Hello and welcome to this video titled Configuring Dynamic ARP Inspection in Cisco IOS. In this video, I'm going to show you the various configuration commands for dynamic ARP inspection, both the essential ones to get it working, as well as some optional commands that you may choose to use. I'll look at how we incorporate dynamic ARP inspection for devices like servers and routers that have static IP addresses. We'll look at how to deal with that. We'll get into the details of the ARP packet and see what specific fields in ARP requests and replies are checked or validated by dynamic ARP inspection. And lastly, I'll show you some commands for verification and monitoring that this feature is actually working.

So let's start with the basic configuration of dynamic ARP inspection. Real simple to get it working. Step number one, you want to identify the VLAN where you want to turn this guy on. And then you just say ip arp inspection vlan and whatever that VLAN number is. So note, this is done at the global configuration level here.

So once you do this, all the access ports and trunks in that VLAN will become untrusted as far as dynamic ARP inspection is concerned, which means that any ARP packet, whether it be a request or a reply, that's received on those untrusted interfaces will not pass through the switch unless we can first validate it against the DHCP snooping binding database. So of course, this assumes that you already have previously configured DHCP snooping and you've got that up and running.

Now, if you have an interface that directly leads to a known trusted host that has a static IP address, for example, an interface that leads to a router which is serving as a default gateway, or maybe an interface that leads to a server with a static IP address, then we can't validate those because those didn't do DHCP. So we want to make those interfaces trusted interfaces.

Now, sometimes making an interface trusted isn't the best solution. For example, let's say I have a switch right here. And all these interfaces here, let's just make these little circles hosts. So I want to make all these untrusted because any one of these hosts could perform an attack if they wanted to. And then I have another interface here that maybe connects to a smaller switch. And maybe my router or my server, whatever it is, is hanging off of this. Now, I decide that I want to do dynamic ARP inspection on the top switch. Well, here's the problem. If I make this interface right here a trusted interface, then that opens me up to attacks, because if somebody else connects to this switch down here, if any host connects to that, now they can start sending ARP requests or replies and it's not going to be validated because that's a trusted interface. So in this particular case, we're going to want to leave that as an untrusted port, which it will be by default the moment we turn on dynamic ARP inspection. And instead, on the switch, we want to configure what's called an ARP access list. We want to configure an ARP access list that's matching against the IP address of the router and the MAC address of the router. So we'll have to get that first; we'll have to log into that router and find out what its IP address and MAC address are. Then we want to configure an ARP ACL that's permitting these things here, and then have dynamic ARP inspection use that ARP access list for its validation. That way, we don't have to worry about these guys down here performing attacks, because they're coming in on an untrusted interface. So how do we do that? How do we create an ARP access list?

Well, that's also very simple. So you start out by typing at the global level arp access-list and then give it a descriptive name like ROUTER or whatever. And then that puts you into config-acl mode. From there, you say permit ip host, the IP address of the router's interface, mac host, and the MAC address of the router's interface. So now your ARP access list is done. The last thing we need to do is get dynamic ARP inspection to reference this ARP access list. So that is also done at the global configuration level here. We say ip arp inspection filter, reference the name of the ACL, and then say vlan and then whatever your VLAN is. Now notice at the end of this ARP inspection filter command, there's a static keyword. You probably don't want to use that. What that static keyword does is it tells dynamic ARP inspection: only use this ARP access list for validation of ARP packets. Don't even bother checking to see if there's a DHCP snooping binding database. We're not going to use that. We're just going to use the ARP access list. So that's what will happen if you use the keyword static. And I'm sure there are some very good use cases for that, but just be aware that that's what will happen if you put in that keyword there.

All right, so here we have the ARP packet. And this particular ARP packet, the direction it's going is from right to left. So here's our Ethernet header, our standard Ethernet header of our destination MAC, source MAC address, and type code. And notice the type code is 0x806 for ARP. And then the body of this, that is the actual ARP packet itself. So the opcode right here, depending on what the opcode is, will indicate whether this is an ARP request or an ARP reply packet. But most of it's the same other than the opcode.

