Arp Security - Learning Module

Loading content...

0/240

Dynamic ARP Inspection: Enterprise-Grade ARP Security

The Definitive Defense Against ARP Attacks

Dynamic ARP Inspection (DAI) represents the gold standard for enterprise ARP security. Unlike static measures that require manual configuration of every IP-to-MAC binding, DAI automatically validates ARP packets against a trusted binding database built by DHCP Snooping.

DAI provides several critical capabilities:

Automatic Protection — No manual binding configuration for DHCP clients
Real-Time Validation — Every ARP packet inspected before forwarding
Flexible Trust Model — Trusted ports bypass inspection, untrusted ports are validated
Rate Limiting — Prevents ARP-based denial of service attacks
Comprehensive Logging — Full visibility into ARP activity and violations

When properly deployed, DAI makes ARP spoofing attacks effectively impossible on protected VLANs while maintaining network performance and minimizing operational overhead.

Learning Objectives

By mastering this page, you will understand: (1) DAI architecture and relationship to DHCP Snooping, (2) configuration for Cisco and other enterprise switches, (3) ARP Access Control Lists for static IP hosts, (4) rate limiting and DoS protection, (5) logging and monitoring, and (6) troubleshooting common deployment issues.

Deployment Prerequisite

DAI requires DHCP Snooping to be enabled and operational. Without the DHCP Snooping binding table, DAI has no source of legitimate IP-to-MAC mappings. Enable and verify DHCP Snooping before configuring DAI. For static IP hosts, you must configure ARP ACLs or manually add binding entries.

DAI Architecture

DAI integrates with DHCP Snooping to create a comprehensive Layer 2 security architecture. Understanding this architecture is essential for proper deployment.

Component Relationships:

DHCP Snooping builds the binding database
DAI uses this database to validate ARP packets
Port Security (optional) limits MAC addresses per port
IP Source Guard (optional) extends protection to IP packets

Data Flow Through DAI:

Converting Mermaid diagram...

DAI Validation Process (Step by Step):

Step 1: Port Classification

ARP packet arrives on switch port
Switch checks if port is trusted or untrusted
Trusted ports: ARP packets forwarded without inspection
Untrusted ports: proceed to validation

Step 2: Rate Limit Check

Before validation, rate limit is checked
Default: 15 ARP packets per second on untrusted ports
If exceeded: port error-disabled, packet dropped
If within limit: proceed to binding check

Step 3: DHCP Snooping Binding Check

Extract Source MAC and Source IP from ARP packet
Query DHCP Snooping binding table
If match found: packet is legitimate, forward
If no match: check ARP ACLs

Step 4: ARP ACL Check

For packets not matching DHCP bindings
Check against manually configured ARP ACLs
Used for static IP hosts not in binding table
If match found: forward
If no match: drop and log violation

Step 5: Logging and Statistics

All violations logged (configurable verbosity)
Statistics maintained for monitoring
Optional SNMP traps for real-time alerting

DAI Validation Checks
Check	What's Validated	Failure Action
Source MAC Binding	Sender MAC matches binding for Sender IP	Drop packet
Destination MAC (optional)	Target MAC matches binding for Target IP	Drop packet
IP Address (optional)	Valid IP addresses (not 0.0.0.0, etc.)	Drop packet
Rate Limit	ARP rate within configured limit	Error-disable port

Optional Validation Checks

By default, DAI only validates the source MAC-to-IP binding. Additional checks (destination MAC, IP address validation) can be enabled for stricter validation but may cause issues in some network configurations. Enable additional checks only after testing in your environment.

DAI Configuration

Configuring DAI requires careful planning to avoid network disruption. Follow these steps for safe deployment.

Pre-Configuration Checklist:

✓ DHCP Snooping enabled and binding table populated
✓ Static IP hosts identified and ARP ACLs prepared
✓ Trusted ports identified (uplinks, DHCP server, routers)
✓ Change window scheduled for potential issues
✓ Rollback plan documented

Configuration Sequence:

dai_configuration.ios

! ================================================
! Complete DAI Configuration Example (Cisco IOS)
! ================================================
 
! Prerequisites: Verify DHCP Snooping is enabled and working
show ip dhcp snooping
show ip dhcp snooping binding
 
! ================================================
! Step 1: Enable DAI on VLANs
! ================================================
 
! Enable DAI for specific VLANs
ip arp inspection vlan 10,20,30
 
! Enable for VLAN range
ip arp inspection vlan 10-100
 
! ================================================
! Step 2: Configure Trusted Ports
! ================================================
 
! Uplinks to other switches/routers should be trusted
interface GigabitEthernet0/1
  description Uplink to Core Switch
  ip arp inspection trust
 
interface GigabitEthernet0/2
  description Uplink to Router
  ip arp inspection trust
 
! DHCP server connection should be trusted
interface GigabitEthernet0/3
  description DHCP Server
  ip arp inspection trust
 
! ================================================
! Step 3: Configure Rate Limiting (Important!)
! ================================================
 
! Set reasonable rate limits on untrusted ports
! Default is 15 pps - may need adjustment
 
! Set rate limit on specific interface
interface GigabitEthernet0/10
  description User Access Port
  ip arp inspection limit rate 20
 
! Set for range of interfaces
interface range GigabitEthernet0/10 - 48
  ip arp inspection limit rate 25
 
! Set burst interval (optional)
interface GigabitEthernet0/10
  ip arp inspection limit rate 30 burst interval 2
 
! ================================================
! Step 4: Configure Additional Validation (Optional)
! ================================================
 
! Enable additional validation checks
! These are optional but increase security
 
! Validate Source MAC in Ethernet header matches ARP body
ip arp inspection validate src-mac
 
! Validate Destination MAC in Ethernet header matches ARP body
ip arp inspection validate dst-mac
 
! Validate IP address fields
ip arp inspection validate ip
 
! Enable all validations at once
ip arp inspection validate src-mac dst-mac ip
 
! ================================================
! Step 5: Configure Logging
! ================================================
 
