How Dynamic ARP Inspection works and how it is tested

2025-03-29 Update, From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 Report

This article explains how Dynamic ARP Inspection (DAI) works and walks through a test of it on a Cisco Catalyst switch, including the cases where legitimate hosts are dropped and how to fix them.

1. How it works:

a. Using the MAC-to-IP binding table built by DHCP Snooping (or entered manually), DAI validates the sender MAC and IP of every ARP packet that arrives on an untrusted port and drops packets whose sender is not in the table, so hosts that did not obtain their address legitimately cannot poison ARP caches.

b. To blunt ARP flooding, the rate of ARP packets on an interface can also be limited (by default 15 packets per second on untrusted ports and unlimited on trusted ports; a port that exceeds its limit is placed in err-disabled state).

- The test below found that ARP requests and replies (including invalid ones) arriving on untrusted ports from hosts not in the binding table are discarded anyway, so the rate limit on untrusted ports is not needed for filtering as long as the binding table is not edited manually and no hosts are exempted with an ARP access-list. Note, however, that DAI inspects those packets in software on the switch CPU before discarding them, and protecting the CPU from an ARP flood is what the rate limit is for.

2. Test topology:

(Topology figure not reproduced: SW1 with R1 and PC1 as DHCP clients on untrusted ports, and R2 as DHCP server on Fa0/2.)

Switch IOS under test:

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(55)SE3, RELEASE SOFTWARE (fc1)

3. Configuration steps:

a. Switch:

① Enable DHCP Snooping globally

ip dhcp snooping

② Enable DHCP Snooping on VLAN 11

ip dhcp snooping vlan 11

③ Mark the interface facing R2 (the DHCP server) as trusted for DHCP Snooping

interface FastEthernet0/2
 ip dhcp snooping trust

④ Enable DAI on VLAN 11

ip arp inspection vlan 11

b. DHCP server (R2) configuration:

① Define the address pool

ip dhcp pool dhcppool
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.2

② Trust option 82 (DHCP Snooping inserts option 82 with a zero giaddr, which the IOS DHCP server would otherwise discard)

interface GigabitEthernet0/0
 ip dhcp relay information trusted

4. Test:

a. Both R1 and PC1 act as DHCP clients

- The DHCP Snooping binding table holds MAC/IP entries for both R1 and PC1, so when R1 pings PC1 the switch forwards PC1's ARP reply normally (and vice versa), and the ping succeeds.

b. Manually set PC1's IP to an address outside the DHCP pool

- for example, 10.1.1.130

- The DHCP Snooping binding table now has no entry for PC1's MAC and IP, and the switch logs the violation immediately:

*Mar 2 00:45:40.424: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Fa0/9, vlan 11.([0050.56bc.9f6a/10.1.1.130/0000.0000.0000/10.1.1.130/00:45:40 UTC Tue Mar 2

- R1 can no longer ping PC1. A capture on PC1 shows R1's ARP request arriving and PC1 answering with an ARP reply, yet show arp on R1 has no entry for PC1. DAI checked PC1's reply against the DHCP Snooping binding table, found no entry for its sender MAC/IP, and dropped the reply at PC1's port.

- If PC1 now pings R1's interface address, its ARP requests get no answer at all, and debug arp on R1 never shows them: with DAI enabled, ARP requests from a host without a binding are discarded on ingress as well.

- In short, unless special configuration is added, both ARP requests and ARP replies from a port whose host is not in the DHCP Snooping binding table are discarded.

c. Handling hosts that have no entry in the DHCP Snooping binding table

- Although R1 and PC1, both DHCP clients, can reach each other, neither can ping the server address 10.1.1.2.

- The reason is that DAI finds no binding-table entry for 10.1.1.2 and discards the ARP replies sent by 10.1.1.2. Note that Fa0/2 was made trusted only for DHCP Snooping (ip dhcp snooping trust); that does not make it trusted for DAI, which is a separate setting.

- R2 itself does receive the ARP requests sent by R1 and PC1 (their senders are in the binding table), so its ARP cache contains entries for both.

- If static ARP entries for R2 are added on R1 and PC1, they can ping R2.

Any of the following switch-side fixes avoids the manual ARP entries:

① Mark the interface facing the device with the static IP as trusted for DAI

SW1(config)# interface FastEthernet0/2
SW1(config-if)# ip arp inspection trust

② Define an ARP access-list and apply it as the DAI filter for the VLAN

arp access-list testarp
 permit ip host 10.1.1.2 mac host 0002.0002.0002

ip arp inspection filter testarp vlan 11 [static]

- The static keyword is optional; the difference between using it and not has not been tested here.

- The filter command does not check the access-list name and gives no warning even if the list does not exist.

③ Add a static entry to the DHCP Snooping binding table

ip source binding 0002.0002.0002 vlan 11 10.1.1.2 interface Fa0/2

- After adding it, verify with show ip source binding, which lists both dynamic and static entries.
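As an added example (not code from this page or from Cisco), the following Python script models the per-packet decision described in section 1 and reproduces every test in section 4: a packet on a DAI-trusted port is forwarded uninspected; on an untrusted port it is counted against the rate limit (Cisco's default is 15 pps, and exceeding it err-disables the port), matched against the ARP access-list if one is applied, and finally checked against the DHCP Snooping binding table. PC1's MAC, R2's MAC and address, the ports and the VLAN are the ones on the page; R1's MAC and the two DHCP-assigned addresses are constructed. The static keyword is modelled per Cisco's documentation (packets that match no ACL clause are dropped and the bindings are not consulted), which is why the example also shows that adding it to the filter drops the DHCP clients' own ARP.

```python
"""Model of the per-packet Dynamic ARP Inspection decision on a Cisco access switch (added example)."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# From the page: PC1 (0050.56bc.9f6a) on Fa0/9, R2 (10.1.1.2, 0002.0002.0002) on Fa0/2,
# VLAN 11.  R1's MAC and the two DHCP-assigned addresses are constructed for the example.
R1_MAC, R1_IP = "0001.0001.0001", "10.1.1.11"
PC1_MAC, PC1_IP, PC1_PORT = "0050.56bc.9f6a", "10.1.1.12", "Fa0/9"
R2_MAC, R2_IP, R2_PORT = "0002.0002.0002", "10.1.1.2", "Fa0/2"
VLAN = 11

ArpPacket = namedtuple("ArpPacket", "op sender_mac sender_ip target_mac target_ip")


@dataclass
class DaiSwitch:
    vlan: int
    bindings: set = field(default_factory=set)   # (mac, ip, vlan): DHCP snooping / ip source binding
    trusted: set = field(default_factory=set)    # ports with 'ip arp inspection trust'
    acl: list = field(default_factory=list)      # [(action, ip|'any', mac|'any')] = arp access-list
    acl_static: bool = False                     # filter applied with the 'static' keyword
    rate_limit: int = 15                         # Cisco default pps on an untrusted port
    errdisabled: set = field(default_factory=set)
    _pps: dict = field(default_factory=lambda: defaultdict(int))

    def deny_log(self, port, pkt):
        # Syslog line in the format shown on the page (timestamp omitted)
        op = "Req" if pkt.op == "request" else "Res"
        return (f"%SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs ({op}) on {port}, vlan {self.vlan}."
                f"([{pkt.sender_mac}/{pkt.sender_ip}/{pkt.target_mac}/{pkt.target_ip}])")

    def _acl_action(self, pkt):
        for action, ip, mac in self.acl:           # first matching clause wins
            if ip in ("any", pkt.sender_ip) and mac in ("any", pkt.sender_mac):
                return action
        return None

    def inspect(self, port, pkt, second=0):
        """Return ('forward' | 'drop', reason) for one ARP packet received on port."""
        if port in self.errdisabled:
            return "drop", f"{port} is err-disabled"
        if port in self.trusted:                    # DAI trust, not DHCP snooping trust
            return "forward", "trusted port, not inspected"
        self._pps[(port, second)] += 1              # every inspected packet counts, valid or not
        if self._pps[(port, second)] > self.rate_limit:
            self.errdisabled.add(port)
            return "drop", f"{self.rate_limit} pps exceeded on {port}, port err-disabled"
        if self.acl:                                # the ACL is consulted before the bindings
            action = self._acl_action(pkt)
            if action == "permit":
                return "forward", "permitted by ARP ACL"
            if action == "deny":
                return "drop", "denied by ARP ACL"
            if self.acl_static:                     # documented 'static' semantics
                return "drop", "no ACL match and filter is static: bindings not consulted"
        if (pkt.sender_mac, pkt.sender_ip, self.vlan) in self.bindings:
            return "forward", "sender matches DHCP snooping binding"
        return "drop", self.deny_log(port, pkt)


def base_switch(**cfg):
    """Switch as left after section 3: leases for R1 and PC1, no port DAI-trusted."""
    cfg.setdefault("bindings", {(R1_MAC, R1_IP, VLAN), (PC1_MAC, PC1_IP, VLAN)})
    return DaiSwitch(VLAN, **cfg)


def run_scenarios():
    """Reproduce tests 4a-4c, the three fixes of 4c and the rate limit; returns name -> verdict."""
    v = {}
    pc1_reply = ArpPacket("reply", PC1_MAC, PC1_IP, R1_MAC, R1_IP)
    r2_reply = ArpPacket("reply", R2_MAC, R2_IP, R1_MAC, R1_IP)
    static_req = ArpPacket("request", PC1_MAC, "10.1.1.130", "0000.0000.0000", "10.1.1.130")

    sw = base_switch()
    v["4a dhcp client reply"] = sw.inspect(PC1_PORT, pc1_reply)[0]
    v["4b static ip request"] = sw.inspect(PC1_PORT, static_req)[0]
    v["4c r2 reply, dhcp snooping trust only"] = sw.inspect(R2_PORT, r2_reply)[0]

    sw = base_switch(trusted={R2_PORT})                     # fix 1: ip arp inspection trust
    v["fix1 arp inspection trust"] = sw.inspect(R2_PORT, r2_reply)[0]

    sw = base_switch(acl=[("permit", R2_IP, R2_MAC)])       # fix 2: arp access-list testarp
    v["fix2 acl permits r2"] = sw.inspect(R2_PORT, r2_reply)[0]
    v["fix2 no match falls through to bindings"] = sw.inspect(PC1_PORT, pc1_reply)[0]
    sw.acl_static = True                                    # ... filter testarp vlan 11 static
    v["fix2 static keyword drops dhcp clients"] = sw.inspect(PC1_PORT, pc1_reply)[0]

    sw = base_switch()
    sw.bindings.add((R2_MAC, R2_IP, VLAN))                  # fix 3: ip source binding
    v["fix3 static binding"] = sw.inspect(R2_PORT, r2_reply)[0]

    sw = base_switch()                                      # 16 valid ARPs on Fa0/9 in one second
    for _ in range(16):
        last = sw.inspect(PC1_PORT, pc1_reply, second=1)[0]
    v["rate limit 16th packet"] = last
    v["rate limit next second"] = sw.inspect(PC1_PORT, pc1_reply, second=2)[0]
    return v
```

Calling run_scenarios() returns each scenario's verdict. In the model, as on the switch, ip arp inspection trust is a separate set from ip dhcp snooping trust, which is exactly why test 4c drops R2's reply even though Fa0/2 was already trusted for snooping; and the rate limit counts every inspected packet, so a host whose ARP is being dropped by DAI still consumes the port's 15 pps budget.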
