Wired Intelligent Edge (Campus Switching and Routing)


What is Dynamic ARP Inspection and how to configure it? 

Jul 08, 2014 06:36 PM

Introduction: DAI inspects the ARP packets on a network and prevents ARP spoofing attacks.


Feature Notes: ARP

1. It is a Layer-2 protocol that provides the L2-to-L3 mapping on a physical network. On Ethernet, it maps between MAC addresses and IP addresses.

2. Every device keeps an ARP cache whose entries age out after a timeout.

3. A device can also send a gratuitous ARP, a special ARP frame that is not sent in response to an ARP query. It lets every device in the broadcast domain update its ARP cache pre-emptively with the sender's MAC-IP mapping.


ARP Spoofing Attack:

It is a type of man-in-the-middle attack. It happens when a device sends a gratuitous ARP for another device's IP address with its own MAC address. From then on, all traffic from the sender reaches the rogue device, because the destination MAC address in the frames is the rogue device's address. The rogue device can snoop on the data and then forward it to the intended recipient.


Dynamic ARP Inspection:

After enabling DAI, the end device still receives all ARP messages, but the switch only accepts ARP messages from it whose IP-MAC mapping matches the DHCP snooping table.


Configuration Steps: First configure and verify DHCP snooping:

1. Create a dhcp-snooping profile:

(ArubaS2500-24P) #configure t
(ArubaS2500-24P) (config) #vlan-profile dhcp-snooping-profile new
(ArubaS2500-24P) (dhcp-snooping-profile "new") #enable
(ArubaS2500-24P) (dhcp-snooping-profile "new") #exit

(ArubaS2500-24P) (config) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter      Value
---------      -----
DHCP Snooping  Enabled

2. Enable it on a VLAN:

(ArubaS2500-24P) (config) #vlan 1
(ArubaS2500-24P) (VLAN "1") #dhcp-snooping-profile new
(ArubaS2500-24P) (VLAN "1") #exit

3. Verify that the DHCP snooping table is being populated correctly:

(ArubaS2500-24P) (config) #show dhcp-snooping-database
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 19:33:01 (PST)  1        gigabitethernet0/0/20


4. Enable DAI in a port-security profile:

(ArubaS2500-24P) (config) #interface-profile port-security-profile try
(ArubaS2500-24P) (Port security profile "try") #dynamic-arp-inspection
(ArubaS2500-24P) (Port security profile "try") #exit

5. Map the port-security profile to the interface:

(ArubaS2500-24P) (config) #interface gigabitethernet 0/0/20
(ArubaS2500-24P) (gigabitethernet "0/0/20") #port-security-profile try


Answer:


After enabling ARP spoofing protection (DAI) on the interface, only ARP messages carrying the correct IP for that port are allowed to enter the switch.

The switch learns the correct IP-MAC mapping from the DHCP snooping table that it builds up.
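To make the allow/drop rule above concrete, here is an added Python model (not Aruba code, and not part of the original post) that parses the `show dhcp-snooping-database` output from step 3 and applies the DAI check to constructed ARP frames. The second access port 0/0/21, the uplink 0/0/24, the rogue and gateway MACs, and the 10.1.1.77 static host are assumed values for illustration.

```python
import re
from collections import namedtuple

# Constructed copy of the 'show dhcp-snooping-database' output shown above.
SNOOP_TABLE = """\
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 22:58:13 (PST)  1        gigabitethernet0/0/20
"""
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
# Ingress port, VLAN, ARP sender hardware address, ARP sender protocol address.
ArpFrame = namedtuple("ArpFrame", "ingress vlan sender_mac sender_ip")

def parse_snoop_table(text):
    """Index the table rows as {(vlan, ip): mac}; columns are separated by 2+ spaces."""
    bindings = {}
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) == 6 and MAC_RE.match(fields[0]):
            mac, ip, _state, _lease, vlan, _iface = fields
            bindings[(int(vlan), ip)] = mac.lower()
    return bindings

def dai_verdict(frame, bindings, dai_ports):
    """Model of DAI: ports without the profile are not inspected; inspected ports
    forward an ARP only if the sender IP-MAC pair matches a snooping binding."""
    if frame.ingress not in dai_ports:
        return "forward"
    expected_mac = bindings.get((frame.vlan, frame.sender_ip))
    if expected_mac is None:
        return "drop: no DHCP snooping binding for sender IP"
    if expected_mac != frame.sender_mac.lower():
        return "drop: sender MAC does not match binding"
    return "forward"

def demo(dai_ports=frozenset({"gigabitethernet0/0/20", "gigabitethernet0/0/21"})):
    bindings = parse_snoop_table(SNOOP_TABLE)
    frames = {  # constructed frames: 0/0/21 is a second access port, 0/0/24 the uplink
        "legit":   ArpFrame("gigabitethernet0/0/20", 1, "f0:1f:af:52:44:09", "10.1.1.251"),
        "spoof":   ArpFrame("gigabitethernet0/0/21", 1, "00:11:22:33:44:55", "10.1.1.251"),
        "static":  ArpFrame("gigabitethernet0/0/21", 1, "00:11:22:33:44:55", "10.1.1.77"),
        "gateway": ArpFrame("gigabitethernet0/0/24", 1, "00:aa:bb:cc:dd:ee", "10.1.1.1"),
    }
    return {name: dai_verdict(f, bindings, dai_ports) for name, f in frames.items()}
```

Calling `demo()` with the uplink added to `dai_ports` shows why the note at the end matters: the gateway's ARP has no DHCP binding and would be dropped.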


Verification:


1. Verify that DAI is enabled in the port security profile:

(ArubaS2500-24P) #show interface-profile port-security-profile try

Port security profile "try"
---------------------------
Parameter                             Value
---------                             -----
IPV6 RA Guard Action                  N/A
IPV6 RA Guard Auto Recovery Time      N/A
MAC Limit                             N/A
MAC Limit Action                      N/A
MAC Limit Auto Recovery Time          N/A
Trust DHCP                            No
Port Loop Protect                     N/A
Port Loop Protect Auto Recovery Time  N/A
Sticky MAC                            N/A
IP Source Guard                       Enabled
Dynamic Arp Inspection                Enabled

2. Verify that DHCP snooping is enabled on the vlan:

(ArubaS2500-24P) #show vlan-profile dhcp-snooping-profile new
dhcp-snooping-profile "new"
---------------------------
Parameter      Value
---------      -----
DHCP Snooping  Enabled

3. Verify that the DHCP snooping table is being populated correctly:

(ArubaS2500-24P) #show dhcp-snooping-database
DHCP Snoop Table
----------------
MAC                IP          BINDING-STATE  LEASE-TIME                 VLAN-ID  INTERFACE
---                --          -------------  ----------                 -------  ---------
f0:1f:af:52:44:09  10.1.1.251  Dynamic entry  2013-12-28 22:58:13 (PST)  1        gigabitethernet0/0/20


Troubleshooting:


1. Verify that the port-security profile is mapped to the interface.
2. Confirm that DHCP snooping is configured properly and that its table is being populated with the correct entries.
3. Confirm that the client machine obtains its address via DHCP, since DAI only trusts bindings learned by DHCP snooping.


Note: This feature must only be enabled on the access ports that connect to user stations. It must not be configured on uplink ports or on ports that connect to servers.
