What is Dynamic ARP Inspection and how to configure it?

Aruba Employee

Introduction : DAI (Dynamic ARP Inspection) inspects the ARP packets on a network and prevents ARP spoofing attacks.

 

Feature Notes : ARP:

1. It is a Layer-2 protocol which provides the L-2 to L-3 mapping on a physical network. On Ethernet, it maps an IP address to the MAC address of the device that owns it.

2. Every device keeps an ARP cache whose entries time out after a while.

3. A device can also send a Gratuitous ARP. This is a special ARP frame which is not sent in response to an ARP query. It lets all devices on that broadcast domain update their ARP caches preemptively with the device's MAC-IP mapping.


ARP Spoofing Attack:

It is a type of Man in the Middle attack. It happens when a device sends a Gratuitous ARP for another device's IP with its own MAC address. After this, all the data from the sender reaches the rogue device, because its destination MAC address is now the rogue device's address. The rogue device can snoop the data and then forward it on to the real recipient.


Dynamic ARP Inspection:

After DAI is enabled, an end device can still receive all ARP messages, but the switch only accepts from it ARP messages whose IP-MAC mapping matches the DHCP snooping table.
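The spoofing attack and the DAI check above, modelled in a short added example (this is not Aruba's code). The binding copies the DHCP snooping entry shown later in this article; the rogue MAC address, the static host's IP and the port numbers 0/0/21 and 0/0/24 are constructed for the example.

```python
# Added example (not Aruba's code): a model of the decision DAI makes for
# each ARP frame that arrives on a port carrying the port-security profile.
# The binding below copies the "show dhcp-snooping-database" entry from the
# article; the rogue MAC, the static host's IP and ports 0/0/21, 0/0/24 are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpFrame:
    ingress_port: str   # switch port the frame came in on
    vlan: int
    sender_mac: str     # ARP sender hardware address (what receivers cache)
    sender_ip: str      # ARP sender protocol address
    opcode: int         # 1 = request, 2 = reply; gratuitous ARP may use either

# (vlan, ip) -> mac, as learned by DHCP snooping on the access VLAN.
SNOOPING_TABLE = {(1, "10.1.1.251"): "f0:1f:af:52:44:09"}

# Ports whose port-security profile has dynamic-arp-inspection enabled.
# The uplink is left out on purpose (the article says DAI must not be put
# on uplink or server ports), so its frames are not inspected at all.
DAI_PORTS = {"gigabitethernet0/0/20", "gigabitethernet0/0/21"}

def inspect(frame: ArpFrame) -> tuple[bool, str]:
    """Return (allowed, reason) for one ARP frame."""
    if frame.ingress_port not in DAI_PORTS:
        return True, "uninspected port"
    # Requests and replies both carry a sender IP/MAC that neighbours cache,
    # so the claimed mapping is checked regardless of opcode.
    bound_mac = SNOOPING_TABLE.get((frame.vlan, frame.sender_ip))
    if bound_mac is None:
        return False, f"no DHCP binding for {frame.sender_ip} on vlan {frame.vlan}"
    if bound_mac.lower() != frame.sender_mac.lower():
        return False, f"{frame.sender_ip} is bound to {bound_mac}, not {frame.sender_mac}"
    return True, "sender matches DHCP snooping binding"

def demo() -> dict[str, bool]:
    """Run the situations the article describes and report each verdict."""
    legit = ArpFrame("gigabitethernet0/0/20", 1, "f0:1f:af:52:44:09", "10.1.1.251", 2)
    # Gratuitous ARP from a rogue host on port 0/0/21 claiming the victim's IP.
    spoof = ArpFrame("gigabitethernet0/0/21", 1, "00:11:22:33:44:55", "10.1.1.251", 2)
    # Static-address host: never seen by DHCP snooping, so it is dropped too.
    static = ArpFrame("gigabitethernet0/0/21", 1, "00:11:22:33:44:66", "10.1.1.77", 1)
    # Same spoofed frame arriving on the uplink, where DAI is not configured.
    uplink = ArpFrame("gigabitethernet0/0/24", 1, "00:11:22:33:44:55", "10.1.1.251", 2)
    return {name: inspect(f)[0] for name, f in
            [("legit", legit), ("spoof", spoof), ("static", static), ("uplink", uplink)]}

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:7s} -> {'forwarded' if allowed else 'dropped'}")
```

The "static" case is why the troubleshooting section below insists that the client must use DHCP: a host without a snooping binding is treated the same as a spoofer.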

 

Configuration Steps : First configure and verify the DHCP snooping:

   
1. Create a dhcp-snooping profile:

(ArubaS2500-24P) #configure t
(ArubaS2500-24P) (config) #vlan-profile dhcp-snooping-profile new
(ArubaS2500-24P) (dhcp-snooping-profile "new") #enable
(ArubaS2500-24P) (dhcp-snooping-profile "new") #exit

(ArubaS2500-24P) (config) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter      Value
---------      -----
DHCP Snooping  Enabled

2. Enable it on a vlan:

(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #dhcp-snooping-profile new
(ArubaS2500-24P) (VLAN "1") #exit

3. Verify that the DHCP snooping table is getting populated correctly:


(ArubaS2500-24P) (config) #show dhcp-snooping-database
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 19:33:01 (PST)  1        gigabitethernet0/0/20


4. Enable DAI in port security profile:

(ArubaS2500-24P) (config) #interface-profile port-security-profile try
(ArubaS2500-24P) (Port security profile "try") #dynamic-arp-inspection
(ArubaS2500-24P) (Port security profile "try") #exit

5. Map the port-security profile to the interface:

(ArubaS2500-24P) (config) #interface gigabitethernet 0/0/20
(ArubaS2500-24P) (gigabitethernet "0/0/20") #port-security-profile try

 

Answer :

 

After enabling DAI (ARP spoofing protection) on the interface, only ARP messages for the correct IP will be allowed to enter the switch from that port.

Switch learns the correct IP-MAC mapping through the DHCP snooping table that it builds up.

 

Verification :

 

1. Verify that DAI is enabled in the port security profile:

(ArubaS2500-24P) #show interface-profile port-security-profile try

Port security profile "try"
---------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  N/A
IPV6 RA Guard Auto Recovery Time      N/A
MAC Limit                             N/A
MAC Limit Action                      N/A
MAC Limit Auto Recovery Time          N/A
Trust DHCP                            No
Port Loop Protect                     N/A
Port Loop Protect Auto Recovery Time  N/A
Sticky MAC                            N/A
IP Source Guard                       Enabled
Dynamic Arp Inspection                Enabled

2. Verify that DHCP snooping is enabled on the vlan:

(ArubaS2500-24P) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter      Value
---------      -----
DHCP Snooping  Enabled

3. See that DHCP snooping table is getting populated correctly:

(ArubaS2500-24P) #show dhcp-snooping-database
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 22:58:13 (PST)  1        gigabitethernet0/0/20

 

 

Troubleshooting :

 

1. Verify that the port security profile is mapped to the interface.
2. Confirm that DHCP snooping is configured properly and that its table is getting populated with the correct entries.
3. Confirm that the client machine is using DHCP, otherwise it will have no entry in the DHCP snooping table.


Note: This feature must only be enabled on the access ports which connect to user stations. This must not be configured on Uplink ports or the ports which connect to servers.


Version history
Revision #: 1 of 1
Last update: 07-08-2014 03:36 PM

Comments
Bahaa Ardah

I have one question in regard to ARP spoofing. I have some Linux-based devices which appear like rogue devices in the Aruba network, and the controller is blocking the devices' ARP requests since ARP spoofing is enabled.

 

For testing we stopped the ARP spoofing and the devices get connected.

 

My question: is there any option to bypass those devices' MAC addresses while enabling the ARP spoofing in the controller?
