- COURSES
- SPECIALS
- BLOG
- MEMBERS
- SHOP
- ABOUT
- ENROLL HERE
Dynamic ARP Inspection (DAI) is the security mechanism that prevents malicious ARP attacks by rejecting unknown ARP Packets. ARP attacks can be done as a Man-in-the-Middle Attack by an attacker. By capturing the traffic between two hosts, attacker poisons the ARP Cache and sends his/her own address as requested ip address. Dynamic ARP Inspection validates IP-MAC matchings.
Dynamic ARP Inspection (DAI) uses DHCP Snooping binding database that is created by DHCP Snooping by listening DHCP Messages between the nodes. According to the DHCP Snpping binding database, DAI decides. If there is a record about sender’s Ip and MAC address then it accepts the ARP Packet. If not, ARP packet is rejected. Instead of using DHCP Snooping, Static IP-MAC mappings can be also used.
Dynamic ARP Inspection (DAI) uses Trust states for interfaces. There are two trust states for interfaces, these are:
If an interface set as Trusted, DAI do not work fort his interface. But if it is an Untrusted, DAI precedures work and the MAC-IP matchings are checked.
In a network all the interfaces connected to the hosts are configured as Untrusted while the interfaces connected to the switches are configured as Trusted. By doing this, ARP Packets are checked if it is coming from a host device.
By the way, Dynamic ARP Inspection is done through VLANs. One or one more VLANs can be used fort his configuration.
As you can see above, if DAI is enabled, IP-MAC Binding Table is cheched and then if the incoming MAC address is in binding table, then this ARP Packet is accepted. If not, then the packet is discarded. Above, Host B and Host C is sending ARP packets including different MAC addresses maliciously. So, this is detected by Dynamic ARP Inspection Mechanism.
To configure Dynamic ARP Inspection on Cisco switches, we will use the below simple switch topology:
Here, we will configure DAI for VLAN 2 only. And hosts in VLAN 2 will be Untrusted. So, ARP packets coming from these interfaces will be checked. The other interfaces will configured as trusted interfaces.
So, let’s start to configure DAI.
Enabling Dynamic ARP Inspection
To enable ARP Inspection on VLAN 2, we will use “ip arp inspection vlan 2” command globally.
Switch A# configure terminal
Switch A(config)# ip arp inspection vlan 2
Setting Trusted interfaces
To set any interfaces as trusted we will use “ip arp inspection trust” command under that interface. On Swithc A, we will set FastEthernet 0/1 and FastEthernet 0/3 as Trusted. The remaining orts will be Untrusted by default.
Switch A(config)# interface fastethernet 0/1
Switch A(config-if)# ip arp inspection trust
Switch A(config)# interface fastethernet 0/3
Switch A(config-if)# ip arp inspection trust
Here, we have set these two interfaces as Trusted. The other reminings interface Fastethernet 0/2 remains as Untrusted. Because by default all interfaces are Untrusted.
Leave a Reply