated as an explicit deny: a packet that matches no ACL entry is dropped, and the DHCP snooping bindings are never consulted. R5's requests match no entry in ARP-TEST, so they would now be denied:
SW1(config)#ip arp inspection filter ARP-TEST vlan 100 static
R5#ping 192.168.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R5#
Check debugs on SW1:
SW1#
07:52:53: %SW_DAI-4-ACL_DENY: 1 Invalid ARPs (Req) on Fa0/5, vlan 100.
([0000.0000.0005/192.168.0.5/0000.0000.0000/192.168.0.1/07:52:53 UTC Mon Mar 1 1993])
Requests from R5 are now being denied inbound on Fa0/5 by the ACL's implicit deny (note the ACL_DENY reason, versus the DHCP_SNOOPING_DENY seen earlier). With static, every host on the VLAN has to be listed in the ARP ACL, which is only practical on a VLAN with no DHCP clients at all.
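The decision order DAI applies in the scenarios above (trusted port first, then the ARP ACL, then, unless static is set, the DHCP snooping bindings), as an added Python model that is not part of the original post and not a Cisco API. The ARP packets are constructed to mirror R5's request on Fa0/5 and R1's reply on Fa0/1, the assumption that R3 hangs off Fa0/3 is mine, and the spoofed packet at the end is added to show why the ACL entry pins the MAC with "mac host" rather than "mac any":

```python
"""Hypothetical model of Cisco DAI validation order (illustration only)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Arp:
    """One ARP packet as DAI sees it: ingress port/VLAN and the sender pair."""
    port: str
    vlan: int
    op: str           # "req" or "res"; DAI matches on the sender pair either way
    sender_mac: str
    sender_ip: str


@dataclass
class Switch:
    """Assumed DAI state for one VLAN; field names are this example's, not IOS's."""
    trusted: set = field(default_factory=set)    # ports with 'ip arp inspection trust'
    bindings: set = field(default_factory=set)   # (mac, ip, vlan, port) from DHCP snooping
    acl: list = field(default_factory=list)      # [(action, sender_ip, sender_mac or "any")]
    static: bool = False                         # 'ip arp inspection filter ... static'

    def inspect(self, pkt: Arp) -> str:
        if pkt.port in self.trusted:
            return "forward"                      # trusted ports are not inspected
        for action, ip, mac in self.acl:          # ARP ACL is consulted first
            if ip == pkt.sender_ip and mac in ("any", pkt.sender_mac):
                return "forward" if action == "permit" else "drop:ACL_DENY"
        if self.acl and self.static:
            return "drop:ACL_DENY"                # implicit deny is final with 'static'
        if (pkt.sender_mac, pkt.sender_ip, pkt.vlan, pkt.port) in self.bindings:
            return "forward"                      # fallback: DHCP snooping binding table
        return "drop:DHCP_SNOOPING_DENY"


# Constructed packets mirroring the post's debug output.
R5_REQ = Arp("Fa0/5", 100, "req", "0000.0000.0005", "192.168.0.5")
R1_RES = Arp("Fa0/1", 100, "res", "0000.0000.0001", "192.168.0.1")
# Constructed attacker on an unused port claiming R1's IP with its own MAC.
SPOOF_R1 = Arp("Fa0/7", 100, "res", "0000.0000.00aa", "192.168.0.1")
# Anything from the assumed DHCP-server port Fa0/3 (trusted).
FROM_R3 = Arp("Fa0/3", 100, "res", "0000.0000.0003", "192.168.0.3")

BINDING_R5 = ("0000.0000.0005", "192.168.0.5", 100, "Fa0/5")
ACL_ARP_TEST = [("permit", "192.168.0.1", "0000.0000.0001")]


def scenarios() -> dict:
    """Return (R5 request, R1 reply) verdicts for each configuration in the post."""
    base = dict(trusted={"Fa0/3"}, bindings={BINDING_R5})
    no_acl = Switch(**base)
    with_acl = Switch(acl=list(ACL_ARP_TEST), **base)
    static_acl = Switch(acl=list(ACL_ARP_TEST), static=True, **base)
    return {
        "no_acl": (no_acl.inspect(R5_REQ), no_acl.inspect(R1_RES)),
        "acl": (with_acl.inspect(R5_REQ), with_acl.inspect(R1_RES)),
        "acl_static": (static_acl.inspect(R5_REQ), static_acl.inspect(R1_RES)),
        "spoofed_r1": with_acl.inspect(SPOOF_R1),
        "trusted_port": with_acl.inspect(FROM_R3),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:13} -> {verdict}")
```

The spoofed_r1 case falls through the ACL because the sender MAC does not match, then fails the binding lookup; had the ACL been written with "mac any", the attacker's reply would have been forwarded.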
How would you enable DAI in a bridged lan environment if 2 of your switches hold different dhcp bindings?
You can trust the trunk link. This allows the first switch to perform DAI, while the other is only doing DAI for its locally connected hosts.
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_20_se/configuration/guide/swdynarp.html
Thanks for the post this is very helpful. I do have a question though. In a bridged lan environment with 5 switches connected to the core switch where would you place the ARP ACL and filter? There would be multiple NON-DHCP addresses on each switch. My first reaction would be to place the ARP ACL and filter on the Core switch. Is this correct?
Well, for the ip arp inspection filter static, I am not understanding in which scenario we will use this? We open ACL to allow non-DHCP client to reach R1 here but this static command will prevent that; then what's the purpose?
If the victim machine is not connected to the network, and I plug my laptop on the victim's switch port with spoofed victim MAC and IP address, would DAI still work?
@Anonymous
If you have that level of access into the victim environment, switch-level security controls aren't gonna help much.