All right, so when we enable dynamic ARP inspection, which of these fields is validated against the DHCP snooping binding database? Well, by default, what's checked is the sender's MAC and the sender's IP address. So if my laptop was generating an ARP request for my default gateway, let's say, then the sender's MAC would be my MAC, and the sender's IP address would be my IP address. And presumably that would already have been learned in the switch in the DHCP snooping binding database. So these two fields are what would be checked against that binding database. And similarly, if the router is responding back to me, well, then the router will use its sender MAC and its sender IP address. Because the router has a static IP address, well, presumably it's connected to a trusted port, so we're not even going to validate it at all, unless we're validating it against an ARP access list instead.

Now, optionally, you can have a little bit more validation turned on with the ip arp inspection validate command. And you can see here, we can also validate the source MAC address in the Ethernet header itself, the destination MAC address, and the target IP address. Now, the way that works is, let's take each one of these individually. For example, let's take the source MAC address; let's go back to that one. So if I say ip arp inspection validate source MAC address, what will actually be validated or checked? First of all, this part will be validated as normal. And if I'm validating the source MAC address, it'll check to see if the source MAC address is the same as the sender's MAC address. Those two things will have to be equal, because in a normal ARP packet, whether it be a request or reply, they would be equal. So if those two fields are different, then that's usually an indication of a forged ARP packet that didn't really come from who it says it's coming from, and that would cause the packet to fail the validation and be dropped.

Similarly, if we go in here and we add in the destination MAC address, then what's going to happen is the destination MAC address will be checked against the target MAC address, and those two will have to be the same. And then lastly, if we choose to also add in IP, which is on the right there, then what's going to happen is the target IP address field is going to be checked for the presence of a real, legitimate IP address. Because if I'm sending an ARP request, for example, let's say I know that my default gateway is 1.1.1.1. But when I send an ARP request to that, that's what I'm going to put in the target address field, 1.1.1.1. Similarly, when the default gateway is responding back to me, let's say my IP address is 1.1.1.9. Well, now, he will put, let's see here, target MAC, sender's IP address. Nope, he'll still put 1.1.1.1 because that was the original target IP address in there. But the point is that if we looked in there, we saw something that was not a legitimate IP address. For example, if we saw this, 0.0.0.0, that should never be in the target IP address. There should always be some kind of IP address in there. If we saw this, the broadcast address, that would be illegal. Or if we saw any kind of a multicast address in there, none of those should ever show up in the target IP address field. And so if we add IP right here, it'll validate that none of those are there. If it sees any of that, then we'll see it.

Now dynamic ARP inspection can also be used to prevent ARP denial of service attacks, the type of attack where somebody just pounds a device with, like, thousands of ARP requests every single second, or thousands of ARP replies every single second. So we can see, by default, when you enable dynamic ARP inspection, it rate limits ARP requests and replies to 15 packets per second. Here's the command where you can raise or lower that depending on what your needs are. So as an example of this, if we had something like this where I had a switch, and let's say he was connected to another switch, and he here was connected to a router, and let's say that between these two guys right here, we had dynamic ARP inspection enabled on the bottom of the switch on the right. Well, between these, well, let's just take a look at the switch on the left. If the switch on the left is a monstrous Nexus switch or something like that, we could literally have 300-plus clients connected to that switch. So theoretically, if a whole bunch of those people come online at basically the same time, we could end up seeing more than 15 packets per second of ARP requests as they all try to ARP for their default gateway. So in a situation like this, you might want to raise it to something more than 15 packets per second to account for a topology like that. And as you can see here, it says trusted interfaces are not rate limited in the inbound direction.

So how do we validate that dynamic ARP inspection is working? Well, there's two basic commands. The first command here is show ip arp inspection, and you can see it has been enabled for VLAN 18 in this case, and it also gives us some statistics about how many forwarded and dropped ARP packets have gone across this VLAN. And you could also do show ip arp inspection interfaces and check on a particular interface of interest. And it'll show you, number one, if it's been enabled on the interface; if it hasn't, it won't even show up here. And if it has been enabled on the interface, you'll be able to see whether it's a trusted or an untrusted port, and what the rate is in packets per second; you can see there by default it's 15. And this is a good command to also validate ARP inspection on specific interfaces. So that's it for this video on how to configure and validate dynamic ARP inspection. Thank you for watching.