WEBVTT

00:00:03.260 --> 00:00:06.940
Hello and welcome to this video in which we're going to go over configuring

00:00:06.940 --> 00:00:11.540
dynamic ARP inspection and monitoring it in Cisco IOS.

00:00:11.540 --> 00:00:16.280
So that is our goal here.

00:00:16.280 --> 00:00:18.240
Let's go ahead and check in with this.

00:00:18.240 --> 00:00:21.460
So with dynamic ARP inspection, there's only two commands you need to

00:00:21.460 --> 00:00:25.720
do. Number one, you need to enable it globally on the VLAN or VLANs that

00:00:25.720 --> 00:00:29.880
you wish. And remember that will make all the ports in that VLAN untrusted

00:00:29.880 --> 00:00:34.740
from the perspective of ARP requests and ARP replies.

00:00:34.740 --> 00:00:37.920
So every ARP request and reply coming in a port in that VLAN will have

00:00:37.920 --> 00:00:42.460
to be paused and inspected against the DHCP snooping binding database.

00:00:42.460 --> 00:00:46.280
Secondly, if you have devices connected to your switch that have static

00:00:46.280 --> 00:00:49.920
IP addresses like your routers, your servers, you probably want to go

00:00:49.920 --> 00:00:55.420
to their interfaces and mark them as trusted interfaces.

00:00:55.420 --> 00:01:01.480
Okay, I gave an example in the previous video about a situation where

00:01:01.480 --> 00:01:06.820
a single physical interface could lead to some devices with static IP

00:01:06.820 --> 00:01:12.280
addresses and some devices that are either unknown or have DHCP, but either

00:01:12.280 --> 00:01:18.160
way, where there would be a risk of making that interface a trusted interface.

00:01:18.160 --> 00:01:21.940
And I said, in that particular scenario, you'd want to use an ARP access

00:01:21.940 --> 00:01:25.000
list. And that's what I want to talk about right here.

00:01:25.000 --> 00:01:29.940
So here we say arp access-list and you give it a descriptive name.

00:01:29.940 --> 00:01:33.640
And you can say, permit ip host, you give the IP address of the device

00:01:33.640 --> 00:01:38.680
with a static IP address, mac host, you give the MAC address of that,

00:01:38.680 --> 00:01:40.760
the NIC card on that device.

00:01:40.760 --> 00:01:46.220
And then the last step is we want to associate this ARP access list with

00:01:46.220 --> 00:01:48.480
dynamic ARP inspection.

00:01:48.480 --> 00:01:54.920
So here in applying it, we would say ip arp inspection filter and then

00:01:54.920 --> 00:01:58.980
give it the name of the ARP access list and apply it to a particular VLAN.

00:01:58.980 --> 00:02:02.060
Now, notice that at the end here, there's this keyword of static.

00:02:02.060 --> 00:02:03.080
What does that do?

00:02:03.080 --> 00:02:06.180
All right, you're probably not going to want to use the keyword of static.

00:02:06.180 --> 00:02:08.580
So you probably want to leave that off.

00:02:08.580 --> 00:02:14.640
So if you don't include that keyword, what that will mean is that now,

00:02:14.640 --> 00:02:25.800
when an ARP request or an ARP reply is received on an untrusted interface,

00:02:25.800 --> 00:02:29.960
the first thing that will happen is we'll see if we can validate that

00:02:29.960 --> 00:02:33.140
request or reply against your ARP access list.

00:02:33.140 --> 00:02:36.620
We'll see, is there a permit entry or maybe a deny entry if you're denying

00:02:36.620 --> 00:02:39.940
something? If there's a permit entry, we're done.

00:02:39.940 --> 00:02:42.480
We can go ahead and allow it on through.

00:02:42.480 --> 00:02:49.160
If there's no entry in here, then we will fall back to the DHCP snooping

00:02:49.160 --> 00:02:50.200
binding database.

00:02:50.200 --> 00:02:54.960
And we'll try to validate the ARP request or reply there before we decide

00:02:54.960 --> 00:02:56.720
to drop or forward it.

00:02:56.720 --> 00:03:01.900
Now, in the event that you decide, hey, you know what?

00:03:01.900 --> 00:03:06.860
I like this ARP, you know, dynamic ARP inspection thing, but I really

00:03:06.860 --> 00:03:09.680
don't have a use for DHCP snooping.

00:03:09.680 --> 00:03:15.400
You know, maybe everything on my switch has got static IP addresses.

00:03:15.400 --> 00:03:19.180
So I'm not going to have a DHCP snooping binding database because I'm

00:03:19.180 --> 00:03:21.480
not using DHCP snooping.