! Default: Log all dropped packets
! Can configure log buffer and rate
 
! Set log buffer entries
ip arp inspection log-buffer entries 1024
 
! Set logging rate
ip arp inspection log-buffer logs 10 interval 5
 
! Enable VLAN-level logging
ip arp inspection vlan 10 logging acl-match none
ip arp inspection vlan 10 logging dhcp-bindings permit
 
! ================================================
! Step 6: Error Recovery Configuration
! ================================================
 
! Enable automatic recovery from error-disabled state
errdisable recovery cause arp-inspection
errdisable recovery interval 300  ! 5 minutes
 
! ================================================
! Verification Commands
! ================================================
 
! Verify DAI status
show ip arp inspection
 
! Verify per-VLAN status
show ip arp inspection vlan 10
 
! View DAI statistics
show ip arp inspection statistics
 
! View interfaces
show ip arp inspection interfaces
 
! View log buffer
show ip arp inspection log
 
! ================================================
! Example DAI Status Output
! ================================================
! Source MAC Validation      : Enabled
! Destination MAC Validation : Enabled  
! IP Address Validation      : Enabled
!
! Vlan     Configuration    Operation   ACL Match          Static ACL
! ----     -------------    ---------   ---------          ----------
!   10     Enabled          Active      None               None
!   20     Enabled          Active      None               None
 
! ================================================
! Troubleshooting: View dropping stats
! ================================================
show ip arp inspection statistics vlan 10
 
! Look for:
! - Forwarded, Dropped, DHCP Drops, ACL Drops
! - High drop counts may indicate attack OR misconfiguration

Rate Limit Tuning Critical

The default rate limit of 15 pps is appropriate for typical workstations but may be too low for servers or virtualized environments with many VMs. Monitor for error-disabled ports after deployment and adjust rate limits accordingly. Too high allows DoS attacks; too low causes legitimate traffic interruption.

ARP Access Control Lists (ARP ACLs)

Hosts with static IP addresses don't appear in the DHCP Snooping binding table, so DAI would block their ARP packets by default. ARP Access Control Lists provide a way to explicitly permit these hosts.

When ARP ACLs Are Needed:

Servers with static IP addresses
Network infrastructure devices
Printers and other devices not using DHCP
Any device with manually configured IP

ARP ACL Processing:

DAI checks DHCP Snooping binding table first
If no match, DAI checks ARP ACLs
ARP ACL can permit or deny based on IP-to-MAC mapping
If neither matches, packet is dropped

arp_acl_config.ios

Cisco IOS

! ================================================
! ARP Access Control List Configuration
! ================================================
 
! Create ARP ACL for static IP hosts
arp access-list STATIC-SERVERS
  ! Format: permit ip host <ip> mac host <mac>
  
  ! Web Server
  permit ip host 192.168.10.10 mac host 0000.1111.2222
  
  ! Database Server
  permit ip host 192.168.10.11 mac host 0000.1111.3333
  
  ! File Server
  permit ip host 192.168.10.12 mac host 0000.1111.4444
  
  ! Print Server
  permit ip host 192.168.10.20 mac host 0000.2222.1111
  
  ! Domain Controller
  permit ip host 192.168.10.5 mac host 0000.3333.1111
  
  ! DNS Server
  permit ip host 192.168.10.2 mac host 0000.3333.2222
  
  ! Gateway (if needed)
  permit ip host 192.168.10.1 mac host 0000.4444.1111
 
! Apply ARP ACL to VLAN
! Note: static keyword determines behavior if no match
ip arp inspection filter STATIC-SERVERS vlan 10
 
! With 'static' keyword: Only ARP ACL is checked (DHCP bindings ignored)
ip arp inspection filter STATIC-SERVERS vlan 10 static
 
! Without 'static': ACL checked first, then DHCP bindings
! This is useful when you have both static and DHCP hosts
 
! ================================================
! Multiple VLANs with Different ACLs
! ================================================
 
arp access-list SERVER-VLAN-HOSTS
  permit ip host 10.10.10.10 mac host aaaa.bbbb.cccc
  permit ip host 10.10.10.11 mac host aaaa.bbbb.dddd
 
arp access-list MANAGEMENT-HOSTS
  permit ip host 10.20.20.1 mac host cccc.dddd.eeee
  permit ip host 10.20.20.2 mac host cccc.dddd.ffff
 
ip arp inspection filter SERVER-VLAN-HOSTS vlan 100
ip arp inspection filter MANAGEMENT-HOSTS vlan 200
 
! ================================================
! Using IP and MAC Ranges (Advanced)
! ================================================
 
arp access-list PRINTER-RANGE
  ! Permit a range of printer IPs with corresponding MACs
  permit ip host 192.168.10.30 mac host 0011.2233.4401
  permit ip host 192.168.10.31 mac host 0011.2233.4402
  permit ip host 192.168.10.32 mac host 0011.2233.4403
  ! For true range, need individual entries
 
! ================================================
! Verification
! ================================================
 
! Show configured ARP ACLs
show arp access-list
 
! Show which ACLs are applied to which VLANs
show ip arp inspection
 
! Detailed per-VLAN
show ip arp inspection vlan 10
 
! ================================================
! Common Mistake: Forgetting DHCP Hosts
! ================================================
 
! If you use 'static' keyword, DHCP clients won't work!
! Only use 'static' on VLANs where ALL hosts are static.
 
