Administrator Guide
10.1.1.252 00:00:4d:57:e6:f6 172800 D Vl 10 Gi 0/1
10.1.1.253 00:00:4d:57:f8:e8 172740 D Vl 10 Gi 0/3
10.1.1.254 00:00:4d:69:e8:f2 172740 D Vl 10 Te 0/50
Total number of Entries in the table : 4
Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoong by forwarding only ARP frames that have been
validated against the DHCP binding table.
ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any
device. ARP replies are accepted even when no request was sent. If a client receives an ARP message for which a relevant entry
already exists in its ARP cache, it overwrites the existing entry with the new information.
The lack of authentication in ARP makes it vulnerable to spoong. ARP spoong is a technique attackers use to inject false IP-to-
MAC mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM), and denial-of-service (DoS)
attacks, among others.
A spoofed ARP message is one in which the MAC address in the sender hardware address eld and the IP address in the sender
protocol eld are strategically chosen by the attacker. For example, in an MITM attack, the attacker sends a client an ARP message
containing the attacker’s MAC address and the gateway’s IP address. The client then thinks that the attacker is the gateway, and
sends all internet-bound packets to it. Likewise, the attacker sends the gateway an ARP message containing the attacker’s MAC
address and the client’s IP address. The gateway then thinks that the attacker is the client and forwards all packets addressed to the
client to it. As a result, the attacker is able to sni all packets to and from the client.
Other attacks using ARP spoong include:
Broadcast
An attacker can broadcast an ARP reply that species FF:FF:FF:FF:FF:FF as the gateway’s MAC address,
resulting in all clients broadcasting all internet-bound packets.
MAC ooding An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after
which, trac from the gateway is broadcast.
Denial of service An attacker can send a fraudulent ARP messages to a client to associate a false MAC address with the
gateway address, which would blackhole all internet-bound packets from the client.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM
entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. However, the
ExaScale default CAM prole allocates only nine entries to the L2SysFlow region for DAI. You can congure 10 to 16 DAI-
enabled VLANs by allocating more CAM space to the L2SysFlow region before enabling DAI.
SystemFlow has 102 entries by default. This region is comprised of two sub-regions: L2Protocol and L2SystemFlow.
L2Protocol has 87 entries; L2SystemFlow has 15 entries. Six L2SystemFlow entries are used by Layer 2 protocols, leaving nine
for DAI. L2Protocol can have a maximum of 100 entries; you must expand this region to capacity before you can increase the
size of L2SystemFlow. This is relevant when you are enabling DAI on VLANs. If, for example, you want to enable DAI on 16
VLANs, you need seven more entries; in this case, recongure the SystemFlow region for 122 entries using the layer-2 eg-
acl value fib value frrp value ing-acl value learn value l2pt value qos value system-
flow 122 command.
The logic is as follows:
L2Protocol has 87 entries by default and must be expanded to its maximum capacity, 100 entries, before L2SystemFlow can be
increased; therefore, 13 more L2Protocol entries are required. L2SystemFlow has 15 entries by default, but only nine are for
DAI; to enable DAI on 16 VLANs, seven more entries are required. 87 L2Protocol + 13 additional L2Protocol + 15 L2SystemFlow
+ 7 additional L2SystemFlow equals 122.
288
Dynamic Host Conguration Protocol (DHCP)