What is DAI (Dynamic ARP Inspection)? | How to configure Dynamic ARP Inspection DAI? | Cyber-attack prevention | ARP Poisoning prevention.

Edgar C Francis
10 min readNov 24, 2023

--

Dynamic ARP Inspection

ARP (Address Resolution Protocol) it’s a communication protocol. Networking devices are used for discovering MAC (media access control) addresses, associating with an IPv4 address (internet layer address), and mapping the MAC addresses to IPv4 addresses, this mapping is done dynamically and stored in the ARP cache. ARP works between layer 2 and layer 3 of the OSI because the MAC address exists on the data link layer and the IP address exists on the network layer. In other words, Address Resolution Protocol (ARP) is a Layer 2 protocol that maps an IP address (Layer 3) to a MAC address (Layer 2).

DAI dynamic ARP inspection is a security feature that is used to protect ARP from ARP poisoning attacks. DAI checks all ARP packets on an untrusted interface and by default all the interfaces are untrusted and these untrusted interfaces undergo DAI validation. DAI compares the information in the ARP packets received on an untrusted port with the DHCP snooping database and ARP access list. Once the information is matched it will forward but if not match, it will discard ARP packets with invalid MAC addresses to IP address bindings. This is how DAI prevent ARP Poisoning (man-in-the-middle) attack by intercepting all ARP request and responses. DIA verified for valid MAC address to IP address binding before the packet is forwarded to the destination.

An attacker may also send a large number of ARP messages and harm our switch CPU utilization. In order to prevent this attack, we need to limit the Dynamic ARP inspection message rate and interval. after implementing DAI some services may break, such as proxy ARP but there is a solution, configure some ports as trusted for DAI.

Let’s see the configuration to get a better understanding.

Topology: -

  • configure the topology as per the diagram
  • configure VLAN 100, name DAI
  • assign all the active ports in VLAN 100
  • configure Portfast on all the active access port
  • configure the IP address on fa0/0 192.168.1.1/24
  • configure DHCP server the IP 192.168.1.0/24
  • configure DNS IP 192.168.1.80
  • configure Eth 1/0 trusted for DHCP
  • configure switch to prevent ARP poisoning attack on VLAN 100
  • configure DHCP snooping on VLAN 100
  • make sure PC ethernet 0/2 by pass DAI inspection and ping default gateway
  • configure the ARP access list and bind the IP to MAC for untrusted active ports
  • make sure all the untrusted ports undergo the inspection.
  • configure ARP inspection interval and message rate 8 limit

configure VLAN 100, name DAI

switch1(config)#vlan 100

switch1(config-vlan)#name DAI

switch1(config-vlan)#exit

switch1(config)#end

switch1#show vlan brief

VLAN Name Status Ports

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

1 default active Et0/0, Et0/1, Et0/2, Et0/3

Et1/0, Et1/1, Et1/2, Et1/3

Et2/0, Et2/1, Et2/2, Et2/3

Et3/0, Et3/1, Et3/2, Et3/3

100 DAI active

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

assign all the active ports in VLAN 100 and configure Portfast on all the active access port

switch1(config)#interface range ethernet 0/0–3

switch1(config-if-range)#switchport mode access

switch1(config-if-range)#switchport access vlan 100

switch1(config-if-range)#spanning-tree portfast

switch1(config-if-range)#exit

%Warning: portfast should only be enabled on ports connected to a single

host. Connecting hubs, concentrators, switches, bridges, etc… to this

interface when portfast is enabled, can cause temporary bridging loops.

