Dynamic ARP Inspection

Posted by Bradley | Security,switching | Wednesday 20 August 2008 23:59

A recent example of a Layer 2 attack happening in the real world was when the popular hacking tool website Metasploit was taken down. The attacker, who had a server in the same subnet as the Metasploit web server, sent ARP messages saying that the MAC of the Metasploit web server was actually on the attacker's server. The actual Metasploit web server was up and running fine, but any user visiting the website would see the attacker's “victory” message instead of the actual Metasploit website. This attack was not resolved by Dynamic ARP Inspection, but it's a cool example of what it can prevent.

There are many other attacks which abuse ARP messages, and they commonly result in DoS or man-in-the-middle attacks. Dynamic ARP Inspection (DAI) is a great method of preventing ARP-based attacks.

If DAI is deployed on a switch it will examine ARP messages on every untrusted port and discard inappropriate ones; it does not examine ARPs on trusted ports. End stations should be configured as untrusted, and connections to other switches & network devices should always be trusted, otherwise possibly valid ARP messages could be discarded.

The following are the steps by which DAI decides whether to discard a packet on an untrusted port. Only step 1 is used by default; steps 2 to 4 require extra configuration.

1 – If an ARP message states an IP address which has not been assigned via DHCP to that port, the ARP is dropped.

2 – The ARP is checked against a static list of IP/MACs, and if it doesn't match the ARP is dropped.

3 – An ARP reply should have the Ethernet source MAC and the sender MAC in the ARP message the same; if they are different the ARP is dropped. Also the Ethernet destination MAC and the target MAC in the ARP message are compared, and if they are different the ARP is dropped.

4 – Unusual IP addresses can also be filtered, such as the subnet addresses, broadcast addresses and multicast addresses.

Configuration

DAI is enabled per VLAN with the following command:
ip arp inspection vlan vlan-range

All ports default to being trusted ports, so to start the inspection of ARPs, ports must be configured as untrusted with the interface command
no ip arp inspection trust

Step 2 in the list above, where static IP/MAC lists are checked, is enabled with the following command
ip arp inspection filter arp-acl-name vlan vlan-range [static]

Steps 3 & 4 in the list above are not checked by default, but they can be enabled with the command
ip arp inspection validate {[src-mac] [dst-mac] [ip]}

The maximum rate of ARPs can also be limited, to prevent DoS attacks, with the command
ip arp inspection limit {rate pps [burst interval seconds] | none}
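The four-step list and the commands above, put together as one added example: this is a constructed Python model written for this page, not the post's own material and not Cisco code. The DaiConfig fields stand in for the commands, the port names, MACs and IPs are made up, and the checks run in the order of the post's list, which is not a claim about a real switch's internal ordering. The only extra fact it relies on is that the rate limit on an IOS untrusted port defaults to 15 packets per second.

```python
"""Toy model of Dynamic ARP Inspection on one switch (constructed example for
this post, not Cisco code). DaiConfig mirrors the IOS commands in the
Configuration section; the MACs/IPs are made up; checks run in the order of
the post's list, which is not a claim about a real switch's internal order."""
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Ethernet header (src_mac, dst_mac) plus ARP body; reply=True for an ARP reply.
Arp = namedtuple("Arp", "port vlan src_mac dst_mac reply sender_mac sender_ip target_mac target_ip")


@dataclass
class DaiConfig:
    vlans: set                                  # ip arp inspection vlan <range>
    trusted_ports: set                          # ports left as 'ip arp inspection trust'
    bindings: dict                              # DHCP snooping table: (port, vlan) -> {(ip, mac)}
    arp_acl: dict = field(default_factory=dict)  # ip arp inspection filter: ip -> permitted mac
    acl_static: bool = False                    # the [static] keyword: no fallback to step 1
    validate: set = field(default_factory=set)  # ip arp inspection validate {src-mac dst-mac ip}
    rate_pps: Optional[int] = 15                # ip arp inspection limit rate (IOS default 15)


def bad_ip(ip: str) -> bool:
    """Step 4: addresses never legitimate as an ARP sender or target."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


class Dai:
    def __init__(self, cfg: DaiConfig):
        self.cfg = cfg
        self._counts = {}         # port -> (second, frames seen in that second)
        self.errdisabled = set()  # ports shut down by the rate limiter

    def inspect(self, arp: Arp, now: float = 0.0) -> tuple:
        """Return ('forward' | 'drop', reason) for one frame."""
        cfg = self.cfg
        if arp.vlan not in cfg.vlans or arp.port in cfg.trusted_ports:
            return ("forward", "not inspected")
        if arp.port in self.errdisabled:
            return ("drop", "port err-disabled")
        if cfg.rate_pps is not None:            # ip arp inspection limit
            sec, n = self._counts.get(arp.port, (int(now), 0))
            n = n + 1 if sec == int(now) else 1
            self._counts[arp.port] = (int(now), n)
            if n > cfg.rate_pps:
                self.errdisabled.add(arp.port)
                return ("drop", "rate limit exceeded")
        # Step 3: header vs body. src-mac covers requests and replies; dst-mac
        # only replies, because a request's target MAC is not known yet.
        if "src-mac" in cfg.validate and arp.src_mac != arp.sender_mac:
            return ("drop", "src-mac mismatch")
        if "dst-mac" in cfg.validate and arp.reply and arp.dst_mac != arp.target_mac:
            return ("drop", "dst-mac mismatch")
        # Step 4: sender IP on every frame, target IP on replies.
        if "ip" in cfg.validate and (bad_ip(arp.sender_ip) or (arp.reply and bad_ip(arp.target_ip))):
            return ("drop", "invalid ip")
        # Step 2: static ARP ACL. A listed IP must carry its listed MAC; an
        # unlisted IP is dropped under [static], otherwise falls through to step 1.
        if arp.sender_ip in cfg.arp_acl:
            if cfg.arp_acl[arp.sender_ip] == arp.sender_mac:
                return ("forward", "arp acl permit")
            return ("drop", "arp acl mac mismatch")
        if cfg.arp_acl and cfg.acl_static:
            return ("drop", "arp acl implicit deny")
        # Step 1: sender IP/MAC must be a DHCP snooping binding on this port+VLAN.
        if (arp.sender_ip, arp.sender_mac) in cfg.bindings.get((arp.port, arp.vlan), set()):
            return ("forward", "dhcp binding")
        return ("drop", "no dhcp binding")


# Constructed switch state: DHCP clients on Fa0/1 and Fa0/2, the gateway
# 10.0.10.1 statically bound via the ARP ACL, uplink Gi0/24 trusted.
CFG = DaiConfig(
    vlans={10}, trusted_ports={"Gi0/24"},
    bindings={("Fa0/1", 10): {("10.0.10.11", "00:11:22:33:44:11")},
              ("Fa0/2", 10): {("10.0.10.12", "00:11:22:33:44:12")}},
    arp_acl={"10.0.10.1": "00:11:22:33:44:01"},
    validate={"src-mac", "dst-mac", "ip"}, rate_pps=3)


def demo() -> dict:
    """Push constructed frames through the inspector; returns name -> verdict."""
    dai = Dai(CFG)
    legit = Arp("Fa0/1", 10, "00:11:22:33:44:11", "ff:ff:ff:ff:ff:ff", False,
                "00:11:22:33:44:11", "10.0.10.11", "00:00:00:00:00:00", "10.0.10.1")
    spoof = Arp("Fa0/2", 10, "00:11:22:33:44:12", "00:11:22:33:44:11", True,   # 'I am the gateway'
                "00:11:22:33:44:12", "10.0.10.1", "00:11:22:33:44:11", "10.0.10.11")
    forged = Arp("Fa0/1", 10, "00:11:22:33:44:11", "00:11:22:33:44:12", True,  # body MAC != header MAC
                 "00:11:22:33:44:aa", "10.0.10.11", "00:11:22:33:44:12", "10.0.10.12")
    uplink = Arp("Gi0/24", 10, "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff", False,
                 "00:11:22:33:44:01", "10.0.10.1", "00:00:00:00:00:00", "10.0.10.11")
    out = {"legit": dai.inspect(legit), "spoof": dai.inspect(spoof),
           "forged": dai.inspect(forged), "uplink": dai.inspect(uplink)}
    out["burst"] = [dai.inspect(legit, now=5.0) for _ in range(5)]  # 5 frames in one second
    return out
```

Running demo() shows the three outcomes the post describes: the genuine DHCP client is forwarded on its binding, the host pretending to be the gateway is dropped by the ARP ACL even though it is a valid DHCP client itself, the frame whose ARP body disagrees with its Ethernet header is dropped by the src-mac check, the trusted uplink is never inspected, and the fourth frame in one second on a port limited to 3 pps trips the rate limiter and err-disables the port.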

Proxy ARP

Posted by Bradley | ethernet | Tuesday 8 July 2008 15:05

The command no ip proxy-arp was one of those things which I saw in IOS configs and wasn't too sure what proxy ARP is used for or why it exists. Proxy ARP is where a router will respond to an ARP request on behalf of another device. It was used heavily in networks before the days of DHCP & default gateways, when a host would ARP for an address that wasn't on its subnet (modern networks just send the packets to the default gateway instead of ARPing for the address); the router on the local network would then act as a “proxy” and respond on behalf of the device outside of the subnet.

Proxy ARP isn’t used if hosts are set with default gateways or have routing intelligence, and setting a default gateway instead of relying on proxy ARP is a much better option. Using proxy ARP instead of a default gateway results in higher ARP traffic, & the ARP tables of the hosts get very large as they maintain an IP/MAC binding for every single address they communicate with.
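The proxy-ARP decision and the ARP-table growth described above, as an added example: a constructed Python model written for this page, not the post's own material and not IOS code. It assumes the rule that a router proxies only when the target is reachable through a different interface from the one the request arrived on, and only when proxy ARP is enabled on that ingress interface; the interface names and addresses are made up and only connected networks are modelled (no static routes).

```python
"""Toy model of a router's proxy-ARP decision and its effect on a host's ARP
cache (constructed example for this post, not IOS code; addresses made up).
Rule modelled: answer with the router's own MAC only when the target lies
behind a different interface than the request came in on, and only if proxy
ARP is enabled on that ingress interface."""
from ipaddress import IPv4Interface, ip_address
from typing import Optional


class Router:
    def __init__(self, interfaces: dict):
        # name -> (IPv4Interface, mac, proxy_arp_enabled); 'no ip proxy-arp' sets False
        self.ifs = interfaces

    def egress_for(self, ip) -> Optional[str]:
        """Longest-prefix match over connected networks (no static routes in this toy)."""
        best = None
        for name, (iface, _mac, _proxy) in self.ifs.items():
            if ip in iface.network and (best is None or
                    iface.network.prefixlen > self.ifs[best][0].network.prefixlen):
                best = name
        return best

    def arp_request(self, ingress: str, target_ip: str) -> Optional[str]:
        """MAC the router answers with on 'ingress', or None if it stays silent."""
        iface, mac, proxy = self.ifs[ingress]
        target = ip_address(target_ip)
        if target == iface.ip:
            return mac                      # ordinary ARP for the router's own address
        if not proxy:
            return None                     # no ip proxy-arp on this interface
        egress = self.egress_for(target)
        if egress is None or egress == ingress:
            return None                     # unknown, or on the asker's own segment
        return mac                          # proxy reply: 'send it to me'


def host_arp_cache(router: Router, ingress: str, destinations: list,
                   default_gateway: Optional[str] = None) -> dict:
    """ARP cache a host on 'ingress' ends up with after talking to 'destinations'.
    With a default gateway it ARPs once for the gateway; without one it ARPs for
    every destination and depends on the router proxying for the remote ones."""
    cache = {}
    for dst in destinations:
        key = default_gateway or dst
        if key not in cache:
            mac = router.arp_request(ingress, key)
            if mac is not None:
                cache[key] = mac
    return cache


def build(proxy_on_e0: bool = True) -> Router:
    """Two-interface router; e0 is the host's segment, e1 a remote segment."""
    return Router({
        "e0": (IPv4Interface("10.0.0.1/24"), "00:00:5e:00:53:01", proxy_on_e0),
        "e1": (IPv4Interface("192.0.2.1/24"), "00:00:5e:00:53:02", True),
    })


REMOTE = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "10.0.0.99"]  # last one is local


def demo() -> dict:
    """ARP-cache sizes for a host on e0 under the three setups the post contrasts."""
    return {
        "proxy_no_gateway": len(host_arp_cache(build(True), "e0", REMOTE)),
        "proxy_with_gateway": len(host_arp_cache(build(True), "e0", REMOTE, "10.0.0.1")),
        "noproxy_no_gateway": len(host_arp_cache(build(False), "e0", REMOTE)),
    }
```

demo() returns one cache entry per remote host when the host relies on proxy ARP (all of them pointing at the router's e0 MAC), a single entry when it has a default gateway, and no usable entries at all when proxy ARP is off and no gateway is set, which is the failure mode no ip proxy-arp causes on a host that was depending on it.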

A pop quiz fact: I haven’t been able to verify this from another source, but somebody at work told me that IBM helped create DHCP, as they would assign workers/visitors static IP addresses and as people moved around addresses would get lost; eventually they lost 750,000 addresses and needed to create a solution which stopped this from worsening. This is hearsay and I can’t vouch for its authenticity, but it’s a decent story to talk about the need for DHCP.