! Bad (DHCP clients will be blocked):
ip arp inspection filter SERVERS vlan 10 static
 
! Good (both ACL and DHCP bindings checked):
ip arp inspection filter SERVERS vlan 10
 
! ================================================
! Maintaining ARP ACLs at Scale
! ================================================
 
! For large deployments, generate ACLs from CMDB/IPAM
! Example: Script to generate Cisco config from CSV
 
! Input CSV: ip,mac,description
! 192.168.10.10,0000.1111.2222,Web Server
! 192.168.10.11,0000.1111.3333,Database Server
 
! Generated config would be:
! arp access-list STATIC-SERVERS
!   permit ip host 192.168.10.10 mac host 0000.1111.2222
!   permit ip host 192.168.10.11 mac host 0000.1111.3333

ARP ACL Best Practices

•Document all static IP assignments
•Verify MAC addresses before adding
•Use descriptive ACL names
•Audit ACLs periodically
•Automate from IPAM database

Common ARP ACL Mistakes

•Typos in MAC addresses
•Using 'static' with DHCP hosts
•Forgetting to update after NIC replacement
•Wrong VLAN assignment
•Missing entries for new servers

Automation Recommendation

For environments with many static IP hosts, manually maintaining ARP ACLs is error-prone. Integrate with your IP Address Management (IPAM) system to automatically generate ARP ACL configurations. When a server is provisioned with a static IP, the ACL entry should be generated automatically.

Rate Limiting and DoS Protection

DAI's rate limiting feature prevents ARP-based denial of service attacks. An attacker flooding ARP packets could overwhelm the switch's CPU (which must inspect each packet) or the network itself. Rate limiting bounds the impact.

Rate Limiting Mechanics:

Configured per-interface on untrusted ports
Measured in ARP packets per second
Exceeding the limit error-disables the port
Protects switch CPU and network

Default Values and Recommendations:

DAI Rate Limit Recommendations
Environment	Recommended Limit	Burst Interval	Rationale
User workstation	15-25 pps	1 second	Normal user generates few ARPs
Power user/Developer	30-50 pps	1 second	More active network usage
Server (non-virtualized)	50-100 pps	1 second	Multiple services may generate ARPs
Virtualized host	100-500 pps	1 second	Many VMs sharing single physical port
Network infrastructure	Trust port	N/A	Don't rate limit trusted ports

rate_limit_config.ios

Cisco IOS

! ================================================
! DAI Rate Limiting Configuration
! ================================================
 
! Basic rate limit (packets per second)
interface GigabitEthernet0/10
  ip arp inspection limit rate 20
 
! Rate limit with burst (higher temporary rate allowed)
interface GigabitEthernet0/11
  ip arp inspection limit rate 20 burst interval 3
  ! Allows 60 packets over 3 seconds (average 20 pps)
 
! No rate limit (effectively unlimited - use with caution)
interface GigabitEthernet0/12
  ip arp inspection limit rate none
  ! WARNING: Only use for known high-ARP hosts
 
! ================================================
! Rate Limits for Different Port Types
! ================================================
 
! Standard user ports
interface range GigabitEthernet0/1 - 24
  ip arp inspection limit rate 25
 
! Server ports (non-virtualized)
interface range GigabitEthernet0/25 - 36
  ip arp inspection limit rate 100
 
! Virtualization host ports (many VMs)
interface range GigabitEthernet0/37 - 48
  ip arp inspection limit rate 500 burst interval 1
 
! ================================================
! Error Recovery Configuration
! ================================================
 
! Enable automatic recovery from rate limit violations
errdisable recovery cause arp-inspection
errdisable recovery interval 300  ! 300 seconds = 5 minutes
 
! Show error-disabled status
show interfaces status err-disabled
 
! Manual recovery
interface GigabitEthernet0/10
  shutdown
  no shutdown
 
! ================================================
! Monitoring Rate Limit Violations
! ================================================
 
! View DAI statistics including rate violations
show ip arp inspection statistics
 
! Example output:
! Vlan   Forwarded    Dropped   DHCP Drops   ACL Drops   Rate Limit
! ----   ----------   -------   ----------   ---------   ----------
!   10         1523        15            0          15            0
!   20          847         0            0           0            0
 
! Non-zero "Rate Limit" indicates violations
 
! ================================================
! Tuning Approach
! ================================================
! 
! 1. Start with conservative limits (15-20 pps)
! 2. Monitor for err-disabled ports
! 3. Check legitimate ARP rates:
!    show ip arp inspection interfaces
! 4. Increase limits for ports with violations
! 5. Document exceptions and justification

VoIP Phones May Generate High ARP

VoIP phones connecting through switches to PCs may generate more ARP traffic than expected. If using inline power and phone data ports, ensure rate limits account for both the phone and the connected PC. Monitor VoIP deployments closely after DAI enablement.

Understanding Burst Intervals:

The burst interval allows temporary spikes above the rate limit:

ip arp inspection limit rate 20 burst interval 3

Rate: 20 packets per second
Burst interval: 3 seconds
Effective limit: 60 packets over 3 seconds
Behavior: Port can send 60 packets in the first second if needed, but must average ≤20 pps over 3 seconds

When to Use Burst:

Boot storms (devices starting up need many ARPs quickly)
VLAN changes (moving to new network triggers ARP)
Network re-convergence after outage

Logging and Monitoring

Effective DAI deployment requires comprehensive logging and monitoring. Logs help identify attacks, troubleshoot issues, and verify protection is working.

