Cisco Meraki Documentation

Dynamic ARP Inspection

Overview

This article explains how to configure Dynamic ARP Inspection (DAI) on MS switches. DAI protects your network against man-in-the-middle ARP spoofing attacks. 

DAI is a security feature in MS switches. It inspects Address Resolution Protocol (ARP) packets on the LAN. It uses the information in the DHCP snooping table to validate them. 

DAI works in three steps: 

  1. It intercepts each ARP packet received on an untrusted port. 

  2. It compares the packet's sender MAC and IP addresses against the MAC-IP bindings in the DHCP snooping table. 

  3. It drops any ARP packet that is inconsistent with the table. 

How ARP works 

Network devices need the IP and MAC address of the hosts they communicate with. ARP determines the MAC address associated with an IP address. Each device stores these IP-to-MAC bindings in its ARP cache. 

Consider this: 

  • Host A wants to communicate with Host B. 

  • Host A does not have Host B's MAC address in its ARP cache. 

  • Host A broadcasts an ARP request to all hosts in the LAN segment. 

  • All hosts in the broadcast domain receive the request. 

  • Only Host B responds with its MAC address. 

How ARP spoofing attacks work 

ARP spoofing is a form of man-in-the-middle attack. It lets an attacker intercept traffic intended for other hosts. 

The attacker sends crafted ARP packets that poison the ARP caches of end hosts, switches, and firewalls on the LAN segment, so that traffic destined for the victim's IP address is delivered to the attacker's MAC address instead. 

The example below shows how this attack happens: 

  • Hosts A, B, and C connect to the switch on ports 1, 2, and 3 respectively. 

  • Host A needs to communicate with Host B. It broadcasts an ARP request for 10.10.10.20, the IP address of Host B. 

  • Host B responds. The switch and Host A populate their ARP caches with a binding for IP address 10.10.10.20 and MAC address bb:bb:bb:bb:bb:bb. The switch learns the MAC address of Host B on port 2. 

  • Host C poisons the ARP cache of the switch and Host A. It broadcasts forged ARP responses. These packets falsely claim that IP address 10.10.10.20 exists on cc:cc:cc:cc:cc:cc. 

  • Host A and the switch now use MAC address cc:cc:cc:cc:cc:cc as the destination for traffic intended for Host B. 

  • The switch forwards all traffic toward 10.10.10.20 to port 3. Host C intercepts that traffic. 

Host C has now inserted itself into the traffic stream from Host A to Host B. This is a classic man-in-the-middle attack. 

Topology with a single switch and three hosts. Host A has an IP address of 10.10.10.10 and a MAC address ending in aa. Host B has an IP address of 10.10.10.20 and a MAC address ending in bb. Host C has an IP address of 10.10.10.30 and a MAC address ending in cc. Host C is performing a spoofing attack by sending a gratuitous ARP reply stating that 10.10.10.20 is at cc.

How DAI works 

DAI associates a trust state with every port on the switch: 

  • Trusted ports are excluded from DAI validation checks. All ARP traffic is permitted. 

  • Untrusted ports are subject to DAI validation checks. The switch examines ARP requests and responses received on those ports. 

DAI compares the IP-to-MAC binding information in ARP packets to the DHCP snooping table. If no IP-to-MAC entry in the table matches the ARP packet, DAI drops the packet. DAI does not update the local ARP cache with that information. 

Set only ports facing end hosts as untrusted (Trusted: disabled). Set ports that connect to other network devices, such as switches or wireless access points, as trusted. A trusted port bypasses inspection entirely, so trust only ports on the infrastructure side that you control. Leaving an uplink untrusted causes connectivity issues, because ARP packets from hosts behind the neighbouring device may have no entry in this switch's own DHCP snooping table and are then dropped. 

MS Classic switches implement DAI with the IP validation feature enabled: in addition to the binding check, they confirm that the IP address carried in the ARP packet is a valid address. Cloud-managed Catalyst switches perform basic DAI with no validation options enabled. 
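The exchange from "How ARP spoofing attacks work" and the check from "How DAI works", as an added example that is not part of the Meraki article and not Meraki's own switch code. The frame encodings are the real Ethernet II and ARP layouts; the hosts, ports, VLAN, DHCP snooping entries and the trusted uplink on port 24 are constructed from the article's topology. The IP-validation rule is an assumption modelled on the usual meaning of that option (rejecting 0.0.0.0, 255.255.255.255 and multicast sender addresses); the article does not spell out which addresses MS Classic rejects.

```python
# Added example, not Meraki code. Models a naive ARP cache, the poisoning attack
# from the article and the DAI check. Hosts, ports and bindings are constructed.
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826 layout)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + IPv4Address(target_ip).packed
    return eth + arp

def parse_arp(frame):
    """Extract the sender/target pairs; the sender pair is what DAI validates."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encapsulation")
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": str(IPv4Address(frame[28:32])),
            "target_mac": mac_str(frame[32:38]), "target_ip": str(IPv4Address(frame[38:42]))}

def sender_ip_is_valid(ip):
    """Assumed 'IP validation' rule (MS Classic): reject unusable sender addresses."""
    ip = IPv4Address(ip)
    return not (ip.is_unspecified or ip.is_multicast or ip == IPv4Address("255.255.255.255"))

class DaiSwitch:
    """Per-port trust state plus a (vlan, mac) -> ip table fed by DHCP snooping."""

    def __init__(self, trusted_ports, snooping_table, allow_list=None, validate_ip=True):
        self.trusted = set(trusted_ports)
        self.bindings = dict(snooping_table)     # learned from DHCP snooping
        self.bindings.update(allow_list or {})   # manual 'Allow listed snoop entries'
        self.validate_ip = validate_ip
        self.arp_cache = {}                      # ip -> mac, updated only by permitted ARP
        self.blocked = []                        # what 'DAI Blocked Events' would list

    def receive(self, port, vlan, frame):
        pkt = parse_arp(frame)
        verdict = self._inspect(port, vlan, pkt)
        if verdict == "permit":
            self.arp_cache[pkt["sender_ip"]] = pkt["sender_mac"]
        else:
            self.blocked.append({"mac": pkt["sender_mac"], "vlan": vlan,
                                 "likely_ip": pkt["sender_ip"], "reason": verdict})
        return verdict

    def _inspect(self, port, vlan, pkt):
        if port in self.trusted:
            return "permit"                      # trusted ports are never inspected
        if self.validate_ip and not sender_ip_is_valid(pkt["sender_ip"]):
            return "drop: invalid sender IP"
        bound_ip = self.bindings.get((vlan, pkt["sender_mac"]))
        if bound_ip is None:
            return "drop: no snooping entry"     # static host, or a non-DHCP subnet
        if bound_ip != pkt["sender_ip"]:
            return "drop: binding mismatch"      # the spoofing case
        return "permit"

def run_scenario():
    """Constructed topology: A, B, C on ports 1-3 of VLAN 10; D is a static host on port 4."""
    A = ("aa:aa:aa:aa:aa:aa", "10.10.10.10")
    B = ("bb:bb:bb:bb:bb:bb", "10.10.10.20")
    C = ("cc:cc:cc:cc:cc:cc", "10.10.10.30")
    D = ("dd:dd:dd:dd:dd:dd", "10.10.10.40")    # never obtained a DHCP lease
    vlan = 10
    snooping = {(vlan, mac): ip for mac, ip in (A, B, C)}
    legit_reply = build_arp(ARP_REPLY, B[0], B[1], A[0], A[1], dst_mac=A[0])  # B answers A
    forged_reply = build_arp(ARP_REPLY, C[0], B[1], BROADCAST, B[1])          # C claims B's IP
    static_announce = build_arp(ARP_REPLY, D[0], D[1], BROADCAST, D[1])       # D's gratuitous ARP
    arp_probe = build_arp(ARP_REQUEST, A[0], "0.0.0.0", "00:00:00:00:00:00", A[1])
    naive_cache = {}                             # no DAI: the last sender wins
    for pkt in map(parse_arp, (legit_reply, forged_reply)):
        naive_cache[pkt["sender_ip"]] = pkt["sender_mac"]
    sw = DaiSwitch(trusted_ports={24}, snooping_table=snooping)
    verdicts = {"legit_reply": sw.receive(2, vlan, legit_reply),
                "forged_reply": sw.receive(3, vlan, forged_reply),
                "static_host": sw.receive(4, vlan, static_announce),
                "arp_probe": sw.receive(1, vlan, arp_probe)}
    dai_cache = dict(sw.arp_cache)
    verdicts["forged_on_uplink"] = sw.receive(24, vlan, forged_reply)  # trust bypasses everything
    allowed = DaiSwitch({24}, snooping, allow_list={(vlan, D[0]): D[1]})
    verdicts["static_host_allowed"] = allowed.receive(4, vlan, static_announce)
    return {"naive_cache": naive_cache, "dai_cache": dai_cache, "verdicts": verdicts, "blocked": sw.blocked}
```

Calling run_scenario() shows the naive cache ending up with 10.10.10.20 mapped to Host C while the DAI-protected cache keeps Host B, and the dropped frames collected in blocked with the same MAC, VLAN and likely-IP fields the dashboard's DAI Blocked Events table shows. The same forged reply delivered on trusted port 24 is permitted without any check, which is why only infrastructure uplinks should be trusted; the statically addressed Host D is dropped until it is placed on the allow list.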

Prerequisites 

Supported models and firmware 

DAI is supported on the following models. The minimum required firmware is the oldest version that supports this functionality on the platform. It is not the same as the recommended firmware. Meraki recommends using the latest GA or RC firmware release for this feature. 

MS Switch Family   MS Switch Model               Minimum Required Firmware
MS100 series       MS120, MS125, MS130 & MS150   MS 16 (MS 17 for the MS150)
MS200 series       MS210, MS225 & MS250          MS 10
MS300 series       MS350 & MS355                 MS 10
MS300 series       MS390                         MS 12
MS400 series       MS410, MS425 & MS450          MS 10
C9300 series       C9300-M                       CS 15

DHCP requirement 

DAI relies on DHCP snooping table information to perform validation. 

If the switch has no corresponding entry in its DHCP snooping table, and an ARP packet arrives on an untrusted port, DAI validation fails. The switch drops the ARP packet. Use DAI only for DHCP-enabled subnets. 

Step-by-step instructions 

  1. Configure trusted ports before enabling DAI. Go to Switching > Monitor > Switch ports and set Trusted to enabled on the uplink and other infrastructure-facing ports. By default, all ports are untrusted (Trusted: disabled). 

DAI validates only against the switch's own DHCP snooping table. If no matching entry exists and an ARP packet arrives on an untrusted port, the packet is dropped, so enable DAI only on DHCP-enabled subnets. 

On the switch port configuration, the Trusted parameter is being set to enabled.

  2. Navigate to Switching > Monitor > DHCP servers & ARP. 

The Meraki dashboard menu for 'DHCP servers and ARP' has been selected

  3. Enable DAI. DAI is disabled by default. 

The DAI status is being moved from the default disabled value to enabled 

A warning appears if you enable DAI without configuring trusted ports, or if the network contains switch models that do not support DAI. 

Two warning messages are present. The first states "Dynamic ARP Inspection is not supported on MS220 and MS320 switches. The settings below will be omitted by the following switches". The second states "There are switches in your network that don't have trusted ports enabled. This could cause connectivity issues for clients on the following switches". 
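The three steps above as an added script, not part of the Meraki article and not Meraki's own tooling. It applies the same settings through the Meraki Dashboard API v1 and enforces the ordering the dashboard warning is about: every switch gets its trusted ports first, and DAI is enabled only afterwards. The endpoint paths and the daiTrusted / arpInspection.enabled field names are my reading of the public API reference and should be checked against it for your firmware; the serials, port IDs and network ID are constructed placeholders.

```python
# Added example, not Meraki code: scripts the DAI procedure through the Meraki
# Dashboard API v1. Paths and the daiTrusted / arpInspection.enabled field names
# are my reading of the public API reference (verify against it); serials, port
# IDs and the network ID are constructed placeholders.
import json
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"

def plan_dai_rollout(network_id, trusted_ports_by_serial):
    """Ordered list of (method, path, body): trusted ports on every switch first,
    DAI last. Refuses to plan if any switch has no trusted port, the condition the
    dashboard warns about, since ARP from hosts behind another switch has no entry
    in this switch's own snooping table and would be dropped on an untrusted uplink."""
    calls = []
    for serial, ports in sorted(trusted_ports_by_serial.items()):
        if not ports:
            raise ValueError(f"{serial}: no trusted ports; mark its uplink(s) trusted first")
        for port_id in ports:
            calls.append(("PUT", f"/devices/{serial}/switch/ports/{port_id}",
                          {"daiTrusted": True}))
    calls.append(("PUT", f"/networks/{network_id}/switch/dhcpServerPolicy",
                  {"arpInspection": {"enabled": True}}))
    return calls

def apply_plan(api_key, calls, dry_run=True):
    """Send the calls in order. A failed port update raises before the DAI call is
    reached, so inspection is never switched on with an untrusted uplink left behind."""
    results = []
    for method, path, body in calls:
        if dry_run:
            results.append((method, path, json.dumps(body)))
            continue
        req = urllib.request.Request(
            BASE_URL + path, data=json.dumps(body).encode(), method=method,
            headers={"Authorization": f"Bearer {api_key}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:  # HTTPError on 4xx/5xx
            results.append((method, path, resp.status))
    return results

if __name__ == "__main__":
    # Constructed inventory: uplink on port 24 of one switch, ports 49-50 on the other.
    inventory = {"Q2XX-AAAA-0001": ["24"], "Q2XX-BBBB-0002": ["49", "50"]}
    for call in apply_plan("not-a-real-key", plan_dai_rollout("L_123456", inventory)):
        print(*call)
```

Run it with dry_run=True first to review the exact calls, then with dry_run=False and a real API key. Port IDs are the dashboard's port numbers as strings (stack members use their own numbering), and the DHCP server policy endpoint also carries the allowed and blocked DHCP server lists, so review the existing policy before sending a partial update.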

Verification 

Confirm that DAI is working by reviewing DAI Blocked Events. When a client attempts to spoof an IP address, its ARP traffic fails validation on the untrusted switch port; DAI drops the packet and records a blocked event.

Find these events in either of these locations: 

  • Network-wide > Monitor > Event log 

  • The switch-related page under Switching > Monitor > DHCP servers & ARP 

The events list the following details: 

  • The source MAC address. 

  • The VLAN where the traffic was identified. 

  • The likely IP address. 

  • Timestamps of the events. 

  • The total count of the events. 

The DAI Blocked event log. Multiple clients are listed with their MAC address, VLAN, Likely IP Address, Last and First seen times and Count in the table columns

Troubleshooting 

DAI blocks static IP addresses 

DAI blocks hosts with static IP addresses configured directly on the device. This is expected: a static host never obtains a DHCP lease, so the DHCP snooping table has no binding for it and its ARP packets fail validation on an untrusted port. These events are tracked in the DHCP Tracker folder. To permit such a host, add it to the Allow list as described in the next section. 

Allow entries flagged incorrectly 

DAI may flag a client incorrectly. In this case, add the entry to the Allow list so the traffic is not dropped. 

Allowing an entry adds it to the DHCP snooping table as a valid snoop entry. This ties the MAC address of the client to the IP address in the table. DAI no longer flags the traffic as invalid or malicious. 

To allow a blocked entry: 

  1. Go to Switching > Monitor > DHCP servers & ARP. 

  2. Under DAI Blocked Events, select the entry you wish to allow. 

  3. Select Move to allow list. 

The DAI Blocked event log. Multiple clients are listed with their MAC address, VLAN, Likely IP Address, Last and First seen times and Count in the table columns

The selected entry now appears under the Allow listed snoop entries section. Traffic from this MAC address using this IP address is no longer blocked by DAI. 

The client from the previous screenshot now exists in a separate table named 'Allow listed snoop entries'

The Allow listed snoop entries section is expected to be empty during normal operation. IP-to-MAC bindings learned via the DHCP snooping table do not appear here. The section populates only after a client is manually moved or added. 