Use with CAUTION

%Portfast will be configured in 4 interfaces due to the range command

but will only have effect when the interfaces are in a non-trunking mode.

switch1(config)#interface ethernet 1/0

switch1(config-if)#switchport access vlan 100

switch1(config-if)#exit

switch1(config)#end

switch1#show vlan brief

VLAN Name Status Ports

— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -

1 default active Et1/1, Et1/2, Et1/3, Et2/0

Et2/1, Et2/2, Et2/3, Et3/0

Et3/1, Et3/2, Et3/3

100 DAI active Et0/0, Et0/1, Et0/2, Et0/3

Et1/0

1002 fddi-default act/unsup

1003 token-ring-default act/unsup

1004 fddinet-default act/unsup

1005 trnet-default act/unsup

configure the IP address on the router (DHCP SERVER) fa0/0 192.168.1.1/24

R1(config)#interface fastEthernet 0/0

R1(config-if)#ip address 192.168.1.1 255.255.255.0

R1(config-if)#no shutdown

R1(config-if)#exit

configure DHCP server the IP 192.168.1.0/24 and configure DNS IP 192.168.1.80

R1(config)#hostname IP_DHCP_SERVER_

IP_DHCP_SERVER_(config)#ip dhcp pool DHCP_SERVER

IP_DHCP_SERVER_(dhcp-config)#network 192.168.1.0 255.255.255.0

IP_DHCP_SERVER_(dhcp-config)#default-router 192.168.1.1

IP_DHCP_SERVER_(dhcp-config)#dns-server 192.168.1.80

IP_DHCP_SERVER_(dhcp-config)#exit

IP_DHCP_SERVER_(config)#ip dhcp excluded-address 192.168.1.1

IP_DHCP_SERVER_(config)#ip dhcp excluded-address 192.168.1.80

IP_DHCP_SERVER_(config)#exit

configure Eth 1/0 trusted for DHCP and configure snooping

switch1(config)#ip dhcp snooping vlan 100

switch1(config)#ip dhcp snooping information option

switch1(config)#interface ethernet 1/0

switch1(config-if)#ip dhcp snooping trust

switch1(config-if)#exit

(From PC 1)

PC1> ip dhcp
DDORA IP 192.168.1.2/24 GW 192.168.1.1
PC1> show ip
NAME : PC1[1]
IP/MASK : 192.168.1.2/24
GATEWAY : 192.168.1.1
DNS : 192.168.1.80
DHCP SERVER : 192.168.1.1
DHCP LEASE : 86395, 86400/43200/75600
MAC : 00:50:79:66:68:02
LPORT : 10008
RHOST:PORT : 127.0.0.1:10009
MTU: : 1500

(From PC 2)

PC2> ip dhcp

DDORA IP 192.168.1.3/24 GW 192.168.1.1

PC2> show ip
NAME : PC2[1]
IP/MASK : 192.168.1.3/24
GATEWAY : 192.168.1.1
DNS : 192.168.1.80
DHCP SERVER : 192.168.1.1
DHCP LEASE : 86341, 86400/43200/75600
MAC : 00:50:79:66:68:01
LPORT : 10010
RHOST:PORT : 127.0.0.1:10011
MTU: : 1500

(From PC 3)

PC3> ip dhcp

DDORA IP 192.168.1.4/24 GW 192.168.1.1

PC3> show ip

NAME : PC3[1]

IP/MASK : 192.168.1.4/24

GATEWAY : 192.168.1.1

DNS : 192.168.1.80

DHCP SERVER : 192.168.1.1

DHCP LEASE : 86368, 86400/43200/75600

MAC : 00:50:79:66:68:00

LPORT : 10012

RHOST:PORT : 127.0.0.1:10013

MTU: : 1500

PC4> ip dhcp

DDORA IP 192.168.1.5/24 GW 192.168.1.1

PC4> show ip

NAME : PC4[1]

IP/MASK : 192.168.1.5/24

GATEWAY : 192.168.1.1

DNS : 192.168.1.80

DHCP SERVER : 192.168.1.1

DHCP LEASE : 86397, 86400/43200/75600

MAC : 00:50:79:66:68:03

LPORT : 10007

RHOST:PORT : 127.0.0.1:10014

MTU: : 1500

(On Router)

