Users Guide

ManualsBrandsDell ManualsAccess PlatformsOS9

301

302

303

304

305

306

307

308

309

310

The lack of authentication in ARP makes it vulnerable to spoofing. ARP spoofing is a technique attackers use to inject false IP-

to-MAC mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM), and denial-of-

service (DoS) attacks, among others.

A spoofed ARP message is one in which the MAC address in the sender hardware address field and the IP address in the sender

protocol field are strategically chosen by the attacker. For example, in an MITM attack, the attacker sends a client an ARP

message containing the attacker’s MAC address and the gateway’s IP address. The client then thinks that the attacker is the

gateway, and sends all internet-bound packets to it. Likewise, the attacker sends the gateway an ARP message containing the

attacker’s MAC address and the client’s IP address. The gateway then thinks that the attacker is the client and forwards all

packets addressed to the client to it. As a result, the attacker is able to sniff all packets to and from the client.

Other attacks using ARP spoofing include:

Broadcast An attacker can broadcast an ARP reply that specifies FF:FF:FF:FF:FF:FF as the gateway’s MAC address,

resulting in all clients broadcasting all internet-bound packets.

MAC flooding An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after

which, traffic from the gateway is broadcast.

Denial of service An attacker can send a fraudulent ARP messages to a client to associate a false MAC address with the

gateway address, which would blackhole all internet-bound packets from the client.

NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM

entry is required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system.

Configuring Dynamic ARP Inspection

To enable dynamic ARP inspection, use the following commands.

1. Enable DHCP snooping.

2. Validate ARP frames against the DHCP snooping binding table.

INTERFACE VLAN mode

arp inspection

To view entries in the ARP database, use the show arp inspection database command.

DellEMC#show arp inspection database

Protocol Address Age(min) Hardware Address Interface VLAN CPU

---------------------------------------------------------------------

Internet 10.1.1.251 - 00:00:4d:57:f2:50 Tf 1/2 Vl 10 CP

Internet 10.1.1.252 - 00:00:4d:57:e6:f6 Tf 1/1 Vl 10 CP

Internet 10.1.1.253 - 00:00:4d:57:f8:e8 Tf 1/3 Vl 10 CP

Internet 10.1.1.254 - 00:00:4d:69:e8:f2 Tf 1/5 Vl 10 CP

DellEMC#

To see how many valid and invalid ARP packets have been processed, use the show arp inspection statistics

command.

DellEMC#show arp inspection statistics

Dynamic ARP Inspection (DAI) Statistics

---------------------------------------

Valid ARP Requests : 0

Valid ARP Replies : 1000

Invalid ARP Requests : 1000

Invalid ARP Replies : 0

DellEMC#

Configuring dynamic ARP inspection-limit

To configure dynamic ARP inspection rate limit on a port, perform the following task.

1. Enter into global configuration mode.

EXEC Privilege mode

Dynamic Host Configuration Protocol (DHCP)

305