Dynamic ARP Inspection: Protecting Your Network from ARP Spoofing

Pits

In any network, one common security issue is ARP spoofing, where attackers send fake ARP messages to trick devices into sending data to the wrong place. This can lead to stolen information or traffic being intercepted. Dynamic ARP Inspection, or DAI, is a feature on switches that helps prevent this by checking ARP packets and making sure they come from legitimate devices.


ARP Review

Before diving into Dynamic ARP Inspection, it’s helpful to understand ARP itself. ARP stands for Address Resolution Protocol. It’s a network protocol used to map an IP address to a device’s MAC address. In simpler terms, it helps devices on a local network know where to send data.

For example, if your computer wants to send a message to another device on the same network, it needs to know the MAC address of that device. It sends an ARP request asking, “Who has this IP address?” The device with that IP replies with its MAC address, and communication happens.

ARP has no authentication. A host accepts an ARP reply from anyone, including replies it never asked for, and overwrites its cache with whatever arrived last. An attacker on the same VLAN can therefore answer a request for the gateway's IP with their own MAC address, or simply announce it unprompted, and victims will send gateway-bound traffic to the attacker. This is the gap Dynamic ARP Inspection closes: the switch checks ARP packets itself instead of trusting the hosts to.


ARP Messages and Gratuitous ARP

ARP communication mainly involves two types of messages: ARP requests and ARP replies.

  • ARP Request: This is when a device asks the network, “Who has this IP address?” The device doesn’t know the MAC address yet and is trying to find it.

  • ARP Reply: This is the response from the device that owns the IP address, providing its MAC address so communication can happen.

There's also gratuitous ARP: a device announces its own IP-to-MAC mapping without being asked, typically as a broadcast in which the sender and target IP addresses are the same. It's used when a device joins the network, changes its IP, or takes over an address during failover, so that neighbours update their ARP tables. Because hosts update their cache on receipt, a forged gratuitous ARP is the simplest form of ARP spoofing: the attacker broadcasts the gateway's IP with their own MAC and waits.

Dynamic ARP Inspection monitors all these ARP messages to make sure they are legitimate, protecting the network from spoofing attacks.
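To make the message formats concrete, here is a small builder and parser for Ethernet/ARP frames. It is an added example and not code from the original post; the MAC and IP addresses in it are constructed for illustration. It produces the request, reply and gratuitous forms described above and decodes the six address fields that DAI will later compare against its bindings, including the attacker's forged announcement of the gateway's address.

```python
import struct

ETH_P_ARP = 0x0806                  # EtherType for ARP
ARP_REQUEST, ARP_REPLY = 1, 2       # ARP 'oper' values
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _ip(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def _fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, eth_dst=None) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet)."""
    if eth_dst is None:
        eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = _mac(eth_dst) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, oper
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def arp_request(sender_mac, sender_ip, target_ip) -> bytes:
    """'Who has target_ip? Tell sender_ip': broadcast, target MAC still unknown."""
    return build_arp(ARP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """'sender_ip is at sender_mac': unicast back to the host that asked."""
    return build_arp(ARP_REPLY, sender_mac, sender_ip, target_mac, target_ip)


def gratuitous_arp(mac, ip) -> bytes:
    """Unsolicited announcement: sender IP == target IP, broadcast to the whole VLAN.
    Built as a reply here; many stacks send the request form with the same addresses."""
    return build_arp(ARP_REPLY, mac, ip, mac, ip, eth_dst=BROADCAST)


def parse_arp(frame: bytes) -> dict:
    """Decode the fields DAI inspects: Ethernet src/dst plus the four ARP address fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not an ARP frame (EtherType 0x{ethertype:04x})")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    pkt = {
        "eth_dst": _fmt_mac(frame[0:6]), "eth_src": _fmt_mac(frame[6:12]), "op": op,
        "sha": _fmt_mac(frame[22:28]), "spa": _fmt_ip(frame[28:32]),   # sender hw/proto addr
        "tha": _fmt_mac(frame[32:38]), "tpa": _fmt_ip(frame[38:42]),   # target hw/proto addr
    }
    pkt["gratuitous"] = pkt["spa"] == pkt["tpa"]
    return pkt


# Constructed addresses for the walk-through (not captured traffic).
HOST_MAC, HOST_IP = "00:1a:2b:3c:4d:5e", "192.168.1.10"
GW_MAC, GW_IP = "00:1a:2b:3c:4d:01", "192.168.1.1"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def example_exchange():
    """A normal request/reply pair, then the attacker's forged gratuitous announcement."""
    req = parse_arp(arp_request(HOST_MAC, HOST_IP, GW_IP))
    rep = parse_arp(arp_reply(GW_MAC, GW_IP, HOST_MAC, HOST_IP))
    # The attacker claims the gateway's IP lives at its own MAC; any host that accepts
    # this overwrites its cache and sends gateway-bound traffic to the attacker.
    spoof = parse_arp(gratuitous_arp(ATTACKER_MAC, GW_IP))
    return req, rep, spoof


if __name__ == "__main__":
    for name, p in zip(("request", "reply", "spoofed gratuitous"), example_exchange()):
        print(f"{name:19} op={p['op']} {p['sha']}/{p['spa']} -> {p['tha']}/{p['tpa']}")
```

Nothing in the forged frame is malformed: it is a perfectly valid gratuitous ARP whose only problem is that the sender MAC does not belong to the sender IP. That is exactly why the check has to happen on the switch, against a table of who really holds which address, rather than in the receiving host.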


Dynamic ARP Inspection (DAI)

Now that we understand ARP and how it can be exploited, let’s look at Dynamic ARP Inspection. DAI is a security feature on switches that protects the network from ARP spoofing. It works by inspecting ARP packets sent by devices and verifying that the IP-to-MAC address matches a trusted list.

If the ARP packet is valid, it’s allowed to pass. If it doesn’t match the trusted information, the switch blocks it. This prevents attackers from sending fake ARP messages that could intercept or redirect network traffic.

DAI takes its trusted list from the DHCP snooping binding database, which records the IP address, MAC address, VLAN and port of every lease the switch has watched a DHCP server hand out. Hosts with static addresses never get a binding and have to be covered by an ARP ACL instead, or their ARP will be dropped. Ports on the switch are classified as trusted or untrusted, so the switch knows which ARP packets to inspect and which to forward unchecked.


ARP Poisoning

ARP poisoning, also called ARP spoofing, is a common network attack that Dynamic ARP Inspection helps prevent. In ARP poisoning, an attacker sends fake ARP messages to devices on the network. These messages link the attacker’s MAC address to the IP address of another device, like a router or server.

As a result, traffic intended for the legitimate device is sent to the attacker instead. This allows them to intercept, modify, or even block data. ARP poisoning can lead to man-in-the-middle attacks, data theft, and network disruption.

Dynamic ARP Inspection prevents this by verifying ARP messages against a trusted database of IP-to-MAC address bindings. Any packet that doesn’t match is blocked, keeping the network safe from ARP-based attacks.


How DAI Works: Trusted vs Untrusted Ports

Dynamic ARP Inspection relies on the concept of trusted and untrusted ports on a switch:

  • Trusted Ports: These are usually uplinks to other switches or to infrastructure you control. ARP packets coming from these ports are forwarded without inspection, so a trusted port is only as safe as whatever is plugged into it: trust an uplink only if the switch on the other end enforces DAI itself, and never mark an access port trusted just to silence drops.

  • Untrusted Ports: These are typically access ports where end devices connect. ARP packets from these ports are checked against the trusted IP-to-MAC bindings. If a packet doesn’t match, it is blocked.

This setup keeps the network protected without blocking legitimate traffic. DAI uses the IP-to-MAC bindings learned by DHCP snooping, so on untrusted ports only ARP packets whose sender addresses match a lease the switch has seen are forwarded. Two consequences follow: DHCP snooping must be running on the same VLANs, with the DHCP server reachable through a port that is trusted for snooping, and hosts with static IP addresses need an ARP ACL entry or their ARP will be dropped.

Additionally, DAI rate-limits ARP on untrusted ports (15 packets per second by default on Cisco IOS) to protect against ARP floods, where an attacker sends many ARP packets to exhaust the switch CPU that performs the inspection. A port that exceeds its limit is put into the err-disabled state, not merely trimmed to the limit.


Dynamic ARP Inspection Operations

Dynamic ARP Inspection works through a few key operations that ensure ARP packets are legitimate:

  1. Packet Inspection: The switch examines each ARP packet sent from untrusted ports. It checks the IP and MAC address in the packet against a trusted database.

  2. Validation: If the IP-to-MAC address matches a trusted binding from DHCP snooping, the packet is allowed. If it doesn’t match, the packet is dropped, preventing potential attacks.

  3. Logging and Alerts: DAI can log invalid or suspicious ARP packets. This helps network administrators detect and respond to potential ARP attacks.

  4. Rate Limiting: DAI caps the number of ARP packets an untrusted port may send per second (15 pps by default). Inspection is done by the switch CPU, so without a cap an ARP flood could overwhelm the switch and disrupt normal operations. On Cisco IOS a port that exceeds its limit is err-disabled and stays down until an administrator re-enables it or errdisable recovery is configured for the arp-inspection cause.

These operations work together to make sure ARP traffic on the network is valid, protecting devices from spoofing and man-in-the-middle attacks.
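The four operations above, as an added example that is not part of the original post: a small Python model of a DAI-enabled switch with constructed ports, VLAN and addresses. It keeps the DHCP snooping bindings, the per-port trust state and a one-second rate window, and returns a verdict for each ARP packet so the effect of each check can be seen. The 15 pps default and the err-disable reaction are Cisco IOS behaviour; the interface names and addresses are made up, and the model checks the sender IP/MAC against the binding's VLAN only (the real binding table also records the port).

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPkt:
    port: str   # ingress interface
    vlan: int
    sha: str    # sender MAC in the ARP body
    spa: str    # sender IP
    tha: str    # target MAC
    tpa: str    # target IP


class DaiSwitch:
    """Models DAI's decision on one switch: trust state, DHCP snooping bindings, rate limit."""

    def __init__(self, rate_limit_pps: int = 15):   # 15 pps is the IOS default for untrusted ports
        self.bindings = {}                  # (vlan, ip) -> mac, populated by DHCP snooping
        self.trusted = set()                # ports configured with 'ip arp inspection trust'
        self.err_disabled = set()
        self.rate_limit_pps = rate_limit_pps
        self.stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})   # per VLAN
        self.log = []                       # what the switch would send to syslog
        self._window = defaultdict(deque)   # port -> arrival times within the last second

    def learn_dhcp(self, vlan: int, ip: str, mac: str) -> None:
        """A DHCP ACK seen by DHCP snooping creates the binding DAI will accept."""
        self.bindings[(vlan, ip)] = mac

    def inspect(self, pkt: ArpPkt, now: float) -> str:
        if pkt.port in self.err_disabled:
            return "drop:port-err-disabled"
        if pkt.port in self.trusted:        # trusted ports bypass every check
            self.stats[pkt.vlan]["forwarded"] += 1
            return "forward:trusted"
        # Rate limit: IOS err-disables an untrusted port that exceeds its limit
        # (recovered by hand or via 'errdisable recovery cause arp-inspection').
        window = self._window[pkt.port]
        window.append(now)
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) > self.rate_limit_pps:
            self.err_disabled.add(pkt.port)
            self.log.append(f"PACKET_RATE_EXCEEDED on {pkt.port}: port err-disabled")
            return "errdisable:rate-exceeded"
        # Binding check: the sender IP/MAC pair must match a lease seen on this VLAN.
        if self.bindings.get((pkt.vlan, pkt.spa)) != pkt.sha:
            self.stats[pkt.vlan]["dropped"] += 1
            self.log.append(
                f"DHCP_SNOOPING_DENY on {pkt.port} vlan {pkt.vlan}: {pkt.sha}/{pkt.spa} -> {pkt.tpa}")
            return "drop:no-matching-binding"
        self.stats[pkt.vlan]["forwarded"] += 1
        return "forward"


ZERO = "00:00:00:00:00:00"


def scenario():
    """Constructed traffic on VLAN 10: a legitimate host, a trusted uplink, an attacker, a flood."""
    sw = DaiSwitch()
    sw.trusted.add("Gi0/1")                                    # uplink toward the DHCP server
    sw.learn_dhcp(10, "192.168.1.10", "00:1a:2b:3c:4d:5e")     # host on Gi0/2
    sw.learn_dhcp(10, "192.168.1.11", "00:1a:2b:3c:4d:5f")     # host on Gi0/4
    r = {}
    good = ArpPkt("Gi0/2", 10, "00:1a:2b:3c:4d:5e", "192.168.1.10", ZERO, "192.168.1.1")
    r["legit_host"] = sw.inspect(good, 0.0)
    # Attacker on Gi0/3 announces the gateway's IP with its own MAC (gratuitous reply).
    spoof = ArpPkt("Gi0/3", 10, "de:ad:be:ef:00:01", "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.1")
    r["spoofed_gateway"] = sw.inspect(spoof, 0.1)
    # Same attacker claiming a real host's leased IP: a binding exists but the MAC differs.
    r["wrong_mac"] = sw.inspect(
        ArpPkt("Gi0/3", 10, "de:ad:be:ef:00:01", "192.168.1.10", ZERO, "192.168.1.1"), 0.2)
    # The real gateway answering through the trusted uplink is never inspected.
    r["uplink"] = sw.inspect(
        ArpPkt("Gi0/1", 10, "00:1a:2b:3c:4d:01", "192.168.1.1", "00:1a:2b:3c:4d:5e", "192.168.1.10"), 0.3)
    # Sixteen otherwise valid ARPs within 150 ms from Gi0/4 trip the 15 pps limit on the 16th.
    flood = ArpPkt("Gi0/4", 10, "00:1a:2b:3c:4d:5f", "192.168.1.11", ZERO, "192.168.1.1")
    verdicts = [sw.inspect(flood, 1.0 + i * 0.01) for i in range(16)]
    r["flood"] = verdicts[-1]
    r["after_flood"] = sw.inspect(flood, 1.5)                  # the port stays down
    return r, sw


if __name__ == "__main__":
    results, switch = scenario()
    for name, verdict in results.items():
        print(f"{name:16} {verdict}")
    print(*switch.log, sep="\n")
```

Two things the model makes visible: the flood from Gi0/4 consists of ARP packets that would each pass the binding check, so rate limiting is a separate defence and not a by-product of validation, and the err-disabled port drops everything afterwards, including the legitimate host's own ARP, which is the operational cost you accept when you lower the limit.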


Configuring Dynamic ARP Inspection

To use Dynamic ARP Inspection on a Cisco switch, you need to follow these steps:

  1. Enable DHCP Snooping: DAI relies on the DHCP snooping binding table to know which IP-to-MAC pairs are valid. Enable it globally and on the same VLANs, and mark the port facing the DHCP server (normally the uplink) as trusted for DHCP snooping with ip dhcp snooping trust; otherwise the server's replies are dropped and no bindings are ever learned.

  2. Enable DAI on VLANs: Specify which VLANs should have ARP inspection enabled. Start with one VLAN and watch the statistics before rolling it out, because every host with a static address on that VLAN loses ARP the moment DAI comes on.

  3. Set Trusted Ports: Mark uplink or switch-to-switch ports as trusted for ARP inspection so legitimate traffic isn't blocked. Leave access ports untrusted, including the ones that look harmless.

  4. Optionally Configure Rate Limits and Validation: Adjust the ARP rate limit on untrusted ports (15 pps by default) and enable the optional source MAC, destination MAC and IP checks.

Sample Configuration

Here’s a simple example for VLAN 10:

Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
Switch(config)# ip arp inspection vlan 10
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust

Explanation:

  • ip dhcp snooping enables DHCP snooping globally.

  • ip dhcp snooping vlan 10 activates DHCP snooping on VLAN 10.

  • ip arp inspection vlan 10 turns on DAI for VLAN 10.

  • ip arp inspection trust marks port Gi0/1 as trusted, typically used for uplinks. This is separate from DHCP snooping trust: the same uplink normally also needs ip dhcp snooping trust so that DHCP replies from the server can populate the binding table DAI checks against.

All other ports in VLAN 10 are untrusted by default, so ARP packets from those ports are inspected against the bindings and rate-limited at 15 pps.


Monitoring Dynamic ARP Inspection

After configuring DAI, it’s important to monitor it to ensure it’s working correctly. Cisco switches provide several show commands for this.

1. Show DAI Status

Switch# show ip arp inspection

Sample Output (simplified; the real command also lists which optional validation checks are enabled):

VLAN   ACL    Rate limit (pps)
10     N/A    15

Explanation:

  • VLAN: The VLAN where DAI is active.

  • ACL: The ARP ACL applied to the VLAN, if any (none here, so N/A).

  • Rate limit: The maximum number of ARP packets per second allowed from untrusted ports in the VLAN (15 by default).

Trust is a property of interfaces, not VLANs, so it doesn't appear here; use show ip arp inspection interfaces (below) to see which ports are trusted.


2. Show DHCP Snooping Bindings

DAI does not keep a binding table of its own; it reads the one DHCP snooping builds, so this is the table to check when a host's ARP is being dropped:

Switch# show ip dhcp snooping binding

Sample Output (simplified; the real output also shows the lease time remaining and whether the entry is dynamic or static):

IP Address      MAC Address       VLAN   Interface
192.168.1.10    00:1A:2B:3C:4D:5E 10   GigabitEthernet0/2
192.168.1.11    00:1A:2B:3C:4D:5F 10   GigabitEthernet0/3

Explanation:

  • IP Address / MAC Address: The pairs that DAI accepts as valid ARP senders.

  • VLAN / Interface: The VLAN and port on which the lease was seen.

A host that is missing here, for example one with a static IP address or one that obtained its lease before snooping was enabled, will have its ARP packets dropped on untrusted ports unless an ARP ACL covers it.


3. Show DAI Statistics

Switch# show ip arp inspection statistics

Sample Output (simplified):

Total Packets: 2000
Dropped Packets: 5

Explanation:

  • Total Packets: Number of ARP packets DAI inspected.

  • Dropped Packets: Number of ARP packets DAI blocked.

The real output is per VLAN and breaks the drops down by reason (no DHCP snooping binding, ARP ACL deny, source MAC, destination MAC or IP validation failure, malformed ARP), and that breakdown is what makes triage possible: a steady trickle of binding-mismatch drops from one port is usually a host with a static address that nobody wrote an ARP ACL for, while a burst of drops claiming the gateway's IP is an attack. Clear the counters once you finish testing so the baseline means something.


Show IP ARP Inspection Interfaces

To check which interfaces have DAI enabled and their settings, you can use:

Switch# show ip arp inspection interfaces

Sample Output (simplified):

Interface              Trusted   Rate limit (pps)
Gi0/1                  Yes       None
Gi0/2                  No        15
Gi0/3                  No        15

Explanation:

  • Interface: The switch port being monitored.

  • Trusted: Indicates whether the port is trusted (Yes) or untrusted (No). Trusted ports are typically uplinks or connections to other switches, and they bypass inspection entirely.

  • Rate limit (pps): The maximum number of ARP packets per second allowed on the port. Untrusted ports default to 15; trusted ports have no limit by default, shown as None.

Trust and the rate limit are per-interface settings and apply to every VLAN on the port. This is the command to check when a port unexpectedly went err-disabled or a host's ARP is being dropped: it tells you at a glance whether the port is trusted and what limit it's enforcing.
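Counters tell you that something was dropped; the syslog messages tell you where and what was claimed. The following is an added example, not from the original post, that triages DAI log lines: it groups denials by port, separates likely gateway spoofing from hosts that simply have no binding, and picks up the err-disable that follows a rate-limit hit. The log lines are constructed to follow the %SW_DAI and %PM message layout of Cisco IOS as I have seen it (sender MAC/sender IP/target MAC/target IP/timestamp inside the brackets); the exact wording is an assumption, so adjust the regular expressions to your platform's output before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample, laid out like IOS %SW_DAI / %PM messages (the format is an assumption).
SAMPLE_LOGS = """\
Mar  4 10:00:01.120: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/3, vlan 10.([dead.beef.0001/192.168.1.1/0000.0000.0000/192.168.1.10/10:00:01 UTC Mon Mar 4 2024])
Mar  4 10:00:01.380: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/3, vlan 10.([dead.beef.0001/192.168.1.1/0000.0000.0000/192.168.1.11/10:00:01 UTC Mon Mar 4 2024])
Mar  4 10:00:02.004: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/5, vlan 10.([001a.2b3c.4d77/192.168.1.50/0000.0000.0000/192.168.1.1/10:00:02 UTC Mon Mar 4 2024])
Mar  4 10:00:02.910: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/5, vlan 10.([001a.2b3c.4d77/192.168.1.50/0000.0000.0000/192.168.1.1/10:00:02 UTC Mon Mar 4 2024])
Mar  4 10:00:03.500: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 128 milliseconds on Gi0/4.
Mar  4 10:00:03.501: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi0/4, putting Gi0/4 in err-disable state
"""

DENY_RE = re.compile(
    r"%SW_DAI-4-(?P<kind>DHCP_SNOOPING_DENY|ACL_DENY|INVALID_ARP): (?P<n>\d+) Invalid ARPs "
    r"\((?P<op>Req|Res)\) on (?P<port>\S+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<sha>[^/]+)/(?P<spa>[^/]+)/(?P<tha>[^/]+)/(?P<tpa>[^/]+)/(?P<ts>[^\]]+)\]\)")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<port>\S+),")


def triage(log_text: str, protected_ips: set) -> dict:
    """Per-port summary of DAI denials plus a verdict: who claimed what, and was it a gateway."""
    ports = defaultdict(lambda: {"denied": 0, "claimed": defaultdict(set), "verdict": None})
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            p = ports[m["port"]]
            p["denied"] += int(m["n"])
            p["claimed"][m["spa"]].add(m["sha"])      # sender IP -> MACs that claimed it
            continue
        m = ERRDIS_RE.search(line)
        if m:
            ports[m["port"]]["verdict"] = "arp-flood-err-disabled"
    for port, p in ports.items():
        if p["verdict"]:
            continue
        if protected_ips & set(p["claimed"]):
            # Something on an access port is answering for the gateway: treat it as spoofing.
            p["verdict"] = "gateway-spoofing"
        elif len(p["claimed"]) == 1 and all(len(macs) == 1 for macs in p["claimed"].values()):
            # One consistent IP/MAC pair denied repeatedly is usually a host with a static
            # address and no binding, i.e. a missing ARP ACL entry rather than an attack.
            p["verdict"] = "no-binding-for-sender"
        else:
            p["verdict"] = "multiple-claims-investigate"
        p["claimed"] = {ip: sorted(macs) for ip, macs in p["claimed"].items()}
    return dict(ports)


if __name__ == "__main__":
    for port, finding in triage(SAMPLE_LOGS, {"192.168.1.1"}).items():
        print(port, finding["verdict"], finding["denied"], dict(finding["claimed"]))
```

The protected-IP set is the key input: DAI itself does not know which addresses matter, so feed the script your gateways, DHCP servers and anything else whose ARP an attacker would want to answer for. Wire the same logic into whatever collects your switch syslog and alert on the gateway-spoofing verdict immediately; the no-binding verdict can go to a ticket queue.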


DAI Rate Limiting and Gratuitous ARP Options

Rate Limiting

DAI limits the number of ARP packets an untrusted port can send per second; Cisco IOS defaults to 15 pps on untrusted ports and no limit on trusted ports. This protects the switch CPU, which does the inspection, from ARP floods, where an attacker sends many ARP packets to overwhelm it.

For example:

Switch(config)# interface Gi0/2
Switch(config-if)# ip arp inspection limit rate 10

This sets a limit of 10 ARP packets per second on the untrusted port Gi0/2. When a port exceeds its rate, IOS does not simply drop the excess: it puts the port into the err-disabled state, which also takes the legitimate host on that port offline. Plan for that before lowering the default: either configure errdisable recovery for the arp-inspection cause so the port comes back after the recovery interval, or be ready to shut and re-enable it by hand. The command also accepts a burst interval so that a short burst (a host booting and probing several addresses, say) is averaged over a few seconds instead of tripping the limit at once. If several hosts sit behind one untrusted port (a hub or unmanaged switch), size the limit for all of them.


Gratuitous ARP Handling

Gratuitous ARP is when a device announces its IP-to-MAC mapping without being asked. While normal for network updates, attackers can use it for spoofing, and it needs no request to arrive first.

DAI has no separate switch for gratuitous ARP: on untrusted ports it is inspected exactly like any other ARP packet, so an announcement whose sender IP and MAC don't match a DHCP snooping binding (or an ARP ACL entry) is dropped, while a host's legitimate announcement of its own leased address is forwarded. The optional checks described in the next section apply to gratuitous ARPs as well:

Switch(config)# ip arp inspection validate src-mac dst-mac

With src-mac enabled, a gratuitous ARP whose Ethernet source address differs from the sender MAC inside the ARP body is dropped even if the body happens to match a binding, which closes the obvious trick of copying a legitimate binding into a forged frame. Note the interaction with dst-mac: it compares the Ethernet destination of a reply with the ARP target MAC, and a gratuitous ARP sent as a broadcast reply carries the sender's own MAC as target, so such announcements fail the check. Test with the operating systems you actually run before turning dst-mac on.


DAI Optional Checks and ARP ACLs

Dynamic ARP Inspection includes optional checks that add extra security to your network. These checks can inspect ARP packets for additional details beyond just IP-to-MAC validation.

Optional Checks

  1. Source MAC Validation (src-mac): Compares the source MAC address in the Ethernet header with the sender hardware address inside the ARP body, for both requests and replies. Without this check DAI looks only at the ARP body, so an attacker can copy a legitimate IP/MAC pair into the body while the frame itself is sent from their own MAC.

  2. Destination MAC Validation (dst-mac): Compares the destination MAC address in the Ethernet header with the target hardware address in the ARP body, for replies only. This catches replies addressed to one host at the Ethernet layer but naming another as their target inside ARP.

  3. IP Validation (ip): Rejects ARP packets carrying invalid or unexpected IP addresses: 0.0.0.0, 255.255.255.255 and multicast addresses as the sender IP in any ARP packet, or as the target IP in a reply. Hosts doing duplicate-address detection send ARP probes with sender IP 0.0.0.0, which this check drops; add allow zeros after the ip keyword if those probes must be permitted.

All three are set with one global command, ip arp inspection validate, followed by the keywords you want (src-mac, dst-mac, ip, with ip optionally followed by allow zeros). Each validate command replaces the previous one rather than adding to it, so list every check in a single command and confirm the result with show ip arp inspection. None of these checks replaces the binding check; they catch frames whose ARP body is consistent with a binding but whose Ethernet headers or addresses give the forgery away.


ARP Access Control Lists (ACLs)

You can also use ARP ACLs to define which sender IP and MAC address pairs may ARP on a VLAN. They're the way to cover hosts that don't use DHCP (servers, printers, the gateway on a VLAN where it's reachable through an untrusted port), since such hosts never get a DHCP snooping binding and DAI would otherwise drop their ARP. This gives administrators finer control over ARP security.

For example, if 192.168.1.10 were configured with a static address instead of a lease:

Switch(config)# arp access-list DAI_ACL
Switch(config-arp-nacl)# permit ip host 192.168.1.10 mac host 001a.2b3c.4d5e
Switch(config-arp-nacl)# exit
Switch(config)# ip arp inspection filter DAI_ACL vlan 10

Explanation:

  • The entry permits ARP packets whose sender IP is 192.168.1.10 and whose sender MAC is 001a.2b3c.4d5e (IOS writes MAC addresses as three dotted groups of hex). A network and wildcard mask can replace host on the IP side, but tying a whole subnet to one MAC address is meaningless for inspection; write one entry per static host.

  • ip arp inspection filter is a global command that applies the ACL to a VLAN; it is not entered under an interface. ARP ACLs take precedence over DHCP snooping bindings: a packet matching a permit entry is forwarded, a packet matching a deny entry is dropped, and a packet matching no entry falls through to the DHCP snooping binding check, so DHCP clients on the VLAN keep working.

  • Adding the static keyword to the filter command makes the ACL's implicit deny final: packets that match no entry are dropped without consulting the DHCP bindings. Use it only on VLANs where every legitimate host is listed in the ACL.
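The optional checks and the ARP ACL ordering above, as an added example that is not part of the original post: a Python model of the decision DAI makes once a packet has passed the trust and rate checks. It implements the src-mac, dst-mac and ip validations with their documented scope (dst-mac on replies only, target IP checked in replies only, allow zeros for ARP probes), then the ACL-before-bindings precedence including the static keyword. The addresses, the ACL entry and the "probe permitted" shortcut are constructed for illustration; only host and any forms of ACL entries are modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Arp:
    op: int
    eth_src: str   # Ethernet header source
    eth_dst: str   # Ethernet header destination
    sha: str       # ARP body: sender MAC
    spa: str       # ARP body: sender IP
    tha: str       # ARP body: target MAC
    tpa: str       # ARP body: target IP


def _bad_ip(ip: str) -> bool:
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


def validate(pkt: Arp, checks, allow_zeros=False):
    """'ip arp inspection validate' semantics; returns the name of the failing check or None."""
    if "src-mac" in checks and pkt.eth_src.lower() != pkt.sha.lower():
        return "src-mac"           # requests and replies: frame source must equal ARP sender MAC
    if "dst-mac" in checks and pkt.op == ARP_REPLY and pkt.eth_dst.lower() != pkt.tha.lower():
        return "dst-mac"           # replies only: frame destination must equal ARP target MAC
    if "ip" in checks:
        if _bad_ip(pkt.spa) and not (allow_zeros and pkt.spa == "0.0.0.0"):
            return "ip"            # sender IP is checked in every ARP packet
        if pkt.op == ARP_REPLY and _bad_ip(pkt.tpa):
            return "ip"            # target IP is checked in replies
    return None


@dataclass(frozen=True)
class AclEntry:
    """One 'permit|deny ip {any|host A} mac {any|host M}' line (host and any forms only)."""
    action: str   # "permit" or "deny"
    ip: str       # "any" or a CIDR such as "192.168.1.20/32"
    mac: str      # "any" or an exact MAC

    def matches(self, pkt: Arp) -> bool:
        ip_ok = self.ip == "any" or ip_address(pkt.spa) in ip_network(self.ip)
        mac_ok = self.mac == "any" or self.mac.lower() == pkt.sha.lower()
        return ip_ok and mac_ok


def dai_decide(pkt: Arp, bindings: dict, acl=(), static=False, checks=(), allow_zeros=False) -> str:
    """Validate checks, then the ARP ACL (which takes precedence), then DHCP snooping bindings.
    Every failure is a drop, so the order only decides which statistics counter records it."""
    failed = validate(pkt, checks, allow_zeros)
    if failed:
        return f"drop:validate-{failed}"
    if pkt.spa == "0.0.0.0" and ("ip" not in checks or allow_zeros):
        return "forward:probe"     # modelled on the 'Probe Permits' counter in the statistics
    for entry in acl:
        if entry.matches(pkt):
            return "forward:acl" if entry.action == "permit" else "drop:acl-deny"
    if acl and static:
        return "drop:acl-implicit-deny"   # 'static': no fall-through to the DHCP bindings
    if bindings.get(pkt.spa) == pkt.sha:
        return "forward:dhcp-binding"
    return "drop:no-binding"


def scenario():
    """Constructed VLAN 10 traffic: a DHCP host, a static-IP server covered by ACL, an attacker."""
    bindings = {"192.168.1.10": "00:1a:2b:3c:4d:5e"}                      # from DHCP snooping
    acl = [AclEntry("permit", "192.168.1.20/32", "00:1a:2b:3c:4d:20")]   # static-IP server
    checks = ("src-mac", "dst-mac", "ip")
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    r = {}
    srv = Arp(ARP_REPLY, "00:1a:2b:3c:4d:20", "00:1a:2b:3c:4d:5e",
              "00:1a:2b:3c:4d:20", "192.168.1.20", "00:1a:2b:3c:4d:5e", "192.168.1.10")
    r["static_server"] = dai_decide(srv, bindings, acl, checks=checks)          # ACL permits
    host = Arp(ARP_REQUEST, "00:1a:2b:3c:4d:5e", bcast,
               "00:1a:2b:3c:4d:5e", "192.168.1.10", zero, "192.168.1.1")
    r["dhcp_host"] = dai_decide(host, bindings, acl, checks=checks)             # falls through
    r["dhcp_host_static"] = dai_decide(host, bindings, acl, static=True, checks=checks)
    # Attacker copies the server's IP/MAC into the ARP body, but the frame leaves its own NIC.
    crafted = Arp(ARP_REPLY, "de:ad:be:ef:00:01", "00:1a:2b:3c:4d:5e",
                  "00:1a:2b:3c:4d:20", "192.168.1.20", "00:1a:2b:3c:4d:5e", "192.168.1.10")
    r["crafted_with_src_mac_check"] = dai_decide(crafted, bindings, acl, checks=checks)
    r["crafted_without_checks"] = dai_decide(crafted, bindings, acl)           # the ACL is fooled
    # Duplicate-address-detection probe: sender IP 0.0.0.0.
    probe = Arp(ARP_REQUEST, "00:1a:2b:3c:4d:5e", bcast,
                "00:1a:2b:3c:4d:5e", "0.0.0.0", zero, "192.168.1.10")
    r["probe_ip_check"] = dai_decide(probe, bindings, acl, checks=checks)
    r["probe_allow_zeros"] = dai_decide(probe, bindings, acl, checks=checks, allow_zeros=True)
    return r


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:28} {verdict}")
```

The crafted packet is the case that justifies src-mac: the ARP body is a faithful copy of the server's ACL entry, so without the check the ACL permits it, and only the mismatch between the frame's source address and the ARP sender MAC exposes it. The two probe results show the trade-off of the ip check on a VLAN with hosts that probe before claiming an address.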


DAI Command Review

Here’s a quick reference for the main commands used in Dynamic ARP Inspection:

  • Enable DHCP Snooping (required for DAI; also trust the DHCP-server-facing port with ip dhcp snooping trust):
ip dhcp snooping
ip dhcp snooping vlan [vlan-id]
  • Enable DAI on a VLAN:
ip arp inspection vlan [vlan-id]
  • Set a port as trusted for ARP inspection:
interface [interface-id]
ip arp inspection trust
  • Configure the ARP rate limit on an untrusted port (default 15 pps; exceeding it err-disables the port):
interface [interface-id]
ip arp inspection limit rate [pps]
  • Optional: validate Ethernet/ARP source and destination MACs and IP addresses (one global command; list every check you want, as each command replaces the last):
ip arp inspection validate src-mac dst-mac ip
  • Check DAI status, statistics and the bindings it uses:
show ip arp inspection
show ip arp inspection interfaces
show ip arp inspection statistics
show ip dhcp snooping binding
  • Configure an ARP ACL for DAI (applied globally per VLAN, not under an interface; add static to make the implicit deny final):
arp access-list [acl-name]
permit ip host [sender-ip] mac host [sender-mac]
ip arp inspection filter [acl-name] vlan [vlan-id]

Wrap Up

Dynamic ARP Inspection is a powerful tool to protect your network from ARP spoofing and man-in-the-middle attacks. By inspecting ARP packets, validating them against the DHCP snooping bindings, and using trusted/untrusted ports, DAI ensures that a host on an untrusted port can only claim the address the switch has seen it lease, or the one you listed for it in an ARP ACL.

With proper configuration, optional checks, and ARP ACLs, you can secure your network against common ARP-based attacks. Monitoring commands help you verify that everything is working and identify any suspicious activity.

Implementing DAI is a practical step toward stronger network security, especially in environments where multiple devices connect and communicate regularly.