IP_DHCP_SERVER_#show ip dhcp binding

Bindings from all pools not associated with VRF:

IP address Client-ID/ Lease expiration Type

Hardware address/

User name

192.168.1.2 0100.5079.6668.02 Oct 02 2023 03:55 PM Automatic

192.168.1.3 0100.5079.6668.01 Oct 02 2023 03:57 PM Automatic

192.168.1.4 0100.5079.6668.00 Oct 02 2023 03:57 PM Automatic

192.168.1.5 0100.5079.6668.03 Oct 02 2023 04:00 PM Automatic

IP_DHCP_SERVER_#show ip dhcp pool

Pool DHCP_SERVER :

Utilization mark (high/low) : 100 / 0

Subnet size (first/next) : 0 / 0

Total addresses : 254

Leased addresses : 4

Pending event : none

1 subnet is currently in the pool :

Current index IP address range Leased addresses

192.168.1.6 192.168.1.1–192.168.1.254 4

(Before configuring ARP inspection DAI)

PC1> ping 192.168.1.5

84 bytes from 192.168.1.5 icmp_seq=1 ttl=64 time=2.620 ms

84 bytes from 192.168.1.5 icmp_seq=2 ttl=64 time=1.628 ms

84 bytes from 192.168.1.5 icmp_seq=3 ttl=64 time=1.110 ms

84 bytes from 192.168.1.5 icmp_seq=4 ttl=64 time=2.384 ms

84 bytes from 192.168.1.5 icmp_seq=5 ttl=64 time=1.534 ms

PC2> ping 192.168.1.4

84 bytes from 192.168.1.4 icmp_seq=1 ttl=64 time=2.707 ms

84 bytes from 192.168.1.4 icmp_seq=2 ttl=64 time=2.670 ms

84 bytes from 192.168.1.4 icmp_seq=3 ttl=64 time=1.962 ms

84 bytes from 192.168.1.4 icmp_seq=4 ttl=64 time=1.380 ms

84 bytes from 192.168.1.4 icmp_seq=5 ttl=64 time=2.463 ms

PC3> ping 192.168.1.2

84 bytes from 192.168.1.2 icmp_seq=1 ttl=64 time=2.249 ms

84 bytes from 192.168.1.2 icmp_seq=2 ttl=64 time=1.912 ms

84 bytes from 192.168.1.2 icmp_seq=3 ttl=64 time=1.970 ms

84 bytes from 192.168.1.2 icmp_seq=4 ttl=64 time=1.298 ms

84 bytes from 192.168.1.2 icmp_seq=5 ttl=64 time=1.464 ms

PC4> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=255 time=31.796 ms

84 bytes from 192.168.1.1 icmp_seq=2 ttl=255 time=30.672 ms

84 bytes from 192.168.1.1 icmp_seq=3 ttl=255 time=32.262 ms

84 bytes from 192.168.1.1 icmp_seq=4 ttl=255 time=32.742 ms

84 bytes from 192.168.1.1 icmp_seq=5 ttl=255 time=15.686 ms

(As you can see all the PCs are able to communicate with each other)

configure switch to prevent ARP poisoning attack on VLAN 100

switch1(config)#ip arp inspection vlan 100

PC1> ping 192.168.1.5

host (192.168.1.5) not reachable

PC1> ping 192.168.1.4

host (192.168.1.4) not reachable

*Oct 1 10:38:45.300: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.5/10:38:44 UTC Sun Oct 1 2023])
*Oct 1 10:38:46.305: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.5/10:38:45 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:38:47.309: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.5/10:38:46 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:38:53.394: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.4/10:38:52 UTC Sun Oct 1 2023])
*Oct 1 10:38:54.408: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.4/10:38:53 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:38:55.409: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.4/10:38:54 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:39:15.637: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.1/10:39:15 UTC Sun Oct 1 2023])
*Oct 1 10:39:16.641: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.1/10:39:16 UTC Sun Oct 1 2023])
switch1#
*Oct 1 10:39:17.664: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Et0/0, vlan 100.([0050.7966 .6802/192.168.1.2/ffff.ffff.ffff/192.168.1.1/10:39:17 UTC Sun Oct 1 2023])

