Config Lab: DAI 1

Wendell Odom
By Wendell Odom October 8, 2021 17:05

IP uses Address Resolution Protocol (ARP) to discover the MAC address used by other hosts in the same subnet. Unfortunately, cybersecurity attacks often use legitimate protocols in unintended ways to form an attack, and ARP is no exception.

To help prevent ARP-based attacks, engineers can enable the Dynamic ARP Inspection (DAI) feature of LAN switches. DAI in a switch monitors ARP messages flowing through the switch, filtering messages based on a set of rules. Notably, DAI compares ARP messages to tables of legitimate data about IP/MAC address pairs, with the DHCP Snooping feature gathering that data based on DHCP messages. In this lab, you configure both DAI and DHCP snooping on two different switches and examine the minor differences in configuration.

All about Config Labs

The blog has a series of lab exercises called “Config Labs.” Each lab presents a topology with the relevant initial configuration for each device. The lab also lists new requirements, after which you should create the additional configuration to meet those requirements. You can do the lab on paper, in a text editor, or use software tools like Cisco Packet Tracer or Cisco Modeling Labs.

Once you have created your answer, you can click various tabs at the bottom of this post to see the lab answers, comments about the lab, and other helpful information.

The Lab Exercise

The Lab Exercise

Many cybersecurity attacks use established protocols like DHCP and ARP to find a way to learn information and cause problems in a network. Two switch features, DHCP Snooping and Dynamic ARP Inspection (DAI), prevent attacks based on DHCP and ARP, respectively. Both use a similar configuration model to enable the feature in a VLAN and then either trust or not trust each switch port.

DAI relies on a list of valid IP/MAC address pairs. The list includes IP/MAC address pairs considered to be legitimate in the subnet. DAI then monitors incoming ARP messages on untrusted ports, comparing the ARP messages to the table of legitimate address pairs and filtering the messages that do not conform to the entries in the table.

DAI uses a table built by DHCP Snooping or by ARP ACLs. For this lab, configure DHCP Snooping correctly, which causes DHCP Snooping to create a table called the DHCP Snooping Binding Table. This table lists the IP/MAC address pairs for any host that successfully leased an IP address. Then also configure DAI so that it uses the DHCP Snooping Binding table to make its decisions.

 

For this lab, take these specific steps.

  1. Configure DHCP Snooping as follows:
    1. Enable DHCP Snooping in VLAN 10.
    2. Switch SW1 operates as a layer 2 switch, not a layer 3 switch, so disable the insertion of DHCP Option 82 headers.
    3. Configure (or use the default) so each switch port is either trusted or untrusted for DHCP Snooping.
  2. Configure DAI as follows:
    1. Enable DAI in VLAN 10.
    2. Analyze the devices attached to the switch and ask yourself: Which devices will have entries in the DHCP Snooping Binding table? Then, make a note of those devices and switch ports.
    3. Configure (or use the default) so each switch port is either trusted or untrusted for DAI Snooping.

 

Initial Configurations

The initial configuration on switch SW1 places all four of its ports into the same VLAN (VLAN 10). In addition, the router has an IP address configured on its LAN interface (G0/0) so that it can ping the DHCP server’s address on the LAN. The router should also be able to ping the client PCs once they lease an IP address.

Example 1: SW1 Config

 

Example 2: R1 Config

 

The PCs each act as a DHCP client, expecting to lease an IP address and learn the mask and default gateway settings from the DHCP server. You can assume the DHCP Server shown in the figure works. However, to be complete, Example 5 shows the IOS DHCP server configuration that you could use to support this lab. (The CPT and CML files supplied with this lab use this same configuration.)

Example 3: DHCP Server (IOS Router)

Answer Options - Click Tabs to Reveal

You can learn a lot and strengthen real learning of the topics by creating the configuration – even without a router or switch CLI. In fact, these labs were originally built to be used solely as a paper exercise!

To answer, just think about the lab. Refer to your primary learning material for CCNA, your notes, and create the configuration on paper or in a text editor. Then check your answer versus the answer post, which is linked at the bottom of the lab, just above the comments section.

You can also implement the lab using the Cisco Packet Tracer network simulator. With this option, you use Cisco’s free Packet Tracer simulator. You open a file that begins with the initial configuration already loaded. Then you implement your configuration and test to determine if it met the requirements of the lab.

(Use this link for more information about Cisco Packet Tracer.)

Use this workflow to do the labs in Cisco Packet Tracer:

  1. Download the .pkt file linked below.
  2. Open the .pkt file, creating a working lab with the same topology and interfaces as the lab exercise.
  3. Add your planned configuration to the lab.
  4. Test the configuration using some of the suggestions below.

Download this lab’s Packet Tracer File

You can also implement the lab using Cisco Modeling Labs – Personal (CML-P). CML-P (or simply CML) replaced Cisco Virtual Internet Routing Lab (VIRL) software in 2020, in effect serving as VIRL Version 2.

If you prefer to use CML, use a similar workflow as you would use if using Cisco Packet Tracer, as follows:

  1. Download the CML file (filetype .yaml) linked below.
  2. Import the lab’s CML file into CML and then start the lab.
  3. Compare the lab topology and interface IDs to this lab, as they may differ (more detail below).
  4. Add your planned configuration to the lab.
  5. Test the configuration using some of the suggestions below.

Download this lab’s CML file!

 

Network Device Info:

This table lists the interfaces listed in the lab exercise documentation versus those used in the sample CML file.

