Using Dynamic ARP Inspection

The DHCP snooping feature dynamically builds a DHCP binding table, which contains the MAC addresses associated with specific IP addresses. Additionally, this feature supports static MAC address to IP address mappings, which might be appropriate for network devices, such as routers. This DHCP binding table can be used by the Dynamic ARP Inspection (DAI) feature to help prevent Address Resolution Protocol (ARP) spoofing attacks.

Recall the purpose of ARP requests. When a network device needs to determine the MAC address that corresponds to an IP address, the device can send an ARP request. The target device replies to the requesting device with an ARP reply. The ARP reply contains the requested MAC address.

Attackers can attempt to launch an attack by sending gratuitous ARP (GARP) replies. These GARP messages can tell network devices that the attacker's MAC address corresponds to specific IP addresses. For example, the attacker might be able to convince a PC that the attacker's MAC address is the MAC address of the PC's default gateway. As a result, the PC starts sending traffic to the attacker. The attacker captures the traffic and then forwards the traffic to the appropriate default gateway.

To illustrate, consider Figure 6-6. PC1 is configured with a default gateway of However, the attacker sends GARP messages to PC1, telling PC1 that the MAC address corresponding to is BBBB.BBBB.BBBB, which is the attacker's MAC address. Similarly, the attacker sends GARP messages to the default gateway, claiming that the MAC address corresponding to PCl's IP address of is BBBB.BBBB.BBBB. This ARP cache poisoning causes PC1 and Routerl to exchange traffic via the attacker's PC. Therefore, this type of ARP spoofing attack is considered to be a man-in-the-middle attack.

Figure 6-6 ARP Spoofing

Figure 6-6 ARP Spoofing

Key Topic

Networks can be protected from ARP spoofing attacks using the DAI feature. DAI works similarly to DHCP snooping by using trusted and untrusted ports. ARP replies are allowed into the switch on trusted ports. However, if an ARP reply enters the switch on an untrusted port, the contents of the ARP reply are compared to the DHCP binding table to verify its accuracy. If the ARP reply is inconsistent with the DHCP binding table, the ARP reply is dropped, and the port is disabled.

The first step in configuring DAI is to enable DAI for one or more VLANs. For example, to enable DAI for VLAN 100, enter the following global configuration mode command:

Cat3550(config)# ip arp inspection vlan 100

By default, the DAI feature considers all switch ports to be untrusted ports. Therefore, trusted ports must be explicitly configured. These trusted ports are the ports on which ARP replies are expected. For example, to configure port Gigabit 0/6 to be a DAI trusted port, use the following syntax:

Cat3550(config)# interface gigabitethernet 0/6

Cat3550(config-if)# ip arp inspection trust

Was this article helpful?

0 0
SEO Skills And Mastery

SEO Skills And Mastery

Get More Traffic With SEO. SEO is short for search engine optimization. This is the very complex yet very visible way of accessing websites or web pages within the natural or unpaid realm of search results. Simply put in its literal sense, is that the more visits or hits as it is often referred to the more visible the said site would be when a search is applied.

Get My Free Ebook

Post a comment