Sunday, December 31, 2017
Cisco CCNP:300-115 - 2.1 Configure and verify switch security features: 2.1.c Dynamic ARP inspection
Recently I needed to renew my Cisco CCNPs, that is both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.
- Security feature which validates ARP packets in a network
- Dynamic ARP inspects, intercepts, logs and discards ARP pakcets with invalid iP-to-MAC address bindins
- Can protect from certain man-in-the-middle attack
- Ensures only valid ARP requests and responses are relayed
- First step is to intercept all ARP requests and response on untrusted ports
- Next step is to verify the IP-to-MAC binding is valid before updaing the local ARP cache or forwarding the packet to the correct destination
- Drop Invalid ARP Packets
- Validit of an ARP packet is based on valid IP-to-KAC address biding which are stroed in the trusted database known as the DHCP snooping binding database
- The DHCP binding database is built by DHCP snooping if it is enabled on the VLANs and on the switchc
- ARP packets received on trusted interfaces are forwarded without any checks
- ARP packets on untrusted interfaces are only forwarded if they are valid
- Dynamic ARP inspection is enabled on a per VLAN basis using:
SW2(config)#ip arp inspection vlan 30
- Dynamic ARP can also be used in non-DHCP environments
- Dynamic ARP Inspection can be configured to drop packets when the IP address in the packets are invalid
- Dynamic ARP inspection can also drop packets when the MAC address in the body of the ARP packets do not match the address specified in the Ethernet header
Trust States and Network Security
- Dynamic ARP Inspection associates each interface with a trust state
- Traffic coming in on trusted interfaces bypass all dynamic ARP validation checks
- Traffic arriving on untrusted interfaces undergoes the dynamic ARP inspection validation process
- To configure trust setting, use:
SW2(config-if)#ip arp inspection trust
- Configuring interfaces as untrusted when they should be trusted can result in a loss of conectivity
- Dynamic ARP inspection ensures hosts connected to untrusted ports do not poison the ARP caches of other hosts on the network
- By default the rate of untrusted packets is 15 packets per second (pps)
- Trusted interfaces are not rate limited
- When the rate of incoming packets exceeds the configured limit, the interface is placed in "err-disabled" state
- When the port goes into "err-disabled" state, manual intervention is required if global recovery is not configured
- If EtherChannel is in use, each switchport in the Channel operates at 20 pps. If any switch exceeds the limit, the entire Channel is placed in "err-disabled" state
- Dynamic ARP inspection uses the DHCP snooping binding database
- Switches compare ARP packets to user-configured ARP ACLS
- If the ARP ACL denies the ARP packet, then the switch also denies the packet. This is so even if a valid binding exists in the DHCP snooping database
- By Default Dynamic ARP Inspection is disabled on all VLANs
- By Default All interfaces are untrusted
- Dynamic ARP inspection is an ingress security feature
- Dynamic ARP inspection does not perform any egress checking
- Dynamic ARP inspection relies on entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and responses
- Dynamic ARP inspection is supported on access, trunk, EtherChannel and private VLAN ports
- Dynamic ARP inspection should not be enabled on RSPAN VLANs. Packets may not reach the RSPAN destination port
- Physical ports can join the channel group only when the trust state of the physical port matches that of the channel. Otherwise ports remain suspended in the channel
- The rate of incoming packets on a physical port is is checked again the port-channel configs rather than the physical ports configs
- When the EtherChannel receives more packets than the configured rate the interfaces in the channel and the channel are placed in "err-disabled" state
- When Dynamic ARP inspection is configured, ARP traffic policiers are no longer valid
- To see current Dynamic ARP inspection interface status use
SW2#show ip arp inspection interfaces
Interface Trust State Rate (pps) Burst Interval
--------------- ----------- ---------- --------------
Gi1/0/1 Untrusted 15 1
Gi1/0/2 Untrusted 15 1
Gi1/0/3 Untrusted 15 1
.....
Gi1/0/23 Trusted None N/A
References:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/12-2_55_se/configuration/guide/3750xscg/swdynarp.html
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment