[Narrator 1] ARP provides IP communication within a layer two broadcast domain by mapping an IP address to a MAC address. For example, host B wants to send information to host A but does not have the MAC address of host A in its Address Resolution Protocol cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of host A. All hosts within the broadcast domain receive the ARP request, and host A responds with its MAC address. ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host. An ARP spoofing attack can target hosts, switches, and routers connected to your layer two network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. The diagram here shows an example of ARP cache poisoning.
Hosts A, B, and C are connected to the switch on interfaces A, B, and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses. For example, host A uses IP address IA and MAC address MA. When host A needs to communicate to host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA. For example, IP address IA is bound to MAC address MA. When host B responds, the switch and host A populate their ARP caches with the binding for the host with the IP address IB and the MAC address MB. Host C can poison the ARP caches of the switch, host A, and host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA or IB and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that host C intercepts that traffic, because host C knows the true MAC addresses associated with IA and IB.
It can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from host A to host B, which is the topology of the classic man-in-the-middle attack. DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks. DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. As described in the previous lesson, this database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
You can configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packet do not match the addresses specified in the Ethernet header. This example provides the configuration details necessary to implement DAI to mitigate the effects of ARP spoofing attacks.

[Narrator 2] In this demo, we are enabling dynamic ARP inspection on VLAN 10. The first command, "ip arp inspection vlan 10", enables it on that VLAN interface. From there, we can do the "show ip arp inspection vlan 10". This will show us all of the information and verify our configuration. Next, we'll move on to enable it on an interface. Here we enable it on GigabitEthernet 1/1/1, and then we run "ip arp inspection trust" to add it to the trusted DAI interface list. From there, we can simply run "show ip arp inspection interfaces" to see all the interfaces with it enabled.