Interface Trust State, Security Coverage And Network Configuration - Cisco 4500M Software Manual

Chapter 34
Understanding and Configuring Dynamic ARP Inspection

Interface Trust state, Security Coverage and Network Configuration

DAI associates a trust state with each interface on the system. Packets arriving on trusted interfaces
bypass all DAI validation checks, while those arriving on untrusted interfaces go through the DAI
validation process. In a typical network configuration for DAI, all ports connected to host ports are
configured as untrusted, while all ports connected to switches are configured as trusted. With this
configuration, all ARP packets entering the network from a given switch will have passed the security
check; it is unnecessary to perform a validation at any other place in the VLAN / network:
Figure 34-2 Validation of ARP Packets on a DAI-enabled VLAN (figure not reproduced; labels: DHCP server, Host H1)
Use the trust state configuration carefully.
Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity. If
we assume that both S1 and S2 (in Figure 34-2) run DAI on the VLAN that holds H1 and H2, and if H1
and H2 were to acquire their IP addresses from S1, then only S2 binds the IP to MAC address of H1.
Therefore, if the interface between S1 and S2 is untrusted, the ARP packets from H1 get dropped on S2.
This condition would result in a loss of connectivity between H1 and H2.
Configuring interfaces to be trusted when they are actually untrusted leaves a security hole in the
network. If S1 were not running DAI, then H1 can easily poison the ARP of S2 (and H2, if the
inter-switch link is configured as trusted). This condition can occur even though S2 is running DAI.
DAI ensures that hosts (on untrusted interfaces) connected to a switch running DAI do not poison the
ARP caches of other hosts in the network. It does not, however, ensure that hosts from other portions of
the network do not poison the caches of the hosts connected to it.
To handle cases in which some switches in a VLAN run DAI and other switches do not, the interfaces
connecting such switches should be configured as untrusted. To validate the bindings of packets from
non-DAI switches, however, the switch running DAI should be configured with ARP ACLs. When it is
not feasible to determine such bindings, switches running DAI should be isolated from non-DAI
switches at Layer 3.
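The trust layout this section describes, as an added Cisco IOS configuration example (not taken from the guide): host ports untrusted, the link to another DAI switch trusted, and a link to a non-DAI switch left untrusted with an ARP ACL supplying the bindings. VLAN 10, the port roles, the IP address and the MAC address are assumptions.

```cisco
! Switch S1: DAI relies on the DHCP snooping binding table, so enable
! snooping first (VLAN 10 assumed for the VLAN holding H1 and H2)
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! Host-facing port: untrusted (the default), so H1's ARP packets are
! checked against the binding table before they are forwarded
interface FastEthernet6/3
 description Host H1 (assumed role)
 switchport access vlan 10
 no ip arp inspection trust
!
! Link to S2, which also runs DAI: trusted, so ARP packets that S2
! already validated are not dropped here for lack of a local binding
interface FastEthernet6/4
 description Link to Switch S2, DAI-enabled (assumed role)
 switchport access vlan 10
 ip arp inspection trust
!
! A neighbouring switch that does NOT run DAI: keep the link untrusted
! and declare the bindings snooping cannot learn through an ARP ACL.
! The address and MAC below are constructed placeholders.
arp access-list NON-DAI-HOSTS
 permit ip host 10.1.10.50 mac host 0000.1111.2222
!
! The ACL is applied per VLAN and is consulted before the DHCP snooping
! bindings; packets that match no ACL entry fall through to the bindings
ip arp inspection filter NON-DAI-HOSTS vlan 10
!
interface FastEthernet3/3
 description Link to non-DAI switch (assumed role), untrusted on purpose
 switchport access vlan 10
 no ip arp inspection trust
!
! Verification:
!   show ip arp inspection interfaces   (trust state per port)
!   show ip arp inspection vlan 10      (ACL applied, validation status)
```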
Note: Depending on the setup of the DHCP server and the network, it may not be possible to perform validation of a given ARP packet on all switches in the VLAN.

Remaining Figure 34-2 labels: Switch S1, Fa6/3, Fa3/3, Fa6/4, Switch S2, Fa3/4, Host H2.

Software Configuration Guide—Release 12.2(25)EW, OL-6696-01