Introduction : Dynamic ARP Inspection (DAI) inspects the ARP packets in a network. This prevents ARP spoofing attacks in the network.
Feature Notes : ARP:
1. It is a Layer-2 protocol which provides the L-2 to L-3 mapping on a physical network. On Ethernet, it maps an IP address to a MAC address.
2. All devices keep an ARP cache whose entries time out after some time.
3. A device can also send a Gratuitous ARP. This is a special ARP frame which is not sent in response to an ARP query. It allows all devices on that broadcast domain to update their ARP caches preemptively with the device's MAC-IP mapping.
ARP Spoofing Attack:
It is a type of Man-in-the-Middle attack. It happens when a rogue device sends a Gratuitous ARP for another device's IP with its own MAC address. After this, all the data from the sender reaches the rogue device, because the destination MAC address of the frames is now the rogue device's address. The rogue device can snoop on the data and then forward it to the intended recipient.
Dynamic ARP Inspection:
After enabling DAI, the end device can still receive all ARP messages, but it can only send ARP replies whose IP-MAC mapping matches the DHCP snooping table.
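As an added illustration (this is not Aruba code or output from this article), the following Python models the decision DAI makes on an access port: an ARP reply or Gratuitous ARP is forwarded only when its sender IP-MAC pair is a DHCP snooping binding for that port and VLAN. The binding table holds the one entry shown in this article; the rogue MAC and the gateway IP in the sample frames are constructed, and treating ARP requests as unchecked is an assumption of this simplified model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpFrame:
    sender_mac: str
    sender_ip: str
    vlan: int
    ingress: str
    is_reply: bool  # True for an ARP reply or Gratuitous ARP, False for a request


# DHCP snooping table: the one dynamic entry shown in this article's output
SNOOP_TABLE = (
    Binding("f0:1f:af:52:44:09", "10.1.1.251", 1, "gigabitethernet0/0/20"),
)


def dai_verdict(frame, table=SNOOP_TABLE, uninspected_ports=frozenset()):
    """Return (verdict, reason) for one ARP frame entering the switch.

    Ports without DAI (uplinks, server ports, as the article's note requires)
    are not inspected. On an inspected port a station may send ARP requests,
    but a reply or Gratuitous ARP must carry an IP-MAC pair that the DHCP
    snooping table holds for that port and VLAN (assumption: requests are
    passed unchecked in this simplified model).
    """
    if frame.ingress in uninspected_ports:
        return "permit", "DAI not enabled on this port"
    if not frame.is_reply:
        return "permit", "ARP request"
    for b in table:
        if (b.vlan == frame.vlan and b.interface == frame.ingress
                and b.mac == frame.sender_mac.lower() and b.ip == frame.sender_ip):
            return "permit", "sender IP-MAC pair matches DHCP snooping binding"
    return "drop", "sender IP-MAC pair has no DHCP snooping binding on this port"


# Constructed sample frames: the bound client replying normally, and a rogue
# station (constructed MAC) sending a Gratuitous ARP for the gateway IP
LEGIT = ArpFrame("f0:1f:af:52:44:09", "10.1.1.251", 1, "gigabitethernet0/0/20", True)
SPOOF = ArpFrame("de:ad:be:ef:00:01", "10.1.1.1", 1, "gigabitethernet0/0/20", True)

if __name__ == "__main__":
    for f in (LEGIT, SPOOF):
        print(f.sender_ip, f.sender_mac, *dai_verdict(f))
```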
Configuration Steps : First configure and verify DHCP snooping:
1. Create a dhcp-snooping profile:
(ArubaS2500-24P) #configure t
(ArubaS2500-24P) (config) #vlan-profile dhcp-snooping-profile new
(ArubaS2500-24P) (dhcp-snooping-profile "new") #enable
(ArubaS2500-24P) (dhcp-snooping-profile "new") #exit
(ArubaS2500-24P) (config) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter Value
--------- -----
DHCP Snooping Enabled
2. Enable it on a vlan:
(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #dhcp-snooping-profile new
(ArubaS2500-24P) (VLAN "1") #exit
3. Verify that the DHCP snooping table is getting populated correctly:
(ArubaS2500-24P) (config) #show dhcp-snooping-database
----------------
MAC IP BINDING-STATE LEASE-TIME VLAN-ID INTERFACE
--- -- ------------- ---------- ------- ---------
f0:1f:af:52:44:09 10.1.1.251 Dynamic entry 2013-12-28 19:33:01 (PST) 1 gigabitethernet0/0/20
4. Enable DAI in port security profile:
(ArubaS2500-24P) (config) #interface-profile port-security-profile try
(ArubaS2500-24P) (Port security profile "try") #dynamic-arp-inspection
(ArubaS2500-24P) (Port security profile "try") #exit
5. Map the port-security profile to the interface:
(ArubaS2500-24P) (config) #interface gigabitethernet 0/0/20
(ArubaS2500-24P) (gigabitethernet "0/0/20") #port-security-profile try
Answer :
After enabling DAI on the interface, only ARP messages carrying the correct IP are allowed to enter the switch from that port.
The switch learns the correct IP-MAC mapping from the DHCP snooping table that it builds up.
Verification :
1. Verify that DAI is enabled in the port security profile:
(ArubaS2500-24P) #show interface-profile port-security-profile try
Port security profile "try"
---------------------------
Parameter Value
--------- -----
IPV6 RA Guard Action N/A
IPV6 RA Guard Auto Recovery Time N/A
MAC Limit N/A
MAC Limit Action N/A
MAC Limit Auto Recovery Time N/A
Trust DHCP No
Port Loop Protect N/A
Port Loop Protect Auto Recovery Time N/A
Sticky MAC N/A
IP Source Guard Enabled
Dynamic Arp Inspection Enabled
2. Verify that DHCP snooping is enabled on the vlan:
(ArubaS2500-24P) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter Value
--------- -----
DHCP Snooping Enabled
3. Verify that the DHCP snooping table is getting populated correctly:
(ArubaS2500-24P) #show dhcp-snooping-database
DHCP Snoop Table
----------------
MAC IP BINDING-STATE LEASE-TIME VLAN-ID INTERFACE
--- -- ------------- ---------- ------- ---------
f0:1f:af:52:44:09 10.1.1.251 Dynamic entry 2013-12-28 22:58:13 (PST) 1 gigabitethernet0/0/20
Troubleshooting :
1. Verify that the port security profile is mapped to the interface.
2. Confirm that DHCP snooping is configured properly and that the table is getting populated with correct entries.
3. Verify that the client machine is using DHCP.
Note: This feature must only be enabled on the access ports which connect to user stations. It must not be configured on uplink ports or on ports which connect to servers.