Reference Guide
Total number of Entries in the table : 4
Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have
been validated against the DHCP binding table.
ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and
replies from any device. ARP replies are accepted even when no request was sent. If a client receives an ARP message
for which a relevant entry already exists in its ARP cache, it overwrites the existing entry with the new information.
The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers use to inject
false IP-to-MAC mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM), and
denial-of-service (DoS) attacks, among others.
A spoofed ARP message is one in which the MAC address in the sender hardware address field and the IP address in
the sender protocol field are strategically chosen by the attacker. For example, in an MITM attack, the attacker sends a
client an ARP message containing the attacker’s MAC address and the gateway’s IP address. The client then thinks that
the attacker is the gateway, and sends all internet-bound packets to it. Likewise, the attacker sends the gateway an ARP
message containing the attacker’s MAC address and the client’s IP address. The gateway then thinks that the attacker
is the client and forwards all packets addressed to the client to it. As a result, the attacker is able to sniff all packets to
and from the client.
Other attacks using ARP spoofing include:
Broadcast An attacker can broadcast an ARP reply that specifies FF:FF:FF:FF:FF:FF as the gateway’s MAC
address, resulting in all clients broadcasting all internet-bound packets.
MAC flooding An attacker can send fraudulent ARP messages to the gateway until the ARP cache is
exhausted, after which, traffic from the gateway is broadcast.
Denial of service An attacker can send a fraudulent ARP messages to a client to associate a false MAC address
with the gateway address, which would blackhole all internet-bound packets from the client.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One
CAM entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system. However,
the ExaScale default CAM profile allocates only nine entries to the L2SysFlow region for DAI. You can configure 10
to 16 DAI-enabled VLANs by allocating more CAM space to the L2SysFlow region before enabling DAI.
SystemFlow has 102 entries by default. This region is comprised of two sub-regions: L2Protocol and L2SystemFlow.
L2Protocol has 87 entries; L2SystemFlow has 15 entries. Six L2SystemFlow entries are used by Layer 2 protocols,
leaving nine for DAI. L2Protocol can have a maximum of 100 entries; you must expand this region to capacity
before you can increase the size of L2SystemFlow. This is relevant when you are enabling DAI on VLANs. If, for
example, you want to enable DAI on 16 VLANs, you need seven more entries; in this case, reconfigure the
SystemFlow region for 122 entries using the layer-2 eg-acl value fib value frrp value ing-
acl
value learn value l2pt value qos value system-flow 122 command.
The logic is as follows:
L2Protocol has 87 entries by default and must be expanded to its maximum capacity, 100 entries, before
L2SystemFlow can be increased; therefore, 13 more L2Protocol entries are required. L2SystemFlow has 15 entries
by default, but only nine are for DAI; to enable DAI on 16 VLANs, seven more entries are required. 87 L2Protocol +
13 additional L2Protocol + 15 L2SystemFlow + 7 additional L2SystemFlow equals 122.
235