DAI (Dynamic ARP Inspection)

Hello Florian

Remember that these two options are applied to ARP responses.
This means that the destination MAC address, that is the MAC address that the ARP reply is ACTUALLY being sent to is compared to the target MAC address in the ARP body which is the MAC address of the REAL ORIGINATOR of the ARP request. If these two are different, this means the ARP reply has been tampered with. This would be the case if an attacker took advantage of an ARP request that was made and replied to a different host to poison the ARP table of that host. This would be useful to an attacker on a network where Gratuitous ARP is not allowed.

I hope this has been helpful!

Laz

Hi Laz,

Thanks for your reply. Could you explain this a bit further to me? I don't get what the benefit could be if the Dest_MAC in the Ethernet header were different from the Target_MAC in the ARP body. If this were the case, the frame would be switched to the host with the respective MAC from the Ethernet header, but then the host would check the MAC in the ARP body, realize it's not his, and drop the frame, no?
Also, how is it possible to deny gratuitous ARPs, as I thought those are a vital part of every interface, for example?

Thanks for your help!
Flo

Hello Florian

My apologies for not responding sooner!

Keep in mind that the Sender hardware address and the target hardware addresses found within the ARP packet are not the source and destination MAC addresses found in the Ethernet header. Now you are correct when you say that:

DAI will cause such frames to drop so that they don’t actually reach the host. These are illegitimate packets and most likely come from a malicious source, so they should not be sent to the host. The host will not have to waste time and resources processing them.

As for this question, my apologies. I had the no ip gratuitous-arp command in mind but this just disables the sending of gratuitous ARP packets by the device itself and not the blocking of such packets from hosts.

I hope this has been helpful!

Laz

1 Like

“DAI checks the DHCP snooping database for all packets that arrive on untrusted interfaces, when it doesn’t find a match…the ARP packet is dropped.”

According to my understanding of the topic; If you configured the rogue dhcp_router interface as arp trusted interface, DAI will not check this as it only checks arp packets on untrusted interfaces.

Hello Waleed

Both your statement and the quoted statement are correct. DAI does indeed check the DHCP snooping database for all packets that arrive on untrusted interfaces. If the info in the ARP packet is not in the database, the ARP packet is dropped.

It is also true that if you connect a rogue dhcp router on a trusted interface, no check will be made against the DHCP snooping database.

Trusted: no check. Untrusted: check, and if the check does not pass, drop.

I hope this has been helpful!

Laz

1 Like

Dear Rene’
I need your help please: following the Packet Tracer lab of DAI at this link: https://networklessons.com/switching/dai-dynamic-arp-inspection , there is an important line: SW1(config)#ip arp inspection vlan 123
However, it is not working at all: I use version 7.2 of Packet Tracer (the latest), but the CLI shows an error below the word arp.
I wonder why. Please try to figure this out.
Thanks
Oren

Hello Oren

Cisco Packet Tracer is what is known as a simulator. This means that it is configured to respond to commands in a similar manner to how a real Cisco IOS device would. Someone has programmed it to “act” like the IOS of a real device. Because of this, not all possible configuration options are available on packet tracer. There are many things that don’t work on it, and ARP inspection is one of them.

I went into my packet tracer and typed the command ip ? to see what available options exist. Here is what I get:

Switch(config)#ip ?
  access-list       Named access-list
  cef               Cisco Express Forwarding
  default-gateway   Specify default gateway (if not routing IP)
  default-network   Flags networks as candidates for default routes
  dhcp              Configure DHCP server and relay parameters
  domain            IP DNS Resolver
  domain-lookup     Enable IP Domain Name System hostname translation
  domain-name       Define the default domain name
  flow-export       Specify host/port to send flow statistics
  forward-protocol  Controls forwarding of physical and directed IP broadcasts
  ftp               FTP configuration commands
  host              Add an entry to the ip hostname table
  inspect           Context-based Access Control Engine
  ips               Intrusion Prevention System
  local             Specify local options
  name-server       Specify address of name server to use
  nat               NAT configuration commands
  route             Establish static routes
  routing           Enable IP routing
  ssh               Configure ssh options
  tcp               Global TCP parameters
Switch(config)#ip 

Notice that the “arp” keyword is not available. This is why the error is indicated under the word arp.

In order to test this, you will require the use of an emulator such as GNS3 and not a simulator like Packet Tracer. The emulator will allow you to run a REAL Cisco IOS file on your computer, providing you with all of the available commands of that IOS.

I hope this has been helpful!

Laz

Dear Laz
I'd tried to use GNS3, but it is very heavy software, which needs a virtual machine, which is heavy too. After installing both, the photos of all devices need a licence. The main problem is that a switch can't open a CLI without a virtual machine.
I'd spent more than two days in order to figure all of this out, and I conclude that the effort is not worth it at all.
Sorry, but I won't spend time and effort on something that is not working well.
Oren

Hello Oren

It is true that GNS3 does have some hefty requirements, but even so, it can be useful even on systems with fewer resources. The following has an excellent “getting started” documentation for GNS3 that may be of help.

Other than GNS3, the only other way to get labs done is using VIRL or using real equipment.

I hope this has been helpful!

Laz

Hello team,

I’ve noticed the tiniest typo in the text below. I think it means “like”.

1 Like

Hi Boris

Yes, you are correct, thanks for catching that! I’ll let @ReneMolenaar know.

Laz

Thank you @bvesel. Just fixed this!

Rene

There is nothing about ip source guard?

Hello Mauricio

IP Source Guard is a different feature to that of DAI. You can find out information about IPSG at the following lesson:

I hope this has been helpful!

Laz

Hi,

I’ve an issue on my home network with DAI configuration.

I’ve configured dhcp snooping with DAI features on all vlans.

In vlan 20 there is an AP that works with dhcp relay for the dhcp server.

At first, I can see the MAC address of my notebook (xxxx.yyyy.zzzz) in the dhcp snooping bindings, but after a while the port goes into err-disabled for the “arp-inspection” reason.

Log Buffer (4096 bytes):

Mar 17 16:40:14.372: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:13 CET Tue Mar 17 2020])
Mar 17 16:40:15.374: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:14 CET Tue Mar 17 2020])
Mar 17 16:40:16.375: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:15 CET Tue Mar 17 2020])
Mar 17 16:40:17.376: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/169.254.7.64/0000.0000.0000/169.254.7.64/17:40:16 CET Tue Mar 17 2020])
Mar 17 20:19:21.303: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 152 milliseconds on Gi0/5.
Mar 17 20:19:21.303: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi0/5, putting Gi0/5 in err-disable state
Mar 17 20:19:22.315: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to down
Mar 17 20:19:23.316: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to down

(I don't know what 169.254.7.64 is :S), but I think that the issue happens when the entry in the dhcp snooping bindings expires and the wifi card tries to obtain the same address from the dhcp server.

SW1#show ip dhcp snooping binding 
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
SOME:MAC:ADDRES:SS   192.168.20.20    57456       dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.99.54    7075        dhcp-snooping   99    GigabitEthernet0/4
SOME:MAC:ADDRES:SS   192.168.20.56    6971        dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.10.52    4614        dhcp-snooping   10    GigabitEthernet0/8
SOME:MAC:ADDRES:SS   192.168.20.54    5329        dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.20.51    4309        dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.20.53    6176        dhcp-snooping   20    GigabitEthernet0/5
SOME:MAC:ADDRES:SS   192.168.30.10    3631        dhcp-snooping   30    GigabitEthernet0/6
Total number of bindings: 8

SW1#

SW1#show interfaces status err-disabled 

Port      Name               Status       Reason               Err-disabled Vlans
Gi0/5     20_WLAN_AP         err-disabled arp-inspection
SW1#

SW1#show ip arp inspection vlan 20

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   20     Disabled         Inactive    DAIVALIDATE_HOST   No 

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
   20     Deny             Deny              Off          


SW1#
    ip arp inspection vlan 10,20,30,99
    ip arp inspection validate ip 
    !         
    !         
    ip dhcp snooping vlan 10,20,30,99
    no ip dhcp snooping information option
    ip dhcp snooping

Can you help me understand what causes the err-disabled state?

Hello Giovanni

It looks like the notebook is trying to obtain an IP address via DHCP, but it is unable to. The 169.254.7.64 address is a link local address that is given to a device that is configured to use DHCP, but cannot find a DHCP server. Microsoft uses this method for link local IPv4 address allocation. They call it Automatic Private IP Addressing (APIPA), and you can find out more about it here.

Having said that, it seems that the notebook is sending many DHCP requests. Based on the syslogs, it is this error that is causing the arp inspection error:

%SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 152 milliseconds on Gi0/5.

I believe that there is some problem with the DHCP configuration, the notebook is unable to reach the DHCP server, and is given a link local address. This address is then used for the ARP requests to reach the DHCP server, which in turn exceed the packet rate.

I suggest you do the following to troubleshoot the issue:

  1. Examine whether your DHCP and DHCP relay configurations are correct.
  2. Try to increase the packet rate limit on the interface, as it may be too low. Use this command reference to help.
  3. You may also need to add the following command on the device configured as a DHCP relay: ip dhcp relay information trust-all. More information on this here.

I also suggest you try to make the topology work without using snooping to see if it is your DHCP configuration alone that is causing the problem, or the introduction of the snooping feature.

I hope this helps you in your troubleshooting procedure… Let us know how it goes.

I hope this has been helpful!

Laz

2 Likes
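As an added example (not part of the thread), a Python parser over the syslog lines Giovanni posted: it aggregates the DAI drops per interface, VLAN and reason, converts the PACKET_RATE_EXCEEDED message into packets per second, and records the err-disable event, so the cause Laz points to can be read straight off the log. The 15 pps figure is Cisco's documented default DAI rate limit for untrusted ports; everything else comes from the log itself.

```python
import re
from collections import defaultdict

# Log lines taken from the post above (the poster had already masked the MAC address).
SAMPLE_LOG = """\
Mar 17 16:40:14.372: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:13 CET Tue Mar 17 2020])
Mar 17 16:40:15.374: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:14 CET Tue Mar 17 2020])
Mar 17 16:40:16.375: %SW_DAI-4-INVALID_ARP: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/0.0.0.0/0000.0000.0000/169.254.7.64/17:40:15 CET Tue Mar 17 2020])
Mar 17 16:40:17.376: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Gi0/5, vlan 20.([xxxx.yyyy.zzzz/169.254.7.64/0000.0000.0000/169.254.7.64/17:40:16 CET Tue Mar 17 2020])
Mar 17 20:19:21.303: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 152 milliseconds on Gi0/5.
Mar 17 20:19:21.303: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi0/5, putting Gi0/5 in err-disable state
"""

# The bracketed field order in a DAI drop message is SHA/SPA/THA/TPA/timestamp.
DROP_RE = re.compile(
    r"%SW_DAI-4-(?P<reason>\w+): (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) on "
    r"(?P<intf>\S+), vlan (?P<vlan>\d+)\.\(\[(?P<sha>[^/]+)/(?P<spa>[^/]+)/(?P<tha>[^/]+)/(?P<tpa>[^/]+)/")
RATE_RE = re.compile(r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<pkts>\d+) packets received in "
                     r"(?P<ms>\d+) milliseconds on (?P<intf>\S+)\.")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<intf>\S+),")

DEFAULT_DAI_RATE_PPS = 15  # Cisco's default DAI limit on untrusted ports


def summarize_dai_log(text: str) -> dict:
    """Aggregate DAI drops, rate-limit hits and err-disable events per interface."""
    drops = defaultdict(int)     # (interface, vlan, reason) -> number of ARPs dropped
    senders = defaultdict(set)   # interface -> (SHA, SPA) pairs seen in dropped ARPs
    rate_pps = {}                # interface -> observed ARP rate when the limit tripped
    err_disabled = {}            # interface -> err-disable cause
    for line in text.splitlines():
        if m := DROP_RE.search(line):
            drops[(m["intf"], int(m["vlan"]), m["reason"])] += int(m["count"])
            senders[m["intf"]].add((m["sha"], m["spa"]))
        elif m := RATE_RE.search(line):
            rate_pps[m["intf"]] = round(int(m["pkts"]) * 1000 / int(m["ms"]))
        elif m := ERRDIS_RE.search(line):
            err_disabled[m["intf"]] = m["cause"]
    return {"drops": dict(drops), "senders": {k: sorted(v) for k, v in senders.items()},
            "rate_pps": rate_pps, "err_disabled": err_disabled}


def over_limit(summary: dict, limit_pps: int = DEFAULT_DAI_RATE_PPS) -> list:
    """Interfaces whose observed ARP rate exceeded the given DAI rate limit."""
    return sorted(i for i, pps in summary["rate_pps"].items() if pps > limit_pps)
```

On the posted log this reports roughly 105 ARPs per second on Gi0/5 against a 15 pps default, which is what tripped the err-disable; the dropped requests all carry the 0.0.0.0 or 169.254.7.64 sender address that Laz discusses.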

Hi Laz ,
Hope you are doing well. I have a query: why are the switch interfaces required to be configured in VLAN 123, as all interfaces of the switch are placed in the default VLAN 1? What was the reason behind this?

SW1(config)#interface range fa0/1 - 3
SW1(config-if-range)#switchport mode access
SW1(config-if-range)#switchport access vlan 123
SW1(config-if-range)#spanning-tree portfast

Regards
Chaudhary Shivam Chahal

Hello Shivam

All three interfaces simply have to be in the same VLAN. Yes, they could have been in the default VLAN 1, but Rene chose to use 123. It doesn’t make a difference, but it just stresses the necessity of having all the ports in the same VLAN.

Having said that, in any network, it’s always best practice to avoid using VLAN 1 for your networks.

I hope this has been helpful!

Laz

Hi Team,

I did not understand the arp validate points made with dst-src mac and ip. Can you explain this with an example?

Hello Justin

For the DAI options described in the following command:

SW1(config)#ip arp inspection validate ?
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address

The dst-mac option compares the target MAC address field within the ARP payload, with the destination MAC address of the ARP packet itself. These two values should be the same. The target MAC address field, more appropriately known as the Target Hardware Address (THA) field, contains the MAC address of the host that originated the ARP request. This should be the same MAC address as the destination of the ARP reply. A reply should always be sent to the device that originated the request. If this is not the case, then the ARP reply was originally requested by another host, potentially a malicious one.

The ip option is used to determine if the Sender Protocol Address (SPA) field in the ARP payload contains any unusual IP addresses such as 0.0.0.0, or a multicast address. The SPA field contains the IP address of the originator of the ARP request. If this address is unrecognized, then it is likely that the ARP reply is sent from a malicious host, so such ARP packets are dropped. This check is applied to both requests and replies.

I hope this has been helpful!

Laz
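As an added example (not code from the lesson or from anyone in the thread), the three validate checks Laz describes, implemented in Python over constructed Ethernet/ARP frames: the dst-mac comparison of the Ethernet destination against the Target Hardware Address (the tampered-reply case from the first post), the ip check, and src-mac for completeness. It goes slightly beyond the post by following the documented Cisco behaviour of checking the sender IP on every ARP packet and the target IP only on replies; all MACs and addresses are constructed, and the probe request mirrors the 0.0.0.0 sender seen in the syslog posted earlier.

```python
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP_REQUEST, ARP_REPLY = 1, 2
INVALID_IPS = {ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")}

def parse_arp(frame: bytes) -> dict:
    """Split an Ethernet II frame carrying ARP into header fields and ARP body fields."""
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    _, _, _, _, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper, "sha": sha, "tha": tha,
            "spa": ipaddress.IPv4Address(spa), "tpa": ipaddress.IPv4Address(tpa)}

def bad_ip(addr: ipaddress.IPv4Address) -> bool:
    return addr in INVALID_IPS or addr.is_multicast

def dai_validate(frame: bytes, checks=("src-mac", "dst-mac", "ip")) -> list:
    """Return the names of the enabled validate checks this frame fails (empty = permitted)."""
    p = parse_arp(frame)
    failed = []
    # src-mac: Ethernet source must equal the Sender Hardware Address (requests and replies)
    if "src-mac" in checks and p["eth_src"] != p["sha"]:
        failed.append("src-mac")
    # dst-mac: Ethernet destination must equal the Target Hardware Address (replies only)
    if "dst-mac" in checks and p["oper"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        failed.append("dst-mac")
    # ip: sender IP checked on every ARP packet; target IP checked on replies only
    if "ip" in checks and (bad_ip(p["spa"]) or (p["oper"] == ARP_REPLY and bad_ip(p["tpa"]))):
        failed.append("ip")
    return failed

def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Assemble a constructed Ethernet+ARP frame (test input only)."""
    return ETH_HDR.pack(eth_dst, eth_src, 0x0806) + ARP_HDR.pack(
        1, 0x0800, 6, 4, oper, sha, ipaddress.IPv4Address(spa).packed, tha, ipaddress.IPv4Address(tpa).packed)

# Constructed MACs: A asked "who has 192.168.20.1", B is the real gateway, C is an attacker, D a bystander.
MAC_A, MAC_B, MAC_C, MAC_D = (bytes.fromhex(h * 6) for h in ("0a", "0b", "0c", "0d"))
ZERO_MAC, BCAST_MAC = bytes(6), b"\xff" * 6
LEGIT_REPLY = build_arp(MAC_A, MAC_B, ARP_REPLY, MAC_B, "192.168.20.1", MAC_A, "192.168.20.20")
# The tampered reply from the first post: A's THA is kept, but the frame is delivered to D instead.
POISONED_REPLY = build_arp(MAC_D, MAC_C, ARP_REPLY, MAC_C, "192.168.20.1", MAC_A, "192.168.20.20")
# An address-probe request with sender IP 0.0.0.0, like the ones in the syslog posted earlier.
PROBE_REQUEST = build_arp(BCAST_MAC, MAC_A, ARP_REQUEST, MAC_A, "0.0.0.0", ZERO_MAC, "169.254.7.64")
```

Note that the probe request passes when only dst-mac is enabled, since dst-mac never looks at requests; it is the ip check that drops it, which matches the INVALID_ARP drops with IP Address Validation enabled in the earlier post.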