Device Lab Port  CML Port
SW1 G0/1 G0/0
SW1 F0/1 G0/1
SW1 F0/2 G0/2
SW1 F0/3 G0/3
R1 G0/2/0 G0/2

Lab Answers Below: Spoiler Alert

Lab Answers: Configuration (Click Tab to Reveal)

Example 1: SW1 Config

Commentary, Issues, and Verification Tips (Click Tabs to Reveal)

First, focus on the DHCP Snooping configuration independent of the DAI configuration. The first three lines of Answer Example 1 list the DHCP Snooping global configuration. The first two commands enable DHCP Snooping in VLAN 10 (both are required): ip dhcp snooping and ip dhcp snooping vlan 10. Then, the no ip dhcp information option global command reverses a default setting of ip dhcp information option, which is necessary because the default setting makes sense only when the switch acts as both a layer 3 switch and as a DHCP Relay Agent.

As for the DHCP Snooping trust settings, the two switch SW1 ports connected to the DHCP clients can use the default setting of untrusted. But those defaults matter quite a bit to DAI because of the last of the following logic switch logic steps:

  1. DHCP Client messages enter the DHCP Snooping untrusted ports.
  2. DHCP Snooping allows the messages because they follow protocol rules.
  3. DHCP Snooping adds IP/MAC address pairs to the SW1 DHCP Snooping Binding table.

As for the other switch ports, the switch must trust the ports connected to the DHCP server (ip dhcp snooping trust) so that SW1 will allow incoming DHCP messages from the DHCP server. Also, note that the switch need not trust its port G0/1 (connected to router R1) because there should be no messages from the DHCP server arriving in that port. However, were the DHCP Server somewhere in the network further to the right of router R1, then SW1 would need to trust port G0/1 for DHCP Snooping.

Now, consider the DAI configuration. To start, ask yourself: For which of switch SW1’s switch ports does it make sense to treat the port as trusted and untrusted for DAI? It turns out that you can choose which ports to trust with DAI based on two rules:

  1. Trust for DAI if trusted for DHCP Snooping.
  2. Trust for DAI if the attached device is not a DHCP Client (even if the port is untrusted for DHCP Snooping)

Applying those rules to configure this lab, you should:

  • Make switch ports F0/2 and F0/3, the ports connected to the PCs, untrusted for DAI (the default setting)
  • Make switch port F0/1, the port connected to the DHCP server, trusted for DAI (rule 1 above)
  • Make switch port G0/1, the port connected to the router, trusted for DAI (rule 2 above)

Beyond those settings, DAI requires a single global configuration command to both enable the feature and enable it in a specific VLAN: ip arp inspection vlan 10 in this case.

Known Issues in this Lab

This section of each Config Lab Answers post hopes to help with those issues by listing any known issues with Packet Tracer related to this lab. In this case, the issues are:

Number Summary Detail
1 Core feature config only CPT supports the configuration of core DAI features, including all mentioned in this lab. However, the configuration support is limited.
2 DAI does not work as intended. CPT does not filter ARP messages with DAI enabled. Therefore, when you enable DAI and follow testing steps to simulate an attack, DAI does not filter the messages.
3 Incorrect show ip dhcp snooping binding output On real gear, this command displays the DHCP Snooping Binding Table. CPT sporadically displays correct table entries.
4 Sparse show ip dhcp snooping output Real gear displays more detailed output as compared to CPT.
5 Incorrect show ip arp inspection output Once configured, real gear shows the feature with a state of “active” in a VLAN. CPT shows “inactive.”
6 CPT feature platform differences In CPT, the 2960 and 3650 switch models provide some DHCP Snooping support. However, the support levels differ, with some differences in show commands. In our testing, the feature could be configured on both models but only worked when using 2960s.

 

Why Would Cisco Packet Tracer Have Issues?

(Note: The below text is the same in every Config Lab.)

Cisco Packet Tracer (CPT) simulates Cisco routers and switches. However, CPT does not run the same software that runs in real Cisco routers and switches. Instead, developers wrote CPT to predict the output a real router or switch would display given the same topology and configuration – but without performing all the same tasks, an actual device has to do. On a positive note, CPT requires far less CPU and RAM than a lab full of devices so that you can run CPT on your computer as an app. In addition, simulators like CPT help you learn about the Cisco router/switch user interface – the Command Line Interface (CLI) – without having to own real devices.

CPT can have issues compared to real devices because CPT does not run the same software as Cisco devices. CPT does not support all commands or parameters of a command. CPT may supply output from a command that differs in some ways from what an actual device would give. Those differences can be a problem for anyone learning networking technology because you may not have experience with that technology on real gear – so you may not notice the differences. So this section lists differences and issues that we have seen when using CPT to do this lab.

Beyond comparing your answers to this lab’s Answers post, you can test in Cisco Packet Tracer (CPT) or Cisco Modeling Labs (CML). In fact, you can and should explore the lab once configured. However, note that in CPT Version 8.0, which we used when creating this lab in 2021, CPT did not implement DAI verification commands very well. If using a later CPT version in later years, you may get better results. Regardless, you can try the various show commands in the list below:

  1. Display all DHCP Snooping settings and per-interface non-default settings: show ip dhcp snooping
  2. Display the DHCP Snooping Binding Table: show ip dhcp snooping binding
  3. Display subsets of information about DAI:
    1. show ip arp inspection
    2. show ip arp inspection interfaces
    3. show ip arp inspection statistics

More Labs with Related Content!

Config Lab: DHCP Snooping 2
Config Lab: CDP/LLDP 1
Wendell Odom
By Wendell Odom October 8, 2021 17:05
Write a comment

No Comments

No Comments Yet!

Let me tell You a sad story ! There are no comments yet, but You can be first one to comment this article.

Write a comment
View comments

Write a comment

Comment; Identify w/ Social Media or Email

Subscribe

Subscribe to our mailing list and get interesting stuff and updates to your email inbox.

Thank you for subscribing.

Something went wrong.

Search

Categories