Monday, June 18, 2012

How to configure Cisco Dynamic ARP Inspection...

To defend against ARP spoofing tools such as NetCut and against man-in-the-middle attacks, Cisco switches from the 2960 series upward (Layer 2/3 and above) provide Dynamic ARP Inspection (DAI). The principle is to keep an IP-MAC-port binding table in the switch: when a terminal device attached to a switch port sends network traffic that violates this binding table, the port is shut down and syslog emits a corresponding message. The binding table can be built via DHCP option 82, with the switch using DHCP snooping to learn the DHCP information and record the result in the table, which can be stored on a TFTP server; alternatively the network administrator can build the table by hand through configuration. The configuration details are as follows:

1. Configure DHCP snooping and DAI


ip dhcp snooping vlan 1-3
ip dhcp snooping database tftp://172.16.7.250/dai.list
ip dhcp snooping

ip arp inspection vlan 2-3
ip arp inspection validate src-mac dst-mac ip
ip arp inspection filter allow_arp vlan 2-3

2. Configure the interfaces
Example: g1/0/24 connects to the DHCP server; set it to trust, meaning DAI is not performed on this interface
interface GigabitEthernet1/0/24
 ip arp inspection trust
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100
 ip dhcp snooping trust

Example: the other ports, which connect to switches that do not support DAI or to clients; by default, when DAI is enabled, all ports are untrusted
interface GigabitEthernet1/0/1
 ip arp inspection limit rate 100
 ip dhcp snooping limit rate 100

3. Manually build the binding table
Manually create the ARP inspection list:
   ip source binding 9876.ed6f.0012 vlan 1 172.16.7.111 interface g1/0/10

4. Build a whitelist to exclude fixed devices such as printers and servers
arp access-list allow_arp
  permit ip host 172.16.7.11 mac host 0123.5678.de69
  permit ip host 172.16.7.132 mac host 0345.5e6f.0911


5. Handle some unexpected situations
   DAI may put a port into the err-disabled state under special circumstances, so configure automatic recovery from this condition:
   errdisable recovery cause arp-inspection
   errdisable recovery interval 45

6. Commands for checking the results
   Show commands:
   show ip dhcp snooping binding
   sh ip arp inspection interfaces
   sh ip arp inspection statistics
   sh ip arp inspection vlan 1-3

7. Test results
    Example: netcut tries to spoof 192.168.1.120 and 192.168.1.130; because of Cisco DAI, it fails !!!
    00:58:48: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/21, vlan 1.
                  ([7617.2d2a.3969/192.168.1.120/0000.0000.0000/192.168.1.130/00:58:47 UTC Mon Mar 1 1993])
    00:58:48: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/21, vlan 1.
                  ([7617.2d2a.3969/192.168.1.130/0000.0000.0000/192.168.1.120/00:58:47 UTC Mon Mar 1 1993])
    00:58:50: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/21, vlan 1.

   As soon as the client starts netcut, the client's switch port is err-disabled

    SW2(config-if)#

    01:14:54: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 8 milliseconds on Gi1/0/18.
    01:14:54: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/18, putting Gi1/0/18 in err-disable state
    01:14:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to down
    01:14:56: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/18, changed state to down
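To turn these syslog messages into something an operator can act on, here is an added Python example (not code from the original post) that parses the DAI deny, rate-exceeded and err-disable messages shown above and summarizes them per interface, flagging a sender MAC that claims more than one IP on the same port, which is exactly the pattern the netcut test produced. The sample lines are constructed from the message formats on this page, with each DENY message on a single line.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the DAI syslog messages shown in this post.
SAMPLE_LOG = """\
00:58:48: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/21, vlan 1.([7617.2d2a.3969/192.168.1.120/0000.0000.0000/192.168.1.130/00:58:47 UTC Mon Mar 1 1993])
00:58:48: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/21, vlan 1.([7617.2d2a.3969/192.168.1.130/0000.0000.0000/192.168.1.120/00:58:47 UTC Mon Mar 1 1993])
01:14:54: %SW_DAI-4-PACKET_RATE_EXCEEDED: 16 packets received in 8 milliseconds on Gi1/0/18.
01:14:54: %PM-4-ERR_DISABLE: arp-inspection error detected on Gi1/0/18, putting Gi1/0/18 in err-disable state
01:14:55: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/18, changed state to down
"""

# DENY message: count, ARP op, interface, VLAN, then [sender MAC/sender IP/target MAC/target IP/time].
DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs \((?P<op>\w+)\) on (?P<intf>\S+), "
    r"vlan (?P<vlan>\d+)\.\s*\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/(?P<tip>[\d.]+)/"
)
RATE_RE = re.compile(r"%SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<pkts>\d+) packets received in (?P<ms>\d+) milliseconds on (?P<intf>\S+)\.")
ERRDIS_RE = re.compile(r"%PM-4-ERR_DISABLE: arp-inspection error detected on (?P<intf>\S+),")


def parse_dai_log(text):
    """Return (kind, fields) tuples for DAI-related lines; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("deny", DENY_RE), ("rate", RATE_RE), ("errdisable", ERRDIS_RE)):
            m = rx.search(line)
            if m:
                events.append((kind, m.groupdict()))
                break
    return events


def summarize(events):
    """Per-interface view: denied ARP count, IPs each sender MAC claimed, err-disable flag."""
    summary = defaultdict(lambda: {"denied": 0, "claimed": defaultdict(set), "errdisabled": False})
    for kind, f in events:
        s = summary[f["intf"]]
        if kind == "deny":
            s["denied"] += int(f["count"])
            s["claimed"][f["smac"]].add(f["sip"])  # one MAC claiming several IPs is the spoofing pattern
        elif kind == "errdisable":
            s["errdisabled"] = True
    return dict(summary)


def spoofing_macs(summary):
    """(interface, MAC) pairs where one sender MAC claimed more than one IP on the same port."""
    return {(intf, mac) for intf, s in summary.items()
            for mac, ips in s["claimed"].items() if len(ips) > 1}
```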
