Mitigate ARP Attacks
Summary
This topic explains how to configure Dynamic ARP Inspection (DAI) to mitigate ARP attacks.
Dynamic ARP Inspection
In a typical ARP attack, a threat actor sends unsolicited ARP replies to other hosts on the subnet that pair the threat actor's MAC address with the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.
Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:
- Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
- Intercepting all ARP Requests and Replies on untrusted ports.
- Verifying each intercepted packet for a valid IP-to-MAC binding.
- Dropping and logging ARP Replies coming from invalid sources to prevent ARP poisoning.
- Error-disabling the interface if the configured DAI rate limit of ARP packets is exceeded.
DAI Implementation Guidelines
To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:
- Enable DHCP snooping globally.
- Enable DHCP snooping on selected VLANs.
- Enable DAI on selected VLANs.
- Configure trusted interfaces for DHCP snooping and ARP inspection.
It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.
The sample topology in the figure identifies trusted and untrusted ports.
DAI Configuration Example
In the previous topology, S1 connects two users on VLAN 10. DAI will be configured to mitigate ARP spoofing and ARP poisoning attacks.
As shown in the example, DHCP snooping is enabled first because DAI requires the DHCP snooping binding table to operate. Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN 10. The uplink port to the router is trusted and is therefore configured as trusted for both DHCP snooping and ARP inspection.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
DAI can also be configured to validate the destination MAC, source MAC, and IP addresses carried in ARP packets:
- Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
- Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
- IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
The ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command configures DAI to drop ARP packets whose IP addresses are invalid, or whose MAC addresses in the ARP body do not match the addresses in the Ethernet header. Notice in the following example that only one validate command can be active at a time: entering a new ip arp inspection validate command overwrites the previous one. To include more than one validation method, enter all of them on the same command line, as shown and verified in the following output.
S1(config)# ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address
S1(config)# ip arp inspection validate src-mac
S1(config)# ip arp inspection validate dst-mac
S1(config)# ip arp inspection validate ip
S1(config)# do show run | include validate
ip arp inspection validate ip
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# do show run | include validate
ip arp inspection validate src-mac dst-mac ip
S1(config)#
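To make the DAI decision path concrete, the following Python model (an added example, not Cisco code and not part of the original course material) walks an ARP frame through the checks described in the two sections above: trusted ports and non-inspected VLANs bypass inspection, the per-port ARP rate limit error-disables the interface when exceeded, the optional src-mac, dst-mac and ip validations run, and finally the sender IP/MAC pair is matched against the DHCP snooping binding table. The port names, VLAN, MAC and IP addresses, bindings and the 15 packets-per-second limit used as the default are all constructed sample values; real DAI runs in switch hardware, and this simplified model ignores features such as ARP ACLs and per-VLAN logging options.

```python
"""Simplified model of the Dynamic ARP Inspection (DAI) decision path.

Added example, not Cisco code: models what a DAI-enabled switch does with an
ARP packet on an untrusted port, using a DHCP snooping binding table and the
optional src-mac / dst-mac / ip validations. All addresses are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpFrame:
    ingress_port: str
    vlan: int
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    opcode: int      # ARP_REQUEST or ARP_REPLY
    sender_mac: str  # ARP body fields
    sender_ip: str
    target_mac: str
    target_ip: str


def ip_is_invalid_for_arp(ip: str) -> bool:
    """The 'ip' validation: 0.0.0.0, 255.255.255.255 and multicast never belong in ARP."""
    addr = IPv4Address(ip)
    return addr in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or addr.is_multicast


@dataclass
class DaiSwitch:
    trusted_ports: set
    inspected_vlans: set
    bindings: dict                                # (vlan, ip) -> mac, learned by DHCP snooping
    validate: set = field(default_factory=set)    # subset of {"src-mac", "dst-mac", "ip"}
    rate_limit_pps: int = 15                      # assumed per-port ARP rate limit (packets/second)
    err_disabled: set = field(default_factory=set)
    log: list = field(default_factory=list)
    _pps: Counter = field(default_factory=Counter)

    def inspect(self, f: ArpFrame, second: int) -> str:
        """Return 'forward' or 'drop' for one ARP frame seen at time `second`."""
        if f.ingress_port in self.err_disabled:
            return "drop"
        # DAI acts only on inspected VLANs and only on untrusted ports.
        if f.vlan not in self.inspected_vlans or f.ingress_port in self.trusted_ports:
            return "forward"
        # Per-port rate limit: exceeding it error-disables the interface.
        self._pps[(f.ingress_port, second)] += 1
        if self._pps[(f.ingress_port, second)] > self.rate_limit_pps:
            self.err_disabled.add(f.ingress_port)
            self.log.append(f"{f.ingress_port}: ARP rate limit exceeded, port err-disabled")
            return "drop"
        reasons = []
        if "src-mac" in self.validate and f.eth_src.lower() != f.sender_mac.lower():
            reasons.append("src-mac mismatch")
        # dst-mac applies to replies: the ARP target MAC must match the frame's destination MAC.
        if "dst-mac" in self.validate and f.opcode == ARP_REPLY and f.eth_dst.lower() != f.target_mac.lower():
            reasons.append("dst-mac mismatch")
        if "ip" in self.validate:
            checked = [f.sender_ip] + ([f.target_ip] if f.opcode == ARP_REPLY else [])
            reasons += [f"invalid ip {ip}" for ip in checked if ip_is_invalid_for_arp(ip)]
        # Core DAI check: the sender IP/MAC pair must match a DHCP snooping binding on this VLAN.
        if self.bindings.get((f.vlan, f.sender_ip), "").lower() != f.sender_mac.lower():
            reasons.append(f"no binding for {f.sender_ip} -> {f.sender_mac}")
        if reasons:
            self.log.append(f"{f.ingress_port} vlan {f.vlan}: dropped ARP ({'; '.join(reasons)})")
            return "drop"
        return "forward"


def demo():
    """Constructed scenario: PC-A on Fa0/1, PC-B on Fa0/2, gateway on trusted uplink Fa0/24."""
    gw_mac, pca_mac, pcb_mac = "00:00:0c:aa:aa:aa", "00:11:22:33:44:55", "00:11:22:33:44:66"
    sw = DaiSwitch(trusted_ports={"Fa0/24"}, inspected_vlans={10},
                   bindings={(10, "10.0.10.11"): pca_mac, (10, "10.0.10.12"): pcb_mac},
                   validate={"src-mac", "dst-mac", "ip"})
    # PC-A asks for the gateway: sender IP/MAC match its DHCP binding.
    legit = ArpFrame("Fa0/1", 10, pca_mac, "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                     pca_mac, "10.0.10.11", "00:00:00:00:00:00", "10.0.10.1")
    # Unsolicited reply from PC-B's port claiming the gateway IP: no such binding, dropped.
    spoof = ArpFrame("Fa0/2", 10, pcb_mac, pca_mac, ARP_REPLY,
                     pcb_mac, "10.0.10.1", pca_mac, "10.0.10.11")
    # Ethernet source differs from the ARP sender MAC: caught by the src-mac validation.
    mismatch = ArpFrame("Fa0/2", 10, pcb_mac, "ff:ff:ff:ff:ff:ff", ARP_REQUEST,
                        pca_mac, "10.0.10.11", "00:00:00:00:00:00", "10.0.10.1")
    # The real gateway's reply arrives on the trusted uplink and is not inspected.
    from_uplink = ArpFrame("Fa0/24", 10, gw_mac, pca_mac, ARP_REPLY,
                           gw_mac, "10.0.10.1", pca_mac, "10.0.10.11")
    results = {"legit": sw.inspect(legit, 0), "spoof": sw.inspect(spoof, 0),
               "mismatch": sw.inspect(mismatch, 0), "from_uplink": sw.inspect(from_uplink, 0)}
    return results, sw.log


if __name__ == "__main__":
    res, log = demo()
    print(res)
    print("\n".join(log))
```

Running the module prints the verdict for each constructed frame and the two log entries a switch would generate for the dropped packets; the same entries are what an operator would look for in the switch log when tuning DAI on a new VLAN.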
Syntax Checker – Mitigate ARP Attacks
Implement DAI for a switch based on the following topology and specified requirements.
You are currently logged into S1. Enable DHCP snooping globally for the switch.
S1(config)#ip dhcp snooping
Enter interface configuration mode for g0/1 – 2, trust the interfaces for both DHCP snooping and DAI, and then return to global configuration mode.
S1(config)#interface range g0/1 - 2
S1(config-if-range)#ip dhcp snooping trust
S1(config-if-range)#ip arp inspection trust
S1(config-if-range)#exit
Enable DHCP snooping and DAI for VLANs 10,20,30-49.
S1(config)#ip dhcp snooping vlan 10,20,30-49
S1(config)#ip arp inspection vlan 10,20,30-49
S1(config)#
You have successfully configured DAI for the switch.