38-3
Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX
OL-4266-08
Chapter 38 Configuring Dynamic ARP Inspection
Understanding DAI
DAI ensures that only valid ARP requests and responses are relayed. The router performs these
activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before
updating the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a
trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if
DHCP snooping is enabled on the VLANs and on the router. If the ARP packet is received on a trusted
interface, the router forwards the packet without any checks. On untrusted interfaces, the router forwards
the packet only if it is valid.
DAI can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with
statically configured IP addresses (see “Applying ARP ACLs for DAI Filtering” section on page 38-8).
The router logs dropped packets (see the “Logging of Dropped Packets” section on page 38-5).
You can configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when
the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet
header (see the “Enabling Additional Validation” section on page 38-11).
Interface Trust States and Network Security
DAI associates a trust state with each interface on the router. Packets arriving on trusted interfaces
bypass all DAI validation checks, and those arriving on untrusted interfaces undergo the DAI validation
process.
In a typical network configuration, you configure all router ports connected to host ports as untrusted
and configure all router ports connected to routers as trusted. With this configuration, all ARP packets
entering the network from a given router bypass the security check. No other validation is needed at any
other place in the VLAN or in the network. You configure the trust setting by using the ip arp inspection
trust interface configuration command.
Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be
trusted can result in a loss of connectivity.
In Figure 38-2, assume that both Router A and Router B are running DAI on the VLAN that includes
Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to
Router A, only Router A binds the IP-to-MAC address of Host 1. Therefore, if the interface between
Router A and Router B is untrusted, the ARP packets from Host 1 are dropped by Router B. Connectivity
between Host 1 and Host 2 is lost.
To Next Page
Loading...
Need help?
General
