ip arp inspection vs. ip verify source

jackawang
Level 5

I'm not quite sure I understand the difference between "ip arp inspection" and "ip verify source". My understanding is that they both leverage "ip dhcp snooping" and check the L2 switchport IP/MAC address against the snooping database. If no entry found, the packets are discarded.

I have the following configured. 

Switch(config)# ip dhcp snooping

Switch(config)# ip dhcp snooping vlan 10

Switch(config)# ip arp inspection vlan 10

!

Switch(config)# interface f0/10

Switch(config-if)# switchport access vlan 10

Switch(config-if)# switchport mode access

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security maximum 3

Switch(config-if)# switchport port-security violation shutdown

Switch(config-if)# ip verify source port-security

Can someone tell me what one command does and the other doesn't?

Accepted Solution

Hello,

DHCP Snooping is the foundation for the IP Source Guard (IPSG) and Dynamic ARP Inspection (DAI). By itself, even without IPSG and DAI, the DHCP Snooping provides you with the following benefits:

  • It prevents a malicious or inadvertent addition of an unauthorized DHCP server to your network
  • It prevents the communication between a particular DHCP client and server to leak to other ports, even if the packets are broadcasted
  • It prevents malicious injection of spoofed or inconsistent DHCP packets on behalf of other clients into network

DHCP Snooping creates a database that contains the MAC, IP, VLAN and port of a client that received an IP address from a DHCP server, including the lease expiration time. This database can be further leveraged to provide additional security.

The IPSG is a protection feature that uses the DHCP Snooping database to make sure that a port accepts only IP packets sourced from an IP address that is recorded in the DHCP Snooping database as pertaining to that port. If the client changes its IP address to a different address that was not assigned to it via DHCP, it will be prohibited from accessing the network.

The DAI is a protection feature that prevents ARP spoofing attacks. In particular, it inspects the contents of ARP messages and verifies whether the Source MAC/IP and Target MAC/IP pairs are correct according to the DHCP Snooping table. This prevents a particular station from sending ARP packets in which it claims to have an IP address of a different station. The DAI feature does not filter or verify IP traffic - it is related only to ARP traffic.

To have the most protection, using all three would be recommendable. However, your basic requirements will be met by running DHCP Snooping and IPSG.

Please feel welcome to ask further!

Best regards,

Peter


11 Replies

DHCP snooping is only effective when either Ip source binding or DAI are active.

ip verify source is used for IP source binding, which verifies the IP source only

(ip source binding xxxxx vlan xx ip xxxx interface xx)

(show ip source-binding)

ip verify source port-security is used for DAI, which verifies IP and MAC address via the DHCP snooping table

show ip dhcp snooping binding

By default all interfaces are in an untrusted state when DAI is enabled.

To verify the source MAC address, DAI checks the DHCP snooping table (which can be manually edited):

(ip dhcp snooping binding xxxx xxxx vlan xx ip xxx expiry xx secs)

DAI only checks the DHCP snooping table if no filter lists are applied; in fact DHCP snooping can be removed if ARP inspection filters are in use, as it checks the ACL before the snooping table.

ip arp inspection filter TST vlan xxx

arp access-list TST

permit ip xxxx mac host xxxxx


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for your quick reply.

I still cannot draw a clear line between "ip arp inspection" and "ip verify source port-security" in the following requirement.

  • Host should obtain IP address from a DHCP server on the network.

  • Network access should be blocked if a user tries to statically configure an IP on his PC.

Switch(config)# ip dhcp snooping

Switch(config)# ip dhcp snooping vlan 10

Switch(config)# ip arp inspection vlan 10

!

Switch(config)# interface f0/10

Switch(config-if)# switchport access vlan 10

Switch(config-if)# switchport mode access

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security maximum 3

Switch(config-if)# switchport port-security violation shutdown

Switch(config-if)# ip verify source port-security

Between "ip arp inspection" and "ip verify source port-security", I don't know which one I should configure or both needed to be configured. Please advise the effect of having only one of each, and both.


" The DAI is a protection feature that prevents ARP spoofing attacks. In particular, it inspects the contents of ARP messages and verifies whether the Source MAC/IP and Target MAC/IP pairs are correct according to the DHCP Snooping table. "

My understanding is the dhcp snooping table only contains the source MAC/IP. How does DAI verify the Target Mac/IP if the Target host didn't get IP from dhcp?

The other difference between IPSG and DAI is that DAI is enabled in global mode, IPSG is per interface basis.

Once "ip arp inspection vlan 10" is configured, does it mean that no host on VLAN 10 can access the network unless their IP addresses are in dhcp snooping table?

Hello,

"My understanding is the dhcp snooping table only contains the source MAC/IP. How does DAI verify the Target Mac/IP if the Target host didn't get IP from dhcp?"

The DHCP Snooping database contains simply MAC/IP mappings (along with the VLAN and the port where the client is connected). However, these entries can be used both as source or as destination - depending on the direction of the traffic. The DHCP Snooping database simply says that a particular station (identified by its MAC address) on a particular port is assigned a particular IP address. Whether this IP/MAC is used as a source of traffic or a destination is irrelevant.

Therefore, the DAI can use the DHCP Snooping database in the following ways:

  • For ARP Requests (broadcast), only the Source MAC/IP fields are verified against the DHCP Snooping database. Target MAC/IP fields in the message are not verified because the Target MAC field is, quite understandably, set to zero in the ARP Request.
  • For ARP Reply messages (unicast), both Source MAC/IP and Target MAC/IP fields are verified

"The other difference between IPSG and DAI is that DAI is enabled in global mode, IPSG is per interface basis."

That is true; however, that is one of the less important differences - it is only about the way of configuring it, not about the actual function of the feature.

"Once "ip arp inspection vlan 10" is configured, does it mean that no host on VLAN 10 can access the network unless their IP addresses are in dhcp snooping table?"

Partially correct. If no MAC/IP bindings are recorded in the DHCP Snooping database, the DAI will not permit any ARP messages received on untrusted ports, unless the DHCP Snooping database is populated. Other packets are permitted as the DAI does not filter any other traffic apart from ARP messages. This, of course, may result in reachability issues.

Please feel welcome to ask further!

Best regards,

Peter

Thanks, Pete. I'm 95% clear now except for one thing

"For ARP Reply messages (unicast), both Source MAC/IP and Target MAC/IP fields are verified."

Does DAI solely rely on dhcp snooping table for verification? If the Target host has a static IP (so its MAC/IP is not in dhcp snooping table), will DAI block the traffic? Assuming the Target host switch port is configured with "ip arp inspection trust".

If it is true, how can we make this situation work without disabling DAI globally?

Hello,

"Does DAI solely rely on dhcp snooping table for verification? If the Target host has a static IP (so its MAC/IP is not in dhcp snooping table), will DAI block the traffic?"

You are still considering the DHCP Snooping database to be directional. That is not a correct assumption. Consider two hosts connected to the same switch running DHCP Snooping. Both hosts receive their IP address via DHCP, so the DHCP Snooping database contains MAC/IP mappings for both hosts. Anytime one of the hosts sends an ARP query for the other, both source and target MAC/IP pairs in the ARP response can be verified against the DHCP Snooping database because they are both recorded in it.

There is, of course, a question how to account for stations with static IP addresses, as their MAC/IP won't make it into DHCP Snooping database. There is an option of defining the IP/MAC mapping for DAI purposes statically, using a so-called ARP access list. You may be interested in reading about it more here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/swdynarp.html#wp1039773

Best regards,

Peter
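To make the distinctions in Peter's accepted answer and his two follow-ups concrete (IPSG filters IP packets per port against the binding table; DAI filters only ARP, checking the sender pair in requests and both pairs in replies; a static host needs an ARP ACL entry because it never gets a binding), here is a small Python model of the lookups. It is an added illustration, not the thread's own code and not Cisco's implementation: the binding table, ports, MAC/IP addresses and the ARP ACL ordering (explicit ACL match wins, otherwise fall through to the snooping table) are constructed assumptions for the example.

```python
# Added example: a model of how IP Source Guard (IPSG) and Dynamic ARP
# Inspection (DAI) consult the DHCP snooping binding table. All bindings,
# ports and addresses below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry: which MAC/IP sits on which VLAN and port."""
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed binding table: two DHCP clients. The host on Fa0/12 uses a
# statically configured address and therefore never appears here.
SNOOP_DB = (
    Binding("aaaa.aaaa.aaaa", "10.0.10.11", 10, "Fa0/10"),
    Binding("bbbb.bbbb.bbbb", "10.0.10.12", 10, "Fa0/11"),
)

# Ports configured with "ip arp inspection trust" (assumed: the uplink).
TRUSTED_PORTS = {"Gi0/1"}

ArpAcl = Dict[Tuple[str, str], str]  # (ip, mac) -> "permit" | "deny"


def ipsg_allows(port: str, src_ip: str, src_mac: Optional[str] = None) -> bool:
    """IP Source Guard: an IP packet entering the port passes only if its
    source IP (and, with the port-security variant, its source MAC) is bound
    to that very port. A host with a static IP has no binding and is dropped."""
    return any(
        b.port == port and b.ip == src_ip and (src_mac is None or b.mac == src_mac)
        for b in SNOOP_DB
    )


def _pair_valid(ip: str, mac: str, arp_acl: Optional[ArpAcl]) -> bool:
    """One IP/MAC pair as DAI judges it. Modelled order: a matching ARP ACL
    entry (permit or explicit deny) decides; with no ACL match the pair must
    appear in the snooping table on any port (the table is not directional)."""
    if arp_acl is not None and (ip, mac) in arp_acl:
        return arp_acl[(ip, mac)] == "permit"
    return any(b.ip == ip and b.mac == mac for b in SNOOP_DB)


def dai_allows(port: str, op: str, sender_ip: str, sender_mac: str,
               target_ip: str, target_mac: str,
               arp_acl: Optional[ArpAcl] = None) -> bool:
    """Dynamic ARP Inspection on one port. Trusted ports are not inspected.
    A request carries no target MAC, so only the sender pair is checked;
    a reply has both the sender and the target pair checked. Nothing here
    looks at IP packets: DAI filters ARP only."""
    if port in TRUSTED_PORTS:
        return True
    if not _pair_valid(sender_ip, sender_mac, arp_acl):
        return False
    if op == "reply":
        return _pair_valid(target_ip, target_mac, arp_acl)
    return True


def scenarios() -> Dict[str, bool]:
    """The cases discussed in the thread; returns scenario name -> allowed."""
    # ARP ACL entry standing in for the static host that has no DHCP binding.
    static_acl: ArpAcl = {("10.0.10.50", "cccc.cccc.cccc"): "permit"}
    a, b, s = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "cccc.cccc.cccc"
    return {
        # IPSG: bound client passes; a re-addressed client or a static host does not
        "ipsg_bound_client": ipsg_allows("Fa0/10", "10.0.10.11", a),
        "ipsg_client_changed_ip": ipsg_allows("Fa0/10", "10.0.10.99", a),
        "ipsg_static_host": ipsg_allows("Fa0/12", "10.0.10.50", s),
        # DAI request: only the sender pair is checked (target MAC is all zeros)
        "dai_request_from_bound": dai_allows("Fa0/10", "request", "10.0.10.11", a, "10.0.10.12", "0000.0000.0000"),
        # DAI reply: both pairs are checked, and both are in the table
        "dai_reply_both_bound": dai_allows("Fa0/11", "reply", "10.0.10.12", b, "10.0.10.11", a),
        # A reply claiming another station's IP with a different MAC is dropped
        "dai_reply_spoofed_sender": dai_allows("Fa0/12", "reply", "10.0.10.11", s, "10.0.10.12", b),
        # Static host: dropped without an ARP ACL entry, permitted with one
        "dai_static_no_acl": dai_allows("Fa0/12", "reply", "10.0.10.50", s, "10.0.10.11", a),
        "dai_static_with_acl": dai_allows("Fa0/12", "reply", "10.0.10.50", s, "10.0.10.11", a, arp_acl=static_acl),
        # The same reply on a trusted port is not inspected at all
        "dai_trusted_port": dai_allows("Gi0/1", "reply", "10.0.10.50", s, "10.0.10.11", a),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:28s} {'permit' if allowed else 'DROP'}")
```

The `ipsg_static_host` case is the original poster's requirement (a user who sets a static IP is blocked), and it is IPSG, not DAI, that enforces it: `dai_allows` never sees an IP packet, so on a port with DAI alone the static host's IP traffic passes and only its ARP is dropped, which is the reachability problem Peter mentions and the reason the ARP ACL entry in `dai_static_with_acl` exists.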

Thank you very much. You answered all my questions.

Hello,

It was a pleasure. Please feel welcome to ask your questions anytime on these forums. Thank you for the generous rating!

Best regards,

Peter

Nice concise responses Peter - very useful. And thanks for the link regarding static IP addresses and ARP access lists.

Best

Richard

If I use the command below in DAI

ip arp inspection validate src-ip

you said that the DAI

"the DAI feature does not filter or verify IP traffic - it is related only to ARP traffic."

I think in this case, if I do that command,

if the ARP reply packet came with a wrong IP address, not as in the ARP body,

the violation occurs and the ARP packet will drop, and if it gets to the threshold the port will go to err-disable and go down.

In this case we can say that DAI can inspect or prevent the real IP traffic and do as the IP Source Guard.

Kindly send me your answer at arian747g@yahoo.com