DAI

Dynamic Arp Inspection/DHCP Snooping

Joseph JenkinsLeave a comment

In trying to remove Man in the Middle attacks for my network I started looking at Dynamic Arp Inspection(DAI) and DHCP Snooping.  I brought them home to my lab and started to play.  Here is what I read up on to figure out what to do and how to implement:

Research:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_58_se/configuration/guide/swdynarp.html#wp1039773
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html
http://packetlife.net/blog/2010/aug/18/dhcp-snooping-and-dynamic-arp-inspection/

How to configure:

First turn on DHCP SNOOPING on the switch or switches:

“ip dhcp snooping”
“ip dhcp snooping vlan (vlan to monitor)”

Let it run for a while and populate the dhcp snooping binding database.  This database is extremely important as only the bindings in here will be allowed to arp on the network.

To view the database you can use the following:

“show ip dhcp snooping binding”

Uplink ports and ports that will have dhcp servers will need to have the following put onto the interfaces or you won’t be able to get addresses:

“ip dhcp snooping trust”

Before you turn on Dynamic Arp Inspection you need to track down any dumb switches(switches that don’t support DAI) or hosts with a static IP address.

I recommend removing any dumb switches from the network as they just create security holes and will cause you nothing but problems.

Here is one solution, but I think it is better to get rid of them and easier to deal with:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/dynarp.html#wp1077449

As for the static hosts you can do “ip arp inspection trust”, however I think a better method is to create a static ip address to arp address binding with the following:

“ip source binding (mac add) vlan (vlan to monitor) (ip address) interface (interface of host)”

This way someone can’t just remove the static host and take over their ip address.  Another option would be to change all hosts at the Distribution/Access layer to DHCP and put static bindings into the DHCP server for them to ensure their ip addresses don’t change.

To turn on Dynamic Arp Inspection

Identify your uplink ports and use the following command on them:

“ip arp inspection trust”

 When ready to turn on DAI then run:

“ip arp inspection vlan (vlan to monitor)”

By default all ports are untrusted and should have 1 host to 1 network port.

If you have more than one host to a port with a dumb switch you need to use “ip arp inspection trust”, or else the switch will drop all of the hosts on that port.