Dynamic ARP Inspection (DAI)
Overview
Dynamic ARP Inspection (DAI) prevents ARP poisoning attacks by inspecting ARP requests and responses on untrusted ports. It validates ARP messages against the DHCP snooping binding table to ensure legitimate IP-to-MAC mappings.
For more info on DHCP Snooping, visit [[DHCP Snooping & Option 82]].
Key Functions
- Filters ARP messages received on untrusted ports
- Validates sender MAC and IP fields against DHCP snooping binding table
- Drops ARP messages without matching binding table entries
All ports are untrusted by default. Interfaces connected to switches or routers should be trusted, while end host ports should remain untrusted.
Basic Configuration
```
ip arp inspection vlan 1
interface Ethernet1/1
 description To-Another-Switch
 ip arp inspection trust
```
Note: DHCP snooping must be enabled for DAI to function, as it relies on the DHCP snooping binding table for validation.
How DAI Works
DAI inspects ARP messages on untrusted ports by checking the DHCP snooping binding table, which contains:
- IP address
- MAC address
- Interface
- VLAN
- Lease time
Validation Process:
- Match found: ARP message forwarded normally
- No match found: ARP message dropped
- Trusted ports: No inspection performed
ARP Access Lists
Use ARP ACLs when DHCP snooping is not available or when hosts use static IP assignments.
```
arp access-list ARP-ACL-1
 permit ip host 192.168.1.100 mac host 0001.0002.0003
 permit ip host 192.168.1.101 mac host 0001.0002.0004
ip arp inspection filter ARP-ACL-1 vlan 1
```
ARP ACLs provide an alternative validation method for environments without DHCP.
Rate Limiting
Default behavior: DAI rate limiting is enabled by default on untrusted ports with a limit of 15 packets per second. This differs from DHCP snooping, where rate limiting is disabled by default.
Configuring Rate Limits
```
interface Ethernet1/2
 ip arp inspection limit rate 25
errdisable recovery cause arp-inspection
errdisable recovery interval 300
```
Burst Interval Configuration
```
interface Ethernet1/2
 ip arp inspection limit rate 25 burst interval 2
```
This allows 25 ARP messages per 2 seconds before placing the interface into the error-disabled state.
Additional Validation Checks
Enable additional validation checks on untrusted ports for enhanced security:
```
ip arp inspection validate dst-mac src-mac ip
```
Validation Options:
- src-mac: Checks ARP body source MAC against Ethernet header source MAC
- dst-mac: Checks ARP body destination MAC against Ethernet header destination MAC
- ip: Validates IP addresses (no 0.0.0.0, 255.255.255.255, or multicast addresses)
Important: All specified validations must pass for ARP messages to be forwarded. None are enabled by default.
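As an added example that is not part of the original page or of any vendor code, the following Python models the forward/drop decision DAI makes for one ARP message, combining the trusted-port bypass, the optional src-mac, dst-mac and ip checks, the ARP-ACL-1 entries from above, and a constructed DHCP snooping binding table. The port names, binding entries and frames are assumed sample data, and the ARP ACL is applied without the `static` keyword, so a non-matching packet falls through to the binding table.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed DHCP snooping binding table: (ip, mac) -> (interface, vlan)
BINDINGS = {
    ("192.168.1.10", "0001.0002.0010"): ("Ethernet1/3", 1),
    ("192.168.1.11", "0001.0002.0011"): ("Ethernet1/4", 1),
}
# The two permit entries of ARP-ACL-1 from the page, applied to VLAN 1
ARP_ACL = {("192.168.1.100", "0001.0002.0003"), ("192.168.1.101", "0001.0002.0004")}
TRUSTED_PORTS = {"Ethernet1/1"}  # uplink configured with 'ip arp inspection trust'


@dataclass
class ArpFrame:
    in_port: str
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    sender_mac: str   # ARP body sender hardware address
    sender_ip: str    # ARP body sender protocol address
    target_mac: str   # ARP body target hardware address
    target_ip: str    # ARP body target protocol address
    is_reply: bool    # True for an ARP reply, False for an ARP request


def _bad_ip(ip: str) -> bool:
    # The 'ip' validation rejects 0.0.0.0, 255.255.255.255 and multicast
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


def inspect(frame: ArpFrame, validate=()) -> tuple:
    """Return ('forward', reason) or ('drop', reason); validate lists the
    optional checks enabled with 'ip arp inspection validate ...'."""
    if frame.in_port in TRUSTED_PORTS:
        return "forward", "trusted port, not inspected"
    if "src-mac" in validate and frame.sender_mac != frame.eth_src:
        return "drop", "src-mac mismatch"
    # dst-mac and target-IP checks apply to replies only
    if "dst-mac" in validate and frame.is_reply and frame.target_mac != frame.eth_dst:
        return "drop", "dst-mac mismatch"
    if "ip" in validate and (_bad_ip(frame.sender_ip)
                             or (frame.is_reply and _bad_ip(frame.target_ip))):
        return "drop", "invalid ip address"
    key = (frame.sender_ip, frame.sender_mac)
    if key in ARP_ACL:  # ACL permit entries are checked before the bindings
        return "forward", "arp acl match"
    if key in BINDINGS and BINDINGS[key][1] == frame.vlan:
        return "forward", "dhcp binding match"
    return "drop", "no binding for sender"
```

Note that without src-mac validation a frame whose Ethernet source differs from the ARP sender MAC still passes when the sender IP/MAC pair itself has a binding, which is why the extra checks are worth enabling.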
Individual Validation Commands
```
ip arp inspection validate src-mac
ip arp inspection validate dst-mac
ip arp inspection validate ip
```
Note that when the checks are entered as separate commands like this, each new `ip arp inspection validate` command replaces the previous one instead of adding to it, so only the last check (ip) remains enabled. To enable several checks at once, list them in a single command.
Logging
```
ip arp inspection vlan 1 logging acl-match matchlog
ip arp inspection vlan 1 logging dhcp-bindings all
```
Verification
```
show ip arp inspection
show ip arp inspection interfaces
show ip arp inspection vlan 1
show ip arp inspection statistics
```