00:03:21.480 --> 00:03:25.400
That would be a use case where you'd probably want to use the static keyword

00:03:25.400 --> 00:03:30.700
here. Static is telling dynamic ARP inspection, hey, the only way you

00:03:30.700 --> 00:03:35.000
can validate ARP requests and replies is with the ARP access list.

00:03:35.000 --> 00:03:38.140
If you don't find a permit statement here, you're done.

00:03:38.140 --> 00:03:40.020
There's nothing to fall back on.

00:03:40.020 --> 00:03:44.440
So that's what the presence of the static keyword is in your ip arp inspection

00:03:44.440 --> 00:03:48.940
filter command. And this is a quick review.

00:03:48.940 --> 00:03:53.340
Just wanted to point out that in dynamic ARP inspection, the normal things

00:03:53.340 --> 00:04:00.320
that are checked are the sender's MAC address, the sender's IP address,

00:04:00.320 --> 00:04:02.900
and the VLAN of the incoming interface.

00:04:02.900 --> 00:04:06.780
That's what we check against the DHCP snooping binding database.

00:04:06.780 --> 00:04:11.240
Alternatively, if you want to check more things, you could also have ip

00:04:11.240 --> 00:04:15.500
arp inspection validate the source MAC address of the actual Ethernet

00:04:15.500 --> 00:04:23.120
header itself. Because keep in mind this, in a normal situation, if I'm

00:04:23.120 --> 00:04:30.360
sending an ARP request, or if I'm sending an ARP reply, either one, if

00:04:30.360 --> 00:04:34.640
that frame is being sourced from my laptop, well, my MAC address will

00:04:34.640 --> 00:04:39.260
be right here, and my MAC address should also be right here.

00:04:39.260 --> 00:04:44.000
If these MAC addresses are different, that's usually an indication of

00:04:44.000 --> 00:04:45.780
someone who's trying to spoof something.

00:04:45.780 --> 00:04:53.320
Someone who's trying to do something kind of a little bit threatening.

00:04:53.320 --> 00:04:57.800
So this might be a good reason why you might want to check both MAC addresses

00:04:57.800 --> 00:04:59.980
to make sure that they're the same.

00:04:59.980 --> 00:05:01.320
And that's where you could do this right here.

00:05:01.320 --> 00:05:06.580
You could also check destination MAC, and you could also check IP, which

00:05:06.580 --> 00:05:08.540
would be the target IP address.

00:05:08.540 --> 00:05:16.500
That is also checkable.

00:05:16.500 --> 00:05:20.560
Another thing that dynamic ARP inspection can do is rate limiting.

00:05:20.560 --> 00:05:24.540
A very common form of a network attack is an ARP attack where someone

00:05:24.540 --> 00:05:30.640
will say, hey, I know that if I send an ARP request to your device, it's

00:05:30.640 --> 00:05:32.340
going to interrupt your CPU.

00:05:32.340 --> 00:05:36.460
Whether your device is a router or a server or even a PC, when you get

00:05:36.460 --> 00:05:39.940
an ARP request, your CPU has to stop what it's doing for a few milliseconds

00:05:39.940 --> 00:05:42.440
to process that ARP request.

00:05:42.440 --> 00:05:47.000
So what better way to kill your device than for me to just send thousands

00:05:47.000 --> 00:05:50.640
of ARP requests every second to your device?

00:05:50.640 --> 00:05:54.720
Your CPU will be so overwhelmed trying to handle all that, it'll probably

00:05:54.720 --> 00:05:58.780
crash and die. Well, with ARP inspection, we can limit that.

00:05:58.780 --> 00:06:01.800
And you can see by default, it's limited to 15 packets per second, but

00:06:01.800 --> 00:06:05.900
you can raise or lower that with this interface command right here.

00:06:05.900 --> 00:06:09.900
And notice that's only really applied on untrusted interfaces.

00:06:09.900 --> 00:06:13.720
It does not really affect trusted interfaces.

00:06:13.720 --> 00:06:21.200
So this is our primary verification command, show ip arp inspection.

00:06:21.200 --> 00:06:24.580
We can validate that in this particular case, it has been enabled on VLAN

00:06:24.580 --> 00:06:26.580
18, it is active.

00:06:26.580 --> 00:06:28.780
And at the moment, nothing's really happened.

00:06:28.780 --> 00:06:32.620
We don't have any forwarded or dropped packets.

00:06:32.620 --> 00:06:36.980
We can also do show ip arp inspection and then specify a particular interface

00:06:36.980 --> 00:06:39.780
to confirm the trust state of that interface.

00:06:39.780 --> 00:06:41.780
Is it trusted or is it untrusted?

00:06:41.780 --> 00:06:49.720
And what is the rate of packets per second that are allowed in this interface?

00:06:49.720 --> 00:06:57.300
So that concludes this review of dynamic ARP inspection.