Address Resolution Protocol (ARP) is used to map IP addressing to MAC
addresses in a local area network segment where hosts of the same subnet
reside. Normally, a host will send out a broadcast ARP request to find the MAC
address of another host with a particular IP address and an ARP response will
come from the host whose address matches the request. The requesting host will
then cache this ARP response.
ARP Spoofing
Within the ARP protocol a provision is made for
hosts to perform unsolicited ARP replies. The unsolicited ARP replies are
called gratuitous ARPs (GARP). GARP can be exploited maliciously by an attacker
to spoof the identity of an IP address on a LAN segment. Typically, this is
used to spoof the identity between two hosts or all traffic to and from a
default gateway in a Man in the Middle attack.
By crafting an ARP reply, a network attacker can make their system appear to
be the destination host sought by the sender. The ARP reply
causes the sender to store the MAC address of the attacking system in the ARP
cache. This MAC address is also stored by the switch in its CAM table. In this
way the network attacker has inserted the MAC address of his or her system into
both the CAM table of the switch and the ARP cache of the sender. This allows
the network attacker to intercept frames destined for the host that is being
spoofed.
DHCP Snooping
A solution that can be used to mitigate various ARP-based network exploits is
the use of DHCP snooping. DHCP
Snooping provides security by filtering trusted DHCP messages and then using
these messages to build and maintain a DHCP snooping binding table. DHCP
Snooping considers DHCP messages originating from any user facing port that is
not a DHCP server port or an uplink to a DHCP server as untrusted. From a DHCP
Snooping perspective these untrusted, user-facing ports should not send DHCP
server type responses such as DHCPOffer, DHCPAck, or DHCPNak.
DHCP
snooping acts like a firewall between untrusted hosts and DHCP servers. It also
gives the administrator a way to differentiate between untrusted interfaces
connected to the end user and trusted interfaces connected to the DHCP server
or another switch.
DHCP Snooping Configuration Guidelines
These are the
configuration guidelines for DHCP snooping.
- DHCP snooping must be enabled globally on the switch.
- DHCP snooping is not active until DHCP snooping is enabled on a VLAN.
- Before configuring the DHCP information option on the switch, make sure to
configure the device that is acting as the DHCP server. For example, you must
specify the IP addresses that the DHCP server can assign or exclude, or
configure the DHCP options for devices.
The steps to configure DHCP snooping are shown in Figure.
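As an added example (it is not the page's own configuration or the figure it refers to), the following Cisco IOS commands apply the three guidelines above on a Catalyst access switch. VLAN 10, the interface names, the description text and the rate-limit value are assumed values:

```cisco
! Added example: DHCP snooping on a Catalyst access switch (IOS CLI).
! VLAN 10, the interface names and the rate limit are assumed values.
!
! Guideline 1: enable DHCP snooping globally. On its own this filters nothing.
ip dhcp snooping
!
! Guideline 2: snooping only becomes active on the VLANs listed here.
ip dhcp snooping vlan 10
!
! Guideline 3: the DHCP server (pool, excluded addresses, options) must already
! be configured. Option 82 insertion is on by default once snooping is enabled;
! if the server rejects DHCP packets that carry option 82, disable it with:
!   no ip dhcp snooping information option
!
! Uplink toward the DHCP server: trusted, so DHCPOffer, DHCPAck and DHCPNak
! coming from the server are forwarded to clients.
interface GigabitEthernet0/1
 description Uplink toward DHCP server
 ip dhcp snooping trust
!
! User-facing ports stay untrusted (the default). Server-type messages that
! arrive here are dropped; the rate limit blunts DHCP request floods.
interface range FastEthernet0/1 - 24
 ip dhcp snooping limit rate 15
!
! Verification, from privileged EXEC mode:
!   show ip dhcp snooping
!   show ip dhcp snooping binding
```

The second `show` command lists the binding table described in the next section; each entry learned from a DHCP exchange on an untrusted port should show the client's MAC address, the leased IP address, the remaining lease time, the VLAN and the interface it was learned on.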
The DHCP Snooping Binding Table
The DHCP snooping binding table
contains the MAC address, IP address, lease time, binding type, VLAN number,
and interface information corresponding to the local untrusted interfaces of a
switch. The table does not have information about hosts interconnected with a
trusted port because each interconnected switch has its own DHCP snooping
binding table.
An untrusted interface is an interface configured to
receive messages from outside the network or firewall. A trusted interface is
an interface that is configured to receive only messages from within the
network. The DHCP snooping binding table can contain both dynamic as well as
static MAC address to IP address bindings.
The show ip dhcp snooping binding command displays the DHCP snooping binding
entries for a switch, as shown in Figure.
Dynamic ARP Inspection
Dynamic ARP Inspection (DAI) determines
the validity of an ARP packet based on the valid MAC address to IP address
bindings stored in a DHCP snooping database. Additionally, DAI can validate ARP
packets based on user-configurable ACLs. This allows for the inspection of ARP
packets for hosts using statically configured IP addresses. DAI allows for the
use of per-port and VLAN Access Control Lists (VACLs) to limit ARP packets for
specific IP addresses to specific MAC addresses.
NOTE: Dynamic ARP Inspection (DAI) is not available on the Cisco Catalyst
2950 switch. DAI is available on Catalyst models 3550 and higher.
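The DAI behaviour described above, as an added IOS example rather than the page's own configuration. It assumes DHCP snooping is already active on VLAN 10 (so a binding table exists), and the static host address, its MAC address, the ACL name and the interface names are placeholder values:

```cisco
! Added example: Dynamic ARP Inspection on the same switch (IOS CLI).
! Assumes DHCP snooping is already enabled for VLAN 10. The ACL name, the
! addresses and the interface names are assumed values.
!
! Enable DAI for the VLAN: ARP packets received on untrusted ports are checked
! against the DHCP snooping binding table and dropped when the sender MAC/IP
! pair does not match a binding.
ip arp inspection vlan 10
!
! Optional additional checks: Ethernet source/destination MAC must agree with
! the ARP body, and the ARP body must not carry invalid IP addresses.
ip arp inspection validate src-mac dst-mac ip
!
! A host with a statically configured IP address has no DHCP binding, so it
! must be permitted through an ARP ACL or DAI will drop its ARP traffic.
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0000.1111.2222
!
! Apply the ACL to the VLAN. ARP packets the ACL does not match still fall
! back to the DHCP snooping bindings; appending the "static" keyword denies
! them instead.
ip arp inspection filter STATIC-HOSTS vlan 10
!
! Trusted uplink: ARP arriving from the neighbouring switch is not inspected.
interface GigabitEthernet0/1
 ip arp inspection trust
!
! Untrusted access ports: the ARP rate limit (15 pps is the default) puts a
! port into err-disabled state if it is exceeded.
interface range FastEthernet0/1 - 24
 ip arp inspection limit rate 15
!
! Verification, from privileged EXEC mode:
!   show ip arp inspection vlan 10
!   show ip arp inspection interfaces
!   show ip arp inspection statistics vlan 10
```

The statistics output is the place to look when hosts lose connectivity after DAI is enabled: a rising count of dropped ARP packets on an untrusted port usually means a static host without a matching ACL entry or a binding that expired, not an attack.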