Recall that ARP = Address Resolution Protocol.
It translates IP addresses to MAC addresses.
Two message types: ARP Request / ARP Reply
Gratuitous ARP - An ARP reply sent without receiving an ARP request.
Sent to the broadcast MAC address.
Allows other devices to learn the MAC address of the sending device without them having to send ARP requests.
Some devices automatically send GARP messages when an interface is enabled, the IP address changes, or the MAC address changes.
DAI (Dynamic ARP Inspection) is a security feature of switches that is used to filter ARP messages received on *untrusted* ports.
Only filters ARP messages. Non-ARP messages are not affected.
By default, all ports are *untrusted*.
Recommendation: All ports connected to other network devices (switches, routers) should be configured as *trusted*. Interfaces connected to end hosts should be *untrusted*.
DAI inspects the sender MAC and sender IP fields of ARP messages received on untrusted ports and checks that there is a matching entry in the DHCP snooping binding table.
SW1#show ip dhcp snooping binding
^ Displays a 1:1 mapping of MAC addresses to IP addresses and which VLAN and interface they belong to.
If there is a matching entry, the switch forwards the message normally.
If no matching entry, the ARP message is discarded.
ARP ACLs can be manually configured to map IP address/MAC addresses for DAI to check. This is needed for hosts that don't use DHCP.
DAI can be configured to perform more in-depth checks. It also supports rate-limiting.
SW2(config)#ip arp inspection vlan 1
^ Enables DAI on VLAN 1.
There is no single global command that enables it everywhere.
You'll need to enable it on each VLAN used.
SW2(config)#ip arp inspection vlan 1
SW2(config)#int range g0/0 - 1
SW2(config-if-range)#ip arp inspection trust
^ Set of commands turns on DAI for VLAN 1 and then sets the range of interfaces specified as trusted.
SW1#show ip arp inspection interfaces
^ Displays all interfaces and whether they are trusted or untrusted. Also shows allowed rate (packets per second) and allowed burst interval (X packets per Y seconds).
If ARP messages are received faster than permitted, the default action is to shut down the interface by placing it in the err-disabled state.
To re-enable:
- shut/no shut
- errdisable recovery cause arp-inspection
Optional checks:
SW1(config)#ip arp inspection validate <type>
Where <type> can be:
dst-mac = Validate destination MAC address
ip = Validate IP address
src-mac = Validate source MAC address
If you want all three, you must specify all three on the same command line:
SW1(config)#ip arp inspection validate dst-mac ip src-mac
^ Configures all three deeper inspection types.
Non-DHCP clients have no entry in the DHCP snooping binding table, so you'll need to add them with an ARP ACL:
SW2(config)#arp access-list ARP-ACL-1
^ Create an ACL
SW2(config-arp-nacl)#permit ip host 192.168.1.100 mac host 0c29.2f1e.7700
^ Define an entry in the ACL
SW2(config)#ip arp inspection filter ARP-ACL-1 vlan 1
^ Applies the ACL to VLAN 1
You'll need to do this on each VLAN as appropriate.
SW2#show ip arp inspection
^ Displays info and statistics about DAI state, configuration, and counters.
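To make the decision path above concrete (trusted port → skip; validate checks → binding table or ARP ACL), here is a small Python model of what DAI does with one ARP message. This is an added example, not code from the course or from Cisco IOS; the switch state (trusted ports, one binding, one ARP ACL entry on VLAN 1) and the ARP frames are constructed, and the ACL-before-bindings order models the default (non-`static`) filter behaviour.

```python
import ipaddress
from dataclasses import dataclass

BROADCAST = "ffff.ffff.ffff"

@dataclass
class ArpFrame:
    port: str          # ingress interface
    vlan: int
    eth_src: str       # source MAC in the Ethernet header
    eth_dst: str       # destination MAC in the Ethernet header
    sender_mac: str    # sender hardware address in the ARP body
    sender_ip: str     # sender protocol address in the ARP body
    target_mac: str
    target_ip: str
    is_reply: bool     # False = ARP request, True = ARP reply

# Constructed switch state (hypothetical): two trusted uplinks, one
# DHCP-learned binding, one static host permitted via an ARP ACL on VLAN 1.
TRUSTED = {"Gi0/0", "Gi0/1"}
BINDINGS = {("0c29.2f1e.7701", "192.168.1.10", 1)}     # (mac, ip, vlan)
ARP_ACL = {1: {("192.168.1.100", "0c29.2f1e.7700")}}   # vlan -> {(ip, mac)}
VALIDATE = {"dst-mac", "ip", "src-mac"}                # validate options on

def invalid_ip(ip: str) -> bool:
    """The 'ip' check: 0.0.0.0, 255.255.255.255 and multicast are invalid."""
    addr = ipaddress.IPv4Address(ip)
    return (addr.is_unspecified or addr.is_multicast
            or addr == ipaddress.IPv4Address("255.255.255.255"))

def dai_check(frame: ArpFrame) -> str:
    """Return 'forward' or 'drop: <reason>' for one ARP message."""
    if frame.port in TRUSTED:
        return "forward"                  # trusted ports are not inspected
    # Optional deeper checks (ip arp inspection validate ...)
    if "src-mac" in VALIDATE and frame.eth_src != frame.sender_mac:
        return "drop: src-mac mismatch"
    if "dst-mac" in VALIDATE and frame.is_reply and frame.eth_dst != frame.target_mac:
        return "drop: dst-mac mismatch"   # only checked on ARP replies
    if "ip" in VALIDATE:
        checked = [frame.sender_ip] + ([frame.target_ip] if frame.is_reply else [])
        if any(invalid_ip(ip) for ip in checked):
            return "drop: invalid ip"
    # Core check: sender IP/MAC must match the ARP ACL or a snooping binding
    if (frame.sender_ip, frame.sender_mac) in ARP_ACL.get(frame.vlan, set()):
        return "forward"
    if (frame.sender_mac, frame.sender_ip, frame.vlan) in BINDINGS:
        return "forward"
    return "drop: no binding"

if __name__ == "__main__":
    garp = ArpFrame("Gi0/2", 1, "0c29.2f1e.7701", BROADCAST, "0c29.2f1e.7701",
                    "192.168.1.10", "0000.0000.0000", "192.168.1.10", False)
    print(dai_check(garp))    # forward
```

A message whose sender IP is not bound to its sender MAC on that VLAN is the case the "drop: no binding" branch catches; the err-disable on rate-limit violation is a separate per-interface counter not modelled here.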
[These are my notes from Jeremy's excellent CCNA course which can be viewed here.]