32-3
Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 32 Understanding and Configuring Dynamic ARP Inspection
Overview of Dynamic ARP Inspection
Interface Trust State, Security Coverage and Network Configuration
DAI associates a trust state with each interface on the system. Packets arriving on trusted interfaces bypass all DAI validation checks, while those arriving on untrusted interfaces go through the DAI validation process. In a typical network configuration for DAI, all ports connected to hosts are configured as untrusted, while all ports connected to other switches are configured as trusted. With this configuration, all ARP packets entering the network from a given switch will have passed the security check.
Figure 32-2 Validation of ARP Packets on a DAI-enabled VLAN
Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. If we assume that both S1 and S2 (in Figure 32-2) run DAI on the VLAN ports that contain H1 and H2, and if H1 and H2 were to acquire their IP addresses from the DHCP server connected to S1, then only S1 binds the IP to MAC address of H1. Therefore, if the interface between S1 and S2 is untrusted, the ARP packets from H1 get dropped on S2. This condition would result in a loss of connectivity between H1 and H2.
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the network. If S1 were not running DAI, then H1 could easily poison the ARP cache of S2 (and of H2, if the inter-switch link is configured as trusted). This condition can occur even though S2 is running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the
ARP caches of other hosts in the network. It does not, however, ensure that hosts from other portions of
the network do not poison the caches of the hosts connected to it.
To handle cases in which some switches in a VLAN run DAI and other switches do not, the interfaces
connecting such switches should be configured as untrusted. To validate the bindings of packets from
non-DAI switches, however, the switch running DAI should be configured with ARP ACLs. When it is
not feasible to determine such bindings, switches running DAI should be isolated from non-DAI
switches at Layer 3.
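The two failure modes above (connectivity loss from an over-cautious trust state, and a poisoning hole from an over-trusting one) and the ARP ACL remedy for non-DAI neighbours follow from one decision rule per interface. The following model is an added example written for this page, not code from the Cisco guide or from IOS: it reproduces the Figure 32-2 topology (S1, S2, H1, H2, DHCP server on S1) and applies the simplified DAI rule the section describes, namely trusted port means forward without checks, untrusted port means consult an explicit ARP ACL entry first and otherwise require a matching DHCP snooping binding. The IP and MAC addresses, the port names `host_port` and `interlink`, and the `scenario()` helper are constructed for illustration.

```python
"""Model of DAI trust-state decisions for the Figure 32-2 scenarios.

Added example, not part of the Cisco guide. Addresses and port names are
constructed; the validation rule is a simplified rendering of the section:
trusted interface -> no checks; untrusted interface -> explicit ARP ACL
entry wins, otherwise the sender must match a DHCP snooping binding.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    ingress_port: str


@dataclass
class DaiSwitch:
    name: str
    # interface name -> True if the interface is trusted
    trust: dict = field(default_factory=dict)
    # DHCP snooping bindings this switch learned itself: ip -> mac
    bindings: dict = field(default_factory=dict)
    # ARP ACL entries: (ip, mac) -> "permit" | "deny", checked before bindings
    arp_acl: dict = field(default_factory=dict)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one ARP packet on this switch."""
        if self.trust.get(pkt.ingress_port, False):
            return "forward"                      # trusted: bypass all checks
        verdict = self.arp_acl.get((pkt.sender_ip, pkt.sender_mac))
        if verdict is not None:
            return "forward" if verdict == "permit" else "drop"
        if self.bindings.get(pkt.sender_ip) == pkt.sender_mac:
            return "forward"                      # matches a learned binding
        return "drop"                             # unknown sender: drop


def scenario(s1_runs_dai: bool, interlink_trusted: bool, s2_arp_acl: bool) -> dict:
    """Send H1's legitimate ARP and a spoofed one from H1 across S1 to S2.

    Returns where each packet ends up: 'forwarded', 'dropped at S1' or
    'dropped at S2'. Only S1 sees H1's DHCP lease, as in Figure 32-2.
    """
    h1 = ("10.0.0.11", "00:00:00:00:00:11")       # H1's lease (constructed)
    h2_ip = "10.0.0.22"                           # H2's address (constructed)
    s1 = DaiSwitch("S1", trust={"host_port": False}, bindings={h1[0]: h1[1]})
    s2 = DaiSwitch("S2", trust={"interlink": interlink_trusted})
    if s2_arp_acl:
        s2.arp_acl[h1] = "permit"                 # static knowledge of H1 on S2

    packets = {
        "legit": ArpPacket(h1[0], h1[1], "host_port"),
        "spoofed": ArpPacket(h2_ip, h1[1], "host_port"),  # H1 claiming H2's IP
    }
    results = {}
    for label, pkt in packets.items():
        if s1_runs_dai and s1.inspect(pkt) == "drop":
            results[label] = "dropped at S1"
            continue
        # The packet crosses the inter-switch link and arrives on S2's interlink port.
        at_s2 = s2.inspect(ArpPacket(pkt.sender_ip, pkt.sender_mac, "interlink"))
        results[label] = "forwarded" if at_s2 == "forward" else "dropped at S2"
    return results


if __name__ == "__main__":
    print("both DAI, interlink untrusted :", scenario(True, False, False))
    print("both DAI, interlink trusted   :", scenario(True, True, False))
    print("S1 no DAI, interlink trusted  :", scenario(False, True, False))
    print("S1 no DAI, untrusted + ARP ACL:", scenario(False, False, True))
```

The four runs map onto the section's cases: with both switches running DAI and the interlink untrusted, H1's legitimate ARP is dropped at S2 because only S1 holds the binding (the connectivity loss described above); marking the interlink trusted restores connectivity and is safe only because S1 already filtered the spoofed packet; if S1 does not run DAI, a trusted interlink lets the spoofed packet through to S2 (the security hole); and an untrusted interlink plus an ARP ACL on S2 forwards H1's real binding while still dropping the spoof. On Cisco IOS the corresponding knobs are the interface command `ip arp inspection trust`, the `arp access-list` definition and `ip arp inspection filter <acl> vlan <range>` to apply it.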
Note Depending on the setup of the DHCP server and the network, it may not be possible to perform validation
of a given ARP packet on all switches in the VLAN.
[Figure 32-2 elements: DHCP server; Switch S1 and Switch S2; Host H1 and Host H2; interfaces Fa6/3, Fa6/4 (S1) and Fa3/3, Fa3/4 (S2)]