DAI Log Information:

DAI logs the following information for dropped packets:

Source MAC and IP from ARP packet
Destination MAC and IP from ARP packet
Interface where packet was received
VLAN
Reason for drop (binding mismatch, ACL deny, rate limit)

Logging Configuration:

dai_logging.ios

Cisco IOS

! ================================================
! DAI Logging Configuration
! ================================================
 
! Configure log buffer size (number of entries)
ip arp inspection log-buffer entries 1024
 
! Configure logging rate (entries per interval)
ip arp inspection log-buffer logs 10 interval 60
! Generates max 10 log entries per 60 seconds
 
! ================================================
! Per-VLAN Logging Options
! ================================================
 
! Log packets dropped due to ACL
ip arp inspection vlan 10 logging acl-match
! Options: matchlog, none
 
! Log packets matching DHCP bindings (permits)
ip arp inspection vlan 10 logging dhcp-bindings permit
 
! ================================================
! View DAI Logs
! ================================================
 
! Show log buffer
show ip arp inspection log
 
! Example output:
! Total Log Buffer Size : 1024
! 
! Syslog rate : 10 entries per 60 seconds.
! 
! Interface         Vlan   Sender MAC        Sender IP       Target MAC       Target IP
! ---------         ----   ------------      ----------      ------------     ---------  
! Gi0/10             10    0000.1111.2222    192.168.10.99   0000.0000.0000   192.168.10.1
!   Dropped by ARP ACL: STATIC-SERVERS
!   00:15:32 UTC Jan 15 2024
! 
! Gi0/15             10    0000.aaaa.bbbb    192.168.10.50   0000.0000.0000   192.168.10.1
!   Dropped by DHCP Snooping binding
!   00:16:45 UTC Jan 15 2024
 
! ================================================
! Syslog Integration
! ================================================
 
! DAI generates syslog messages automatically
! Configure syslog server
logging host 10.10.10.100
logging trap informational
 
! Example syslog messages:
! %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/10, 
!   vlan 10.([0000.1111.2222/192.168.10.99/0000.0000.0000/192.168.10.1])
 
! ================================================
! SNMP Notifications
! ================================================
 
! Enable SNMP traps for DAI
snmp-server enable traps arp-inspection
 
! Configure SNMP server
snmp-server host 10.10.10.101 version 2c public
 
! ================================================
! Monitoring Script Example (for SIEM)
! ================================================
 
! Parse syslog for this pattern:
! %SW_DAI-4-DHCP_SNOOPING_DENY
! 
! Extract:
! - Interface (Gi0/10)
! - VLAN (10)
! - Source MAC (0000.1111.2222)
! - Source IP (192.168.10.99)
! - Timestamp
!
! Alert if:
! - Same source MAC with multiple source IPs (spoofing)
! - High volume from single port (attack in progress)
! - Critical IPs appearing in drops (misconfiguration)

SIEM Integration for DAI Alerts:

For enterprise environments, integrate DAI logs with your Security Information and Event Management (SIEM) system:

Alert Conditions:

Multiple drops from same source — Likely attack in progress
Drops for gateway IP — Someone attempting gateway impersonation
Drops after hours — Reconnaissance activity
New MAC appearing for known IP — Possible spoofing
Rate limit violations — DoS attempt or misconfigured device

Correlation with Other Events:

Combine DAI drops with failed authentication attempts
Cross-reference with network flow data
Correlate with endpoint detection events

Dashboard Recommendation

Create a real-time dashboard showing DAI statistics across all switches. Key metrics: drops per VLAN, rate limit violations, top dropped source MACs/IPs, and trend over time. This provides instant visibility into both attacks and misconfigurations.

Troubleshooting DAI Issues

DAI deployment often encounters issues. Knowing how to quickly diagnose and resolve problems minimizes network disruption.

Common Issues and Solutions:

Symptom: Host loses network connectivity after DAI enabled

Diagnosis:

! Check if DAI is dropping packets
show ip arp inspection statistics vlan 10

! Look for the host in binding table
show ip dhcp snooping binding | include <IP>

! Check DAI log for drops
show ip arp inspection log

Common Causes:

Static IP host not in ARP ACL

Solution: Add to ARP ACL

arp access-list STATIC-HOSTS
  permit ip host 192.168.10.50 mac host 0000.1234.5678
ip arp inspection filter STATIC-HOSTS vlan 10

DHCP binding not in table
- May occur if DHCP Snooping enabled after host got IP
- Solution: Have host renew DHCP lease
```
! On host: ipconfig /release then /renew
```

Port is error-disabled

show interfaces status err-disabled
! If error-disabled, check if rate limit was exceeded
! Recover:
interface Gi0/10
  shutdown
  no shutdown

Wrong VLAN in ARP ACL filter
- Check ACL is applied to correct VLAN
```
show ip arp inspection
```

dai_troubleshooting.ios

Cisco IOS

! ================================================
! Complete DAI Troubleshooting Command Reference
! ================================================
 
! Overall DAI status
show ip arp inspection
 
! Per-VLAN DAI status
show ip arp inspection vlan 10,20,30
 
! DAI statistics (drops, forwards, etc.)
show ip arp inspection statistics
show ip arp inspection statistics vlan 10
 
! Interface configuration and rate limits
show ip arp inspection interfaces
 
! DAI log buffer (dropped packets)
show ip arp inspection log
 
! DHCP Snooping binding table
show ip dhcp snooping binding
show ip dhcp snooping binding vlan 10
show ip dhcp snooping binding interface Gi0/10
 
! ARP ACL configuration
show arp access-list
 
! Error-disabled ports
show interfaces status err-disabled
 
! Clear DAI statistics
clear ip arp inspection statistics
 
! Clear DAI log
clear ip arp inspection log
 
! Debug DAI (use with caution - CPU intensive)
debug arp inspection
 
! ================================================
! Verification Checklist After Enabling DAI
! ================================================
 
! 1. Verify DAI is active on expected VLANs
show ip arp inspection | include Active
 
! 2. Verify trusted ports are correct
show ip arp inspection interfaces | include Trust
 
! 3. Verify DHCP bindings exist
show ip dhcp snooping binding | count
 
! 4. Verify ARP ACLs are applied
show running-config | include ip arp inspection filter
 
! 5. Check for drops (should be zero initially)
show ip arp inspection statistics | include Dropped
 
! 6. Check for error-disabled ports
show interfaces status err-disabled

Summary: Dynamic ARP Inspection

Dynamic ARP Inspection provides comprehensive, automated protection against ARP spoofing attacks. When properly deployed with DHCP Snooping and ARP ACLs, DAI makes ARP-based attacks effectively impossible on protected VLANs.

Key Implementation Points:

Key Takeaways

•DAI requires DHCP Snooping — Enable and verify DHCP Snooping first. The binding table is DAI's source of truth for DHCP hosts.
•Configure ARP ACLs for static IPs — Hosts not using DHCP won't be in the binding table. Create explicit ACL entries to permit them.
•Tune rate limits for your environment — Default 15 pps is conservative. Virtualized hosts and servers need higher limits.
•Configure error recovery — Enable errdisable recovery to automatically restore ports that hit rate limits.
•Integrate logging with SIEM — DAI logs are security-relevant. Forward to your SIEM for correlation and alerting.
•Test before production deployment — DAI misconfigurations cause outages. Test in lab environment first.

Complete Security Architecture:

For maximum Layer 2 security, deploy all related controls:

Control	Purpose
DHCP Snooping	Block rogue DHCP, build binding table
DAI	Validate ARP against bindings
IP Source Guard	Validate IP packets against bindings
Port Security	Limit MAC addresses per port
802.1X	Authenticate devices before network access
Private VLANs	Isolate hosts within VLANs

This comprehensive approach addresses the full spectrum of Layer 2 attack vectors.

Module Complete

You have completed the ARP Security module. You now understand: (1) ARP spoofing attack mechanics, (2) cache poisoning techniques, (3) MITM attack capabilities, (4) defensive measures including static ARP, VLANs, and port security, and (5) enterprise-grade Dynamic ARP Inspection. This knowledge enables you to protect networks against one of the most fundamental and dangerous Layer 2 attack categories.

Dynamic ARP Inspection: Enterprise-Grade ARP Security

The Definitive Defense Against ARP Attacks

DAI provides several critical capabilities:

Automatic Protection — No manual binding configuration for DHCP clients
Real-Time Validation — Every ARP packet inspected before forwarding
Flexible Trust Model — Trusted ports bypass inspection, untrusted ports are validated
Rate Limiting — Prevents ARP-based denial of service attacks
Comprehensive Logging — Full visibility into ARP activity and violations

When properly deployed, DAI makes ARP spoofing attacks effectively impossible on protected VLANs while maintaining network performance and minimizing operational overhead.

Learning Objectives

Deployment Prerequisite

DAI Architecture

DAI integrates with DHCP Snooping to create a comprehensive Layer 2 security architecture. Understanding this architecture is essential for proper deployment.

Component Relationships:

DHCP Snooping builds the binding database
DAI uses this database to validate ARP packets
Port Security (optional) limits MAC addresses per port
IP Source Guard (optional) extends protection to IP packets

Data Flow Through DAI:

Converting Mermaid diagram...

DAI Validation Process (Step by Step):

Step 1: Port Classification

ARP packet arrives on switch port
Switch checks if port is trusted or untrusted
Trusted ports: ARP packets forwarded without inspection
Untrusted ports: proceed to validation

Step 2: Rate Limit Check

Before validation, rate limit is checked
Default: 15 ARP packets per second on untrusted ports
If exceeded: port error-disabled, packet dropped
If within limit: proceed to binding check

Step 3: DHCP Snooping Binding Check

Extract Source MAC and Source IP from ARP packet
Query DHCP Snooping binding table
If match found: packet is legitimate, forward
If no match: check ARP ACLs

Step 4: ARP ACL Check

For packets not matching DHCP bindings
Check against manually configured ARP ACLs
Used for static IP hosts not in binding table
If match found: forward
If no match: drop and log violation

Step 5: Logging and Statistics

All violations logged (configurable verbosity)
Statistics maintained for monitoring
Optional SNMP traps for real-time alerting

DAI Validation Checks
Check	What's Validated	Failure Action
Source MAC Binding	Sender MAC matches binding for Sender IP	Drop packet
Destination MAC (optional)	Target MAC matches binding for Target IP	Drop packet
IP Address (optional)	Valid IP addresses (not 0.0.0.0, etc.)	Drop packet
Rate Limit	ARP rate within configured limit	Error-disable port

Optional Validation Checks

DAI Configuration

Configuring DAI requires careful planning to avoid network disruption. Follow these steps for safe deployment.

Pre-Configuration Checklist:

✓ DHCP Snooping enabled and binding table populated
✓ Static IP hosts identified and ARP ACLs prepared
✓ Trusted ports identified (uplinks, DHCP server, routers)
✓ Change window scheduled for potential issues
✓ Rollback plan documented

Configuration Sequence:

dai_configuration.ios

! ================================================
! Complete DAI Configuration Example (Cisco IOS)
! ================================================
 
! Prerequisites: Verify DHCP Snooping is enabled and working
show ip dhcp snooping
show ip dhcp snooping binding
 
! ================================================
! Step 1: Enable DAI on VLANs
! ================================================
 
! Enable DAI for specific VLANs
ip arp inspection vlan 10,20,30
 
! Enable for VLAN range
ip arp inspection vlan 10-100
 
! ================================================
! Step 2: Configure Trusted Ports
! ================================================
 
! Uplinks to other switches/routers should be trusted
interface GigabitEthernet0/1
  description Uplink to Core Switch
  ip arp inspection trust
 
interface GigabitEthernet0/2
  description Uplink to Router
  ip arp inspection trust
 
! DHCP server connection should be trusted
interface GigabitEthernet0/3
  description DHCP Server
  ip arp inspection trust
 
! ================================================
! Step 3: Configure Rate Limiting (Important!)
! ================================================
 
! Set reasonable rate limits on untrusted ports
! Default is 15 pps - may need adjustment
 
! Set rate limit on specific interface
interface GigabitEthernet0/10
  description User Access Port
  ip arp inspection limit rate 20
 
! Set for range of interfaces
interface range GigabitEthernet0/10 - 48
  ip arp inspection limit rate 25
 
! Set burst interval (optional)
interface GigabitEthernet0/10
  ip arp inspection limit rate 30 burst interval 2
 
! ================================================
! Step 4: Configure Additional Validation (Optional)
! ================================================
 
