Administrator Guide
Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoofing by forwarding only ARP frames that have been validated
against the DHCP binding table.
ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any
device. ARP replies are accepted even when no request was sent. If a client receives an ARP message for which a relevant entry already
exists in its ARP cache, it overwrites the existing entry with the new information.
The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers use to inject false IP-to-MAC
mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM), and denial-of-service (DoS) attacks,
among others.
A spoofed ARP message is one in which the MAC address in the sender hardware address field and the IP address in the sender protocol
field are strategically chosen by the attacker. For example, in an MITM attack, the attacker sends a client an ARP message containing the
attacker’s MAC address and the gateway’s IP address. The client then thinks that the attacker is the gateway, and sends all internet-
bound packets to it. Likewise, the attacker sends the gateway an ARP message containing the attacker’s MAC address and the client’s IP
address. The gateway then thinks that the attacker is the client and forwards all packets addressed to the client to it. As a result, the
attacker is able to sniff all packets to and from the client.
Other attacks using ARP spoofing include:
Broadcast An attacker can broadcast an ARP reply that specifies FF:FF:FF:FF:FF:FF as the gateway’s MAC address,
resulting in all clients broadcasting all internet-bound packets.
MAC flooding An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after which,
traffic from the gateway is broadcast.
Denial of service An attacker can send a fraudulent ARP messages to a client to associate a false MAC address with the gateway
address, which would blackhole all internet-bound packets from the client.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM
entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system.
Configuring Dynamic ARP Inspection
To enable dynamic ARP inspection, use the following commands.
1. Enable DHCP snooping.
2. Validate ARP frames against the DHCP snooping binding table.
INTERFACE VLAN mode
arp inspection
To view entries in the ARP database, use the show arp inspection database command.
DellEMC#show arp inspection database
Protocol Address Age(min) Hardware Address Interface VLAN CPU
---------------------------------------------------------------------
Internet 10.1.1.251 - 00:00:4d:57:f2:50 Gi 1/2 Vl 10 CP
Internet 10.1.1.252 - 00:00:4d:57:e6:f6 Gi 1/1 Vl 10 CP
Internet 10.1.1.253 - 00:00:4d:57:f8:e8 Gi 1/3 Vl 10 CP
Internet 10.1.1.254 - 00:00:4d:69:e8:f2 Gi 1/5 Vl 10 CP
DellEMC#
To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics command.
DellEMC#show arp inspection statistics
Dynamic ARP Inspection (DAI) Statistics
---------------------------------------
Valid ARP Requests : 0
Valid ARP Replies : 1000
Invalid ARP Requests : 1000
Invalid ARP Replies : 0
DellEMC#
250
Dynamic Host Configuration Protocol (DHCP)