Mitigate with ARP Inspection
- Uses DHCP Snooping DB/Table
- Can use Static ARP ACL to Map
- To Trust or Not to Trust
- Header to Payload Validation
! ARP inspection uses the DHCP Snooping table
SW2#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:0C:29:16:57:AC   10.123.0.3       85971       dhcp-snooping  123   FastEthernet0/2
B8:27:EB:51:1A:F6   10.123.0.4       82867       dhcp-snooping  123   FastEthernet0/5
Total number of bindings: 2
! Configure ARP Inspection
SW2(config)#ip arp inspection vlan 123
SW2(config)#do show ip arp inspection vlan 123
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  123     Deny             Deny              Off
! Configure Trunk port
SW2(config)#int fas 0/2
SW2(config-if)#description trunk port
SW2(config-if)#ip arp inspection trust
! Configure Access port
SW2(config)#int fas 0/1
SW2(config-if)#description user port
SW2(config-if)#ip arp inspection limit rate 10
*** Logs after Attack
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 123. ([b827.eb51.1af6/10.123.0.6.57ac/10.123.0.3/01:23:03 UTC Mon May 4 1991])
*** Logs after running an Nmap scan
%SW_DAI-4-PACKET_RATE_EXCEEDED: 11 packets received in 25 milliseconds on Fa0/1.
%PM-4-ERR_DISABLE: arp-inspection error detected on Fa0/1, putting Fa0/1 in err-disable state
* For more info use:
SW2#show interfaces status err-disable
SW2#show ip arp inspection statistics vlan 123
! Configure the three additional validation checks
SW2(config)#ip arp inspection validate src-mac dst-mac ip
SW2(config)#do show ip arp inspection vlan 123
Source Mac Validation      : Enabled   <---
Destination Mac Validation : Enabled   <---
IP Address Validation      : Enabled   <---

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  123     Deny             Deny              Off
! Configure ARP Access List For R1
SW2(config)#interface fastEthernet 0/3
SW2(config-if)#description Trunk to R1
SW2(config-if)#exit
SW2(config)#arp access-list OUR-ARP-ACL
SW2(config-arp-nacl)#permit ip host 10.123.0.1 mac host 001f.9e00.ee89
! Verify
SW2(config-arp-nacl)#do show arp access-list OUR-ARP-ACL
ARP access list OUR-ARP-ACL
permit ip host 10.123.0.1 mac host 001f.9e00.ee89
! Apply ACL Filter
SW2(config)#ip arp inspection filter OUR-ARP-ACL vlan 123
SW2(config)#do show ip arp inspection vlan 123
Source Mac Validation      : Enabled
Destination Mac Validation : Enabled
IP Address Validation      : Enabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
  123     Enabled          Active      OUR-ARP-ACL        No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
  123     Deny             Deny              Off
! Auto Re-enable port
SW2(config)#errdisable recovery cause arp-inspection
SW2(config)#errdisable
root@kali#arpspoof -i eth0 -t 10.123.0.3 10.123.0.1
b8:27:eb:51:1a:f6 0:c:29:16:57:ac 0806 42: arp reply 10.123.0.1 is-at b8:27:eb:51:1a:f6
SWITCH LOG
%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Gi0/2, vlan 123 ([b827.eb51.1af6/10.123.0.1/0:
SW2(config)#do show ip arp inspection statistics vlan 123
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        --------    ----------      ---------
  123             40             24             24              0

 Vlan   DHCP Permits    ACL Permits   Probe Permits   Secure MAC Failure
 ----   ------------    -----------   -------------   ------------------
  123             25             11               0                    0

 Vlan   Dest MAC Failure   IP Validation Failure   Invalid Protocol Data
 -----  ----------------   ---------------------   -----------------------
  123                  0                       0                         0
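The decision path that the configuration above builds up (trusted port skips inspection, the three validations, ARP ACL consulted before the DHCP snooping bindings, implicit deny unless the ACL is `static`) as a small Python model; this is an added example, not Cisco's implementation or anything from the original notes. It reuses the page's binding table, the OUR-ARP-ACL entry for R1 and the captured arpspoof reply; the order in which the three validations run ahead of the ACL lookup, and leaving the rate limiter out, are modelling choices, and the spoofed reply is placed on Fa0/5 because that is the Pi's port in the binding table.

```python
from collections import namedtuple
from ipaddress import ip_address

# Ethernet header fields plus the ARP body's sender/target pairs.
ArpPacket = namedtuple("ArpPacket",
                       "in_port vlan eth_src eth_dst sender_mac sender_ip target_mac target_ip is_reply")
# bindings: {(vlan, ip): mac} from 'show ip dhcp snooping binding'; acl: [(action, ip, mac)] in order;
# static_acl: the 'static' keyword of 'ip arp inspection filter'; validate: subset of {"src-mac", "dst-mac", "ip"}.
DaiConfig = namedtuple("DaiConfig", "trusted_ports bindings acl static_acl validate",
                       defaults=(False, frozenset()))

def norm_mac(mac):
    """Normalise Cisco dotted (001f.9e00.ee89), colon and tcpdump short (0:c:29:...) forms to 12 hex digits."""
    mac = mac.lower()
    if ":" in mac:
        return "".join(octet.zfill(2) for octet in mac.split(":"))
    return mac.replace(".", "")

def bad_ip(ip):
    """Addresses the 'ip' validation rejects: unspecified, limited broadcast and multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast

def inspect(pkt, cfg):
    """Return ('forward' | 'drop', reason) for one ARP packet."""
    if pkt.in_port in cfg.trusted_ports:
        return "forward", "trusted port, not inspected"
    if "src-mac" in cfg.validate and norm_mac(pkt.eth_src) != norm_mac(pkt.sender_mac):
        return "drop", "src-mac validation"
    if "dst-mac" in cfg.validate and pkt.is_reply and norm_mac(pkt.eth_dst) != norm_mac(pkt.target_mac):
        return "drop", "dst-mac validation"
    if "ip" in cfg.validate and (bad_ip(pkt.sender_ip) or (pkt.is_reply and bad_ip(pkt.target_ip))):
        return "drop", "ip validation"
    for action, ip, mac in cfg.acl:  # the ARP ACL is checked before the DHCP snooping bindings
        if ip == pkt.sender_ip and norm_mac(mac) == norm_mac(pkt.sender_mac):
            return ("forward", "ACL permit") if action == "permit" else ("drop", "ACL deny")
    if cfg.static_acl:
        return "drop", "ACL implicit deny (static)"
    if norm_mac(cfg.bindings.get((pkt.vlan, pkt.sender_ip), "")) == norm_mac(pkt.sender_mac):
        return "forward", "DHCP snooping binding"
    return "drop", "no DHCP snooping binding (DHCP_SNOOPING_DENY)"

# SW2 as configured above: Fa0/2 trusted, ACL for R1, all three validations, the two snooped bindings.
SW2 = DaiConfig(trusted_ports={"Fa0/2"},
                bindings={(123, "10.123.0.3"): "00:0C:29:16:57:AC", (123, "10.123.0.4"): "B8:27:EB:51:1A:F6"},
                acl=[("permit", "10.123.0.1", "001f.9e00.ee89")], validate={"src-mac", "dst-mac", "ip"})

# The arpspoof reply captured above, entering on the Pi's snooped port Fa0/5 (taken from the binding table).
SPOOF = ArpPacket("Fa0/5", 123, "b8:27:eb:51:1a:f6", "0:c:29:16:57:ac",
                  "b8:27:eb:51:1a:f6", "10.123.0.1", "0:c:29:16:57:ac", "10.123.0.3", True)
```

`inspect(SPOOF, SW2)` drops the spoofed reply for the same reason the switch logged: the sender pair 10.123.0.1/b827.eb51.1af6 matches neither the ACL nor any snooped binding, so it hits the implicit deny that the DHCP_SNOOPING_DENY message reports.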