(you can see the result)

PC3> show ip

NAME : PC3[1]

IP/MASK : 192.168.1.4/24

GATEWAY : 192.168.1.1

DNS : 192.168.1.80

DHCP SERVER : 192.168.1.1

DHCP LEASE : 84429, 86400/43200/75600

MAC : 00:50:79:66:68:00

LPORT : 10012

RHOST:PORT : 127.0.0.1:10013

MTU: : 1500

PC3> ping 192.168.1.3

host (192.168.1.3) not reachable

PC3> ping 192.168.1.5

host (192.168.1.5) not reachable

PC3> ping 192.168.1.2

host (192.168.1.2) not reachable

(make sure PC ethernet 0/2 by pass DAI inspection and ping default gateway)

switch1(config)#interface ethernet 0/2

switch1(config-if)#ip arp inspection trust

switch1(config-if)#exit

PC3> ping 192.168.1.1

84 bytes from 192.168.1.1 icmp_seq=1 ttl=255 time=33.949 ms

84 bytes from 192.168.1.1 icmp_seq=2 ttl=255 time=31.255 ms

84 bytes from 192.168.1.1 icmp_seq=3 ttl=255 time=33.249 ms

84 bytes from 192.168.1.1 icmp_seq=4 ttl=255 time=16.617 ms

84 bytes from 192.168.1.1 icmp_seq=5 ttl=255 time=17.280 ms

switch1#show ip arp inspection interfaces

Interface Trust State Rate (pps) Burst Interval

— — — — — — — — — — — — — — — — — — — — — — — — — —

Et0/0 Untrusted 15 1

Et0/1 Untrusted 15 1

Et0/2 Trusted None N/A

Et0/3 Untrusted 15 1

(as you can see PC3 bypasses the DAI inspection because we configure the port trusted)

configure the ARP access list bind the IP to MAC for untrusted active ports and make sure all the untrusted ports undergo the inspection.

switch1(config)#arp access-list ARP-ACL-VLAN100

switch1(config-arp-nacl)#permit ip host 192.168.1.2 mac host 00:50:79:66:68:02 log

switch1(config-arp-nacl)#permit ip host 192.168.1.3 mac host 00:50:79:66:68:01 log

switch1(config-arp-nacl)#permit ip host 192.168.1.5 mac host 00:50:79:66:68:03 log

