
Thursday, March 3, 2011

Dynamic ARP inspection

Dynamic ARP inspection (DAI) intercepts every ARP request and reply that arrives on an untrusted port and validates it before the switch forwards it. With the optional `validate src-mac` check, the switch compares the source MAC address in the Ethernet frame header with the sender MAC address carried inside the ARP body, so that an attacker cannot answer the ARP request of a legitimate host with a forged ARP body, as shown in the figure below.




In addition, DAI looks up the sender IP address and sender MAC address of each ARP packet in the DHCP snooping binding table and checks that the pair matches the entry learned for that VLAN. If it does not, the switch drops the ARP packet instead of forwarding it out of any interface, and logs the violation.


Example
In this example, we first enable DHCP snooping and ARP inspection on the switch for the VLAN (`ip dhcp snooping`, `ip dhcp snooping vlan 10` and `ip arp inspection vlan 10`). After DHCP snooping has recorded the PC's MAC address and IP address, we change the PC's IP address statically from 192.168.1.11 to 192.168.1.12, so that it no longer matches the DHCP snooping binding table. The output and log below show what happens.


Switch#sh ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:14:22:F9:B3:3D   192.168.1.11     86255       dhcp-snooping  10    FastEthernet0/7
Total number of bindings: 1

Switch#



After the PC's IP address is changed statically to 192.168.1.12, its ARP requests carry a sender IP address that does not match the entry in the DHCP snooping binding table, so they fail ARP inspection. The syslog reports this as DHCP_SNOOPING_DENY: the switch drops the ARP request, the PC cannot resolve its default gateway 192.168.1.1, and it loses connectivity.


Syslog message


20:35:05: ARP Packet (Fa0/7/10) Src: 0014.22f9.b33d, Dst: ffff.ffff.ffff, SM: 0014.22f9.b33d, SI: 192.168.1.12, TM: 0000.0000.0000, TI: 192.168.1.1
20:35:05: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/7, vlan 10.([0014.22f9.b33d/192.168.1.12/0000.0000.0000/192.168.1.1/20:35:05 UTC Mon Mar 1 1993])
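To make the decision behind the log above concrete, here is a small simulation of the DAI checks described earlier (trusted-port bypass, the optional src-mac, dst-mac and ip validations, and the DHCP snooping binding lookup). This is an added example, not code from the original post and not Cisco's implementation; the binding table and the first two ARP packets are constructed from the values in the post's output, while the trusted uplink port, the attacker MAC and the gateway MAC are assumed for illustration.

```python
"""Simulation of the Dynamic ARP Inspection (DAI) decision on a switch port.

Added example, not from the original post and not Cisco's own code. The binding
table and the first two packets mirror the post's `show ip dhcp snooping binding`
output and syslog; everything else is constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address


def norm_mac(mac: str) -> str:
    """Return a MAC in Cisco dotted form, e.g. '00:14:22:F9:B3:3D' -> '0014.22f9.b33d'."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class ArpPacket:
    interface: str
    vlan: int
    eth_src: str      # Ethernet header source MAC
    eth_dst: str      # Ethernet header destination MAC
    opcode: str       # "Req" or "Res", as in the syslog line
    sender_mac: str   # SM in the ARP body
    sender_ip: str    # SI
    target_mac: str   # TM
    target_ip: str    # TI


# Constructed binding table: the single entry from the post. Key: (vlan, mac) -> (ip, interface)
BINDINGS = {(10, norm_mac("00:14:22:F9:B3:3D")): ("192.168.1.11", "FastEthernet0/7")}
# Assumed uplink configured with `ip arp inspection trust`; not in the original post.
TRUSTED_PORTS = {"FastEthernet0/24"}


def _bad_ip(ip: str) -> bool:
    """Addresses the `validate ip` check rejects: 0.0.0.0, limited broadcast, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ip_address(ip).is_multicast


def inspect(pkt: ArpPacket, bindings=BINDINGS, trusted=TRUSTED_PORTS,
            validate=("src-mac", "dst-mac", "ip")):
    """Return (verdict, reason); verdict is 'PERMIT' or 'DENY'."""
    if pkt.interface in trusted:
        return "PERMIT", "trusted port, not inspected"
    sm, tm = norm_mac(pkt.sender_mac), norm_mac(pkt.target_mac)
    # Optional header/body consistency checks run before the binding lookup.
    if "src-mac" in validate and norm_mac(pkt.eth_src) != sm:
        return "DENY", "INVALID_SRC_MAC"
    if "dst-mac" in validate and pkt.opcode == "Res" and norm_mac(pkt.eth_dst) != tm:
        return "DENY", "INVALID_DST_MAC"
    if "ip" in validate and (_bad_ip(pkt.sender_ip) or
                             (pkt.opcode == "Res" and _bad_ip(pkt.target_ip))):
        return "DENY", "INVALID_IP"
    # Binding check: sender MAC/IP must match the DHCP snooping entry for this VLAN.
    entry = bindings.get((pkt.vlan, sm))
    if entry is None or entry[0] != pkt.sender_ip:
        return "DENY", "DHCP_SNOOPING_DENY"
    return "PERMIT", "binding matched"


def syslog_line(pkt: ArpPacket, reason: str, ts: str = "20:35:05") -> str:
    """Format a denial in the shape of the post's %SW_DAI-4-... syslog line."""
    short_if = pkt.interface.replace("FastEthernet", "Fa")
    return (f"%SW_DAI-4-{reason}: 1 Invalid ARPs ({pkt.opcode}) on {short_if}, vlan {pkt.vlan}."
            f"([{norm_mac(pkt.sender_mac)}/{pkt.sender_ip}/{norm_mac(pkt.target_mac)}/"
            f"{pkt.target_ip}/{ts}])")


# Constructed packets. LEGIT is the PC with its DHCP-assigned address; STATIC_IP is the
# same PC after its address was set statically to .12 (the packet in the post's log).
PC = "0014.22f9.b33d"
LEGIT = ArpPacket("FastEthernet0/7", 10, PC, "ffff.ffff.ffff", "Req",
                  PC, "192.168.1.11", "0000.0000.0000", "192.168.1.1")
STATIC_IP = ArpPacket("FastEthernet0/7", 10, PC, "ffff.ffff.ffff", "Req",
                      PC, "192.168.1.12", "0000.0000.0000", "192.168.1.1")
# Assumed attacker on another access port with no binding, replying "gateway is-at me".
ATTACKER, GATEWAY = "0050.56aa.bb01", "0000.0c07.ac01"   # both assumed for the example
SPOOF_REPLY = ArpPacket("FastEthernet0/8", 10, ATTACKER, PC, "Res",
                        ATTACKER, "192.168.1.1", PC, "192.168.1.11")
# Same attacker, but the ARP body claims the gateway's MAC while the frame comes from its NIC.
SRC_MAC_MISMATCH = ArpPacket("FastEthernet0/8", 10, ATTACKER, PC, "Res",
                             GATEWAY, "192.168.1.1", PC, "192.168.1.11")

if __name__ == "__main__":
    for name, pkt in [("legit", LEGIT), ("static-ip", STATIC_IP),
                      ("spoof-reply", SPOOF_REPLY), ("src-mac-mismatch", SRC_MAC_MISMATCH)]:
        verdict, reason = inspect(pkt)
        print(f"{name:17} {verdict:6} {reason}")
        if verdict == "DENY":
            print("   ", syslog_line(pkt, reason))
```

The binding check alone already stops both the statically re-addressed PC and the spoofed gateway reply, because neither sender MAC/IP pair exists in the table; the src-mac validation catches the case where the attacker forges only the ARP body, which the binding check on its own would let through if the forged pair happened to match a real binding.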





1 comment:

  1. Thank you for sharing. Your blog has given me that thing which I never expect to get from all over the websites. Nice post guys!


    Melbourne SEO Services