! Enable additional validation checks
! These are optional but increase security
 
! Validate Source MAC in Ethernet header matches ARP body
ip arp inspection validate src-mac
 
! Validate Destination MAC in Ethernet header matches ARP body
ip arp inspection validate dst-mac
 
! Validate IP address fields
ip arp inspection validate ip
 
! Enable all validations at once
ip arp inspection validate src-mac dst-mac ip
 
! ================================================
! Step 5: Configure Logging
! ================================================
 
! Default: Log all dropped packets
! Can configure log buffer and rate
 
! Set log buffer entries
ip arp inspection log-buffer entries 1024
 
! Set logging rate
ip arp inspection log-buffer logs 10 interval 5
 
! Enable VLAN-level logging
ip arp inspection vlan 10 logging acl-match none
ip arp inspection vlan 10 logging dhcp-bindings permit
 
! ================================================
! Step 6: Error Recovery Configuration
! ================================================
 
! Enable automatic recovery from error-disabled state
errdisable recovery cause arp-inspection
errdisable recovery interval 300  ! 5 minutes
 
! ================================================
! Verification Commands
! ================================================
 
! Verify DAI status
show ip arp inspection
 
! Verify per-VLAN status
show ip arp inspection vlan 10
 
! View DAI statistics
show ip arp inspection statistics
 
! View interfaces
show ip arp inspection interfaces
 
! View log buffer
show ip arp inspection log
 
! ================================================
! Example DAI Status Output
! ================================================
! Source MAC Validation      : Enabled
! Destination MAC Validation : Enabled  
! IP Address Validation      : Enabled
!
! Vlan     Configuration    Operation   ACL Match          Static ACL
! ----     -------------    ---------   ---------          ----------
!   10     Enabled          Active      None               None
!   20     Enabled          Active      None               None
 
! ================================================
! Troubleshooting: View dropping stats
! ================================================
show ip arp inspection statistics vlan 10
 
! Look for:
! - Forwarded, Dropped, DHCP Drops, ACL Drops
! - High drop counts may indicate attack OR misconfiguration

Rate Limit Tuning Critical

ARP Access Control Lists (ARP ACLs)

When ARP ACLs Are Needed:

Servers with static IP addresses
Network infrastructure devices
Printers and other devices not using DHCP
Any device with manually configured IP

ARP ACL Processing:

DAI checks DHCP Snooping binding table first
If no match, DAI checks ARP ACLs
ARP ACL can permit or deny based on IP-to-MAC mapping
If neither matches, packet is dropped

arp_acl_config.ios

Cisco IOS

! ================================================
! ARP Access Control List Configuration
! ================================================
 
! Create ARP ACL for static IP hosts
arp access-list STATIC-SERVERS
  ! Format: permit ip host <ip> mac host <mac>
  
  ! Web Server
  permit ip host 192.168.10.10 mac host 0000.1111.2222
  
  ! Database Server
  permit ip host 192.168.10.11 mac host 0000.1111.3333
  
  ! File Server
  permit ip host 192.168.10.12 mac host 0000.1111.4444
  
  ! Print Server
  permit ip host 192.168.10.20 mac host 0000.2222.1111
  
  ! Domain Controller
  permit ip host 192.168.10.5 mac host 0000.3333.1111
  
  ! DNS Server
  permit ip host 192.168.10.2 mac host 0000.3333.2222
  
  ! Gateway (if needed)
  permit ip host 192.168.10.1 mac host 0000.4444.1111
 
! Apply ARP ACL to VLAN
! Note: static keyword determines behavior if no match
ip arp inspection filter STATIC-SERVERS vlan 10
 
! With 'static' keyword: Only ARP ACL is checked (DHCP bindings ignored)
ip arp inspection filter STATIC-SERVERS vlan 10 static
 
! Without 'static': ACL checked first, then DHCP bindings
! This is useful when you have both static and DHCP hosts
 
! ================================================
! Multiple VLANs with Different ACLs
! ================================================
 
arp access-list SERVER-VLAN-HOSTS
  permit ip host 10.10.10.10 mac host aaaa.bbbb.cccc
  permit ip host 10.10.10.11 mac host aaaa.bbbb.dddd
 
arp access-list MANAGEMENT-HOSTS
  permit ip host 10.20.20.1 mac host cccc.dddd.eeee
  permit ip host 10.20.20.2 mac host cccc.dddd.ffff
 
ip arp inspection filter SERVER-VLAN-HOSTS vlan 100
ip arp inspection filter MANAGEMENT-HOSTS vlan 200
 
! ================================================
! Using IP and MAC Ranges (Advanced)
! ================================================
 
arp access-list PRINTER-RANGE
  ! Permit a range of printer IPs with corresponding MACs
  permit ip host 192.168.10.30 mac host 0011.2233.4401
  permit ip host 192.168.10.31 mac host 0011.2233.4402
  permit ip host 192.168.10.32 mac host 0011.2233.4403
  ! For true range, need individual entries
 
! ================================================
! Verification
! ================================================
 
! Show configured ARP ACLs
show arp access-list
 
! Show which ACLs are applied to which VLANs
show ip arp inspection
 
! Detailed per-VLAN
show ip arp inspection vlan 10
 
! ================================================
! Common Mistake: Forgetting DHCP Hosts
! ================================================
 
! If you use 'static' keyword, DHCP clients won't work!
! Only use 'static' on VLANs where ALL hosts are static.
 