switch1(config-arp-nacl)#exit

switch1#show arp access-list ARP-ACL-VLAN100

ARP access list ARP-ACL-VLAN100

permit ip host 192.168.1.2 mac host 0050.7966.6802 log

permit ip host 192.168.1.3 mac host 0050.7966.6801 log

permit ip host 192.168.1.5 mac host 0050.7966.6803 log

switch1(config)#ip arp inspection vlan 100

switch1(config)#ip arp inspection filter ARP-ACL-VLAN100 vlan 100

switch1(config)#end

switch1#show ip arp inspection vlan 100

Source Mac Validation : Disabled

Destination Mac Validation : Disabled

IP Address Validation : Disabled

Vlan Configuration Operation ACL Match Static ACL

— — — — — — — — — — — — — — — — — — — — — — — —

100 Enabled Active ARP-ACL-VLAN100 No

Vlan ACL Logging DHCP Logging Probe Logging

— — — — — — — — — — — — — — — — — — — — -

100 Deny Deny Off

switch1#show ip arp inspection statistics

Vlan Forwarded Dropped DHCP Drops ACL Drops

— — — — — — — — — — — — — — — — — — — — -

100 50 69 69 0

switch1#show ip arp inspection interfaces

Interface Trust State Rate (pps) Burst Interval

— — — — — — — — — — — — — — — — — — — — — — — — — —

Et0/0 Untrusted 15 1

Et0/1 Untrusted 15 1

Et0/2 Trusted None N/A

Et0/3 Untrusted 15 1

Et1/0 Trusted None N/A

Et1/1 Untrusted 15 1

Et1/2 Untrusted 15 1

Et1/3 Untrusted 15 1

Et2/0 Untrusted 15 1

Et2/1 Untrusted 15 1

Et2/2 Untrusted 15 1

Et2/3 Untrusted 15 1

Et3/0 Untrusted 15 1

Et3/1 Untrusted 15 1

Et3/2 Untrusted 15 1

Et3/3 Untrusted 15 1

(now let ping from PC 1 to all PCs)

PC1> ping 192.168.1.3

84 bytes from 192.168.1.3 icmp_seq=1 ttl=64 time=3.416 ms

84 bytes from 192.168.1.3 icmp_seq=2 ttl=64 time=2.876 ms

84 bytes from 192.168.1.3 icmp_seq=3 ttl=64 time=3.075 ms

84 bytes from 192.168.1.3 icmp_seq=4 ttl=64 time=2.928 ms

84 bytes from 192.168.1.3 icmp_seq=5 ttl=64 time=3.170 ms

PC1> ping 192.168.1.4

84 bytes from 192.168.1.4 icmp_seq=1 ttl=64 time=4.271 ms

84 bytes from 192.168.1.4 icmp_seq=2 ttl=64 time=2.606 ms

84 bytes from 192.168.1.4 icmp_seq=3 ttl=64 time=3.097 ms

84 bytes from 192.168.1.4 icmp_seq=4 ttl=64 time=3.117 ms

84 bytes from 192.168.1.4 icmp_seq=5 ttl=64 time=3.303 ms

PC1> ping 192.168.1.5

84 bytes from 192.168.1.5 icmp_seq=1 ttl=64 time=2.388 ms

84 bytes from 192.168.1.5 icmp_seq=2 ttl=64 time=3.150 ms

84 bytes from 192.168.1.5 icmp_seq=3 ttl=64 time=2.495 ms

84 bytes from 192.168.1.5 icmp_seq=4 ttl=64 time=2.874 ms

84 bytes from 192.168.1.5 icmp_seq=5 ttl=64 time=2.822 ms

(as you can see after the DAI inspection switch allow the packets)

switch1(config)#interface ethernet 0/2

switch1(config-if)#ip arp inspection limit rate 8 burst interval 4

switch1(config-if)#exit

switch1#show ip arp inspection interfaces

Interface Trust State Rate (pps) Burst Interval

— — — — — — — — — — — — — — — — — — — — — — — — — —

Et0/0 Untrusted 15 1

Et0/1 Untrusted 15 1

Et0/2 Trusted 8 4

Et0/3 Untrusted 15 1

Et1/0 Trusted None N/A

Et1/1 Untrusted 15 1

Et1/2 Untrusted 15 1

Et1/3 Untrusted 15 1

Et2/0 Untrusted 15 1

Et2/1 Untrusted 15 1

Et2/2 Untrusted 15 1

Et2/3 Untrusted 15 1

Et3/0 Untrusted 15 1

Et3/1 Untrusted 15 1

Et3/2 Untrusted 15 1

Et3/3 Untrusted 15 1

IP HOPE YOU LIKE THIS BLOG, PLEASE VISIT TO OUR YOUTUBE CHANNEL https://www.youtube.com/watch?v=MTxiB4qVNho&list=PLujCKV9ySV1-TCNaVC9nl-guj9FgXLf-m

--

--

Edgar C Francis
Edgar C Francis

Written by Edgar C Francis

I am a CCIE Technical Instructor/Network consultant. I am having experience ranging from operating and maintaining PCs and peripherals to network control

No responses yet