06-02-2022 03:21 AM
Hello all,
could someone briefly explain the difference between ip arp inspection and ip device tracking?
Aren't both solutions used to populate a database with interface/ip/mac/vlan information and if combined with ip source guard protect against man-in-the-middle attacks?
In which situation should each method be preferred?
Thank you in advance,
06-02-2022 03:59 AM - edited 06-02-2022 04:00 AM
Hi @katerina.dardoufa ,
IP Device Tracking - A feature that sends ARP probes periodically to the connected host. It enables the switch to learn the IP of the connected host. This information can be used for features such as:
Source here.
ARP Inspection - This is an ingress security feature. It aims to protect the ARP cache of hosts in the domain. It depends on the entries in the DHCP snooping binding database. So it's a pre-req that DHCP snooping is enabled to build that binding database dynamically. Can also add static records through an arp access-list for static hosts or exceptions.
arp access-list arp_acl_name -
ip arp inspection filter arp_acl_name vlan vlan-range
An example of ARP-inspection:
If the ARP-reply sender IP does not match the record in the static/DHCP-snooping binding database for that port, it is dropped.
ARP traffic is allowed to pass as there is a match.
It also cross-checks the reply sender MAC address against the MAC address in the ARP reply, as well as the destination MAC address against the target MAC address.
IP Source Guard - It simply checks that the source IP address matches what has been dynamically learned in the DHCP snooping binding table (reliant on this mechanism, like the ARP inspection feature) or statically added through:
ip source binding mac-address vlan vlanid ip-address interface interface-id
(Example screenshot I had)
In conclusion, the features have different purposes. DHCP snooping, Dynamic ARP inspection (DAI) and IP Source Guard (IPSG) are ultimately used to prevent different attacks. And IPDT is used from my experience for gathering telemetry (Like in DNA-C it is enabled for wired client information) and where other switch features require the info.
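As an added configuration example (not from the reply above and not taken from Cisco documentation), this is how the three binding-based features fit together on a classic IOS access switch, with one static host covered by both an ARP ACL and a static source binding. The VLAN number, interface names, IP address and MAC address are assumed values.

```ios
! Assumed: VLAN 10 is the user VLAN, Gi1/0/24 is the uplink towards the
! DHCP server, Gi1/0/1 is an access port with a static (non-DHCP) host
! 10.1.10.50 / 0011.2233.4455.
!
! --- DHCP snooping builds the binding table that DAI and IPSG rely on ---
ip dhcp snooping
ip dhcp snooping vlan 10
interface GigabitEthernet1/0/24
 description uplink towards DHCP server
 ip dhcp snooping trust
!
! --- Dynamic ARP inspection: validate ARP on VLAN 10 against the bindings ---
ip arp inspection vlan 10
! additional checks: sender/source MAC, target/destination MAC, sender IP
ip arp inspection validate src-mac dst-mac ip
! static host that never uses DHCP: permit its ARP via an ARP ACL
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10
! the uplink is trusted so DAI does not inspect ARP from the rest of the network
interface GigabitEthernet1/0/24
 ip arp inspection trust
!
! --- IP Source Guard: filter IP packets on the access port by the same bindings ---
! static binding for the same host (IPSG has no ARP-ACL equivalent)
ip source binding 0011.2233.4455 vlan 10 10.1.10.50 interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
!
! --- IP device tracking: learning only (ARP probes); used by dot1x/dACL,
! it does not filter anything by itself ---
ip device tracking
ip device tracking probe delay 10
!
! Verification: each database can be inspected separately
! show ip dhcp snooping binding
! show ip source binding
! show ip arp inspection vlan 10
! show ip device tracking all
```

A host that is neither in the DHCP snooping table nor covered by a static binding/ARP ACL will have its ARP dropped by DAI and its IP traffic dropped by IPSG, so static hosts must be added on both sides as shown.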
06-02-2022 05:00 AM
Both are used for L2 security, but each one differs in where we apply it.
ip device tracking
The switch needs IP tracking for dot1x dACL.
ip arp snooping
The switch uses the DHCP snooping and port-security tables to match the ARP received from the port; if the fields in the ARP match both tables then it can pass, otherwise it is dropped.
Note: you can configure ip arp snooping to use only DHCP snooping, and if your network doesn't have DHCP then you can use an ACL for ip arp snooping.
06-02-2022 10:54 PM
Thank you for your answers.
We do use DHCP snooping/ARP Inspection/IP source guard in our environment to protect against L2 attacks. I also understand that you can use IP device tracking to get information about the connected device, and if you combine that with "ip verify source tracking port-security" you actually get L2 protection, same as with the more traditional method (DAI). But as I get from the replies, device tracking is usually used with dot1x.
I also guess that you can use ip device tracking when static IPs are involved? In that case you don't have to manually configure the dhcp snooping and ip source bindings. Is my understanding correct?
Thanks!