! Bad (DHCP clients will be blocked):
ip arp inspection filter SERVERS vlan 10 static
 
! Good (both ACL and DHCP bindings checked):
ip arp inspection filter SERVERS vlan 10
 
! ================================================
! Maintaining ARP ACLs at Scale
! ================================================
 
! For large deployments, generate ACLs from CMDB/IPAM
! Example: Script to generate Cisco config from CSV
 
! Input CSV: ip,mac,description
! 192.168.10.10,0000.1111.2222,Web Server
! 192.168.10.11,0000.1111.3333,Database Server
 
! Generated config would be:
! arp access-list STATIC-SERVERS
!   permit ip host 192.168.10.10 mac host 0000.1111.2222
!   permit ip host 192.168.10.11 mac host 0000.1111.3333

ARP ACL Best Practices

•Document all static IP assignments
•Verify MAC addresses before adding
•Use descriptive ACL names
•Audit ACLs periodically
•Automate from IPAM database

Common ARP ACL Mistakes

•Typos in MAC addresses
•Using 'static' with DHCP hosts
•Forgetting to update after NIC replacement
•Wrong VLAN assignment
•Missing entries for new servers

Automation Recommendation

Rate Limiting and DoS Protection

Rate Limiting Mechanics:

Configured per-interface on untrusted ports
Measured in ARP packets per second
Exceeding the limit error-disables the port
Protects switch CPU and network

Default Values and Recommendations:

DAI Rate Limit Recommendations
Environment	Recommended Limit	Burst Interval	Rationale
User workstation	15-25 pps	1 second	Normal user generates few ARPs
Power user/Developer	30-50 pps	1 second	More active network usage
Server (non-virtualized)	50-100 pps	1 second	Multiple services may generate ARPs
Virtualized host	100-500 pps	1 second	Many VMs sharing single physical port
Network infrastructure	Trust port	N/A	Don't rate limit trusted ports

rate_limit_config.ios

Cisco IOS

! ================================================
! DAI Rate Limiting Configuration
! ================================================
 
! Basic rate limit (packets per second)
interface GigabitEthernet0/10
  ip arp inspection limit rate 20
 
! Rate limit with burst (higher temporary rate allowed)
interface GigabitEthernet0/11
  ip arp inspection limit rate 20 burst interval 3
  ! Allows 60 packets over 3 seconds (average 20 pps)
 
! No rate limit (effectively unlimited - use with caution)
interface GigabitEthernet0/12
  ip arp inspection limit rate none
  ! WARNING: Only use for known high-ARP hosts
 
! ================================================
! Rate Limits for Different Port Types
! ================================================
 
! Standard user ports
interface range GigabitEthernet0/1 - 24
  ip arp inspection limit rate 25
 
! Server ports (non-virtualized)
interface range GigabitEthernet0/25 - 36
  ip arp inspection limit rate 100
 
! Virtualization host ports (many VMs)
interface range GigabitEthernet0/37 - 48
  ip arp inspection limit rate 500 burst interval 1
 
! ================================================
! Error Recovery Configuration
! ================================================
 
! Enable automatic recovery from rate limit violations
errdisable recovery cause arp-inspection
errdisable recovery interval 300  ! 300 seconds = 5 minutes
 
! Show error-disabled status
show interfaces status err-disabled
 
! Manual recovery
interface GigabitEthernet0/10
  shutdown
  no shutdown
 
! ================================================
! Monitoring Rate Limit Violations
! ================================================
 
! View DAI statistics including rate violations
show ip arp inspection statistics
 
! Example output:
! Vlan   Forwarded    Dropped   DHCP Drops   ACL Drops   Rate Limit
! ----   ----------   -------   ----------   ---------   ----------
!   10         1523        15            0          15            0
!   20          847         0            0           0            0
 
! Non-zero "Rate Limit" indicates violations
 
! ================================================
! Tuning Approach
! ================================================
! 
! 1. Start with conservative limits (15-20 pps)
! 2. Monitor for err-disabled ports
! 3. Check legitimate ARP rates:
!    show ip arp inspection interfaces
! 4. Increase limits for ports with violations
! 5. Document exceptions and justification

VoIP Phones May Generate High ARP

Understanding Burst Intervals:

The burst interval allows temporary spikes above the rate limit:

ip arp inspection limit rate 20 burst interval 3

Rate: 20 packets per second
Burst interval: 3 seconds
Effective limit: 60 packets over 3 seconds
Behavior: Port can send 60 packets in the first second if needed, but must average ≤20 pps over 3 seconds

When to Use Burst:

Boot storms (devices starting up need many ARPs quickly)
VLAN changes (moving to new network triggers ARP)
Network re-convergence after outage

Logging and Monitoring

Effective DAI deployment requires comprehensive logging and monitoring. Logs help identify attacks, troubleshoot issues, and verify protection is working.

DAI Log Information:

DAI logs the following information for dropped packets:

Source MAC and IP from ARP packet
Destination MAC and IP from ARP packet
Interface where packet was received
VLAN
Reason for drop (binding mismatch, ACL deny, rate limit)

Logging Configuration:

dai_logging.ios

Cisco IOS

! ================================================
! DAI Logging Configuration
! ================================================
 
! Configure log buffer size (number of entries)
ip arp inspection log-buffer entries 1024
 
! Configure logging rate (entries per interval)
ip arp inspection log-buffer logs 10 interval 60
! Generates max 10 log entries per 60 seconds
 
! ================================================
! Per-VLAN Logging Options
! ================================================
 
! Log packets dropped due to ACL
ip arp inspection vlan 10 logging acl-match
! Options: matchlog, none
 
! Log packets matching DHCP bindings (permits)
ip arp inspection vlan 10 logging dhcp-bindings permit
 
! ================================================
! View DAI Logs
! ================================================
 
! Show log buffer
show ip arp inspection log
 
! Example output:
! Total Log Buffer Size : 1024
! 
! Syslog rate : 10 entries per 60 seconds.
! 
! Interface         Vlan   Sender MAC        Sender IP       Target MAC       Target IP
! ---------         ----   ------------      ----------      ------------     ---------  
! Gi0/10             10    0000.1111.2222    192.168.10.99   0000.0000.0000   192.168.10.1
!   Dropped by ARP ACL: STATIC-SERVERS
!   00:15:32 UTC Jan 15 2024
! 
! Gi0/15             10    0000.aaaa.bbbb    192.168.10.50   0000.0000.0000   192.168.10.1
!   Dropped by DHCP Snooping binding
!   00:16:45 UTC Jan 15 2024
 
! ================================================
! Syslog Integration
! ================================================
 
! DAI generates syslog messages automatically
! Configure syslog server
logging host 10.10.10.100
logging trap informational
 
! Example syslog messages:
! %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi0/10, 
!   vlan 10.([0000.1111.2222/192.168.10.99/0000.0000.0000/192.168.10.1])
 
! ================================================
! SNMP Notifications
! ================================================
 
! Enable SNMP traps for DAI
snmp-server enable traps arp-inspection
 
! Configure SNMP server
snmp-server host 10.10.10.101 version 2c public
 
! ================================================
! Monitoring Script Example (for SIEM)
! ================================================
 
! Parse syslog for this pattern:
! %SW_DAI-4-DHCP_SNOOPING_DENY
! 
! Extract:
! - Interface (Gi0/10)
! - VLAN (10)
! - Source MAC (0000.1111.2222)
! - Source IP (192.168.10.99)
! - Timestamp
!
! Alert if:
! - Same source MAC with multiple source IPs (spoofing)
! - High volume from single port (attack in progress)
! - Critical IPs appearing in drops (misconfiguration)

SIEM Integration for DAI Alerts:

For enterprise environments, integrate DAI logs with your Security Information and Event Management (SIEM) system:

Alert Conditions:

Multiple drops from same source — Likely attack in progress
Drops for gateway IP — Someone attempting gateway impersonation
Drops after hours — Reconnaissance activity
New MAC appearing for known IP — Possible spoofing
Rate limit violations — DoS attempt or misconfigured device

Correlation with Other Events:

Combine DAI drops with failed authentication attempts
Cross-reference with network flow data
Correlate with endpoint detection events

Dashboard Recommendation

Troubleshooting DAI Issues

DAI deployment often encounters issues. Knowing how to quickly diagnose and resolve problems minimizes network disruption.

Common Issues and Solutions:

Symptom: Host loses network connectivity after DAI enabled

Diagnosis:

! Check if DAI is dropping packets
show ip arp inspection statistics vlan 10

! Look for the host in binding table
show ip dhcp snooping binding | include <IP>

! Check DAI log for drops
show ip arp inspection log

Common Causes:

Static IP host not in ARP ACL

Solution: Add to ARP ACL

arp access-list STATIC-HOSTS
  permit ip host 192.168.10.50 mac host 0000.1234.5678
ip arp inspection filter STATIC-HOSTS vlan 10

DHCP binding not in table
- May occur if DHCP Snooping enabled after host got IP
- Solution: Have host renew DHCP lease
```
! On host: ipconfig /release then /renew
```

Port is error-disabled

show interfaces status err-disabled
! If error-disabled, check if rate limit was exceeded
! Recover:
interface Gi0/10
  shutdown
  no shutdown

Wrong VLAN in ARP ACL filter
- Check ACL is applied to correct VLAN
```
show ip arp inspection
```

dai_troubleshooting.ios

Cisco IOS

! ================================================
! Complete DAI Troubleshooting Command Reference
! ================================================
 
! Overall DAI status
show ip arp inspection
 
! Per-VLAN DAI status
show ip arp inspection vlan 10,20,30
 
! DAI statistics (drops, forwards, etc.)
show ip arp inspection statistics
show ip arp inspection statistics vlan 10
 
! Interface configuration and rate limits
show ip arp inspection interfaces
 
! DAI log buffer (dropped packets)
show ip arp inspection log
 
! DHCP Snooping binding table
show ip dhcp snooping binding
show ip dhcp snooping binding vlan 10
show ip dhcp snooping binding interface Gi0/10
 
! ARP ACL configuration
show arp access-list
 
! Error-disabled ports
show interfaces status err-disabled
 
! Clear DAI statistics
clear ip arp inspection statistics
 
! Clear DAI log
clear ip arp inspection log
 
! Debug DAI (use with caution - CPU intensive)
debug arp inspection
 
! ================================================
! Verification Checklist After Enabling DAI
! ================================================
 
! 1. Verify DAI is active on expected VLANs
show ip arp inspection | include Active
 
! 2. Verify trusted ports are correct
show ip arp inspection interfaces | include Trust
 
! 3. Verify DHCP bindings exist
show ip dhcp snooping binding | count
 
! 4. Verify ARP ACLs are applied
show running-config | include ip arp inspection filter
 
! 5. Check for drops (should be zero initially)
show ip arp inspection statistics | include Dropped
 
! 6. Check for error-disabled ports
show interfaces status err-disabled

Summary: Dynamic ARP Inspection

Key Implementation Points:

Key Takeaways

•DAI requires DHCP Snooping — Enable and verify DHCP Snooping first. The binding table is DAI's source of truth for DHCP hosts.
•Configure ARP ACLs for static IPs — Hosts not using DHCP won't be in the binding table. Create explicit ACL entries to permit them.
•Tune rate limits for your environment — Default 15 pps is conservative. Virtualized hosts and servers need higher limits.
•Configure error recovery — Enable errdisable recovery to automatically restore ports that hit rate limits.
•Integrate logging with SIEM — DAI logs are security-relevant. Forward to your SIEM for correlation and alerting.
•Test before production deployment — DAI misconfigurations cause outages. Test in lab environment first.

Complete Security Architecture:

For maximum Layer 2 security, deploy all related controls:

Control	Purpose
DHCP Snooping	Block rogue DHCP, build binding table
DAI	Validate ARP against bindings
IP Source Guard	Validate IP packets against bindings
Port Security	Limit MAC addresses per port
802.1X	Authenticate devices before network access
Private VLANs	Isolate hosts within VLANs

This comprehensive approach addresses the full spectrum of Layer 2 attack vectors.

Module Complete