Dynamic ARP Inspection
The Dynamic ARP Inspection (DAI) feature safeguards the network from many of the commonly known man-in-the-middle (MITM) attacks. Dynamic ARP Inspection ensures that only valid ARP requests and responses are forwarded.
Figure 4-5b illustrates the DAI feature in action and shows how the intruder is blocked on the untrusted port
when it is trying to poison ARP entries.
Figure 4-5b. DAI in Action
DAI in a DHCP Environment
As mentioned earlier, DAI relies on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings. Configure each secure interface as trusted using the ip arp inspection trust interface configuration command. Trusted interfaces bypass the ARP inspection validation checks; all ARP packets arriving on untrusted interfaces are subject to inspection.
Enable DAI on a per-VLAN basis by using the ip arp inspection vlan [vlan-range] command in global configuration mode.
Example 4-11 shows how to configure an interface as trusted and how to enable DAI for VLANs 5 through 10.
Example 4-11. DAI in a DHCP Environment Configuration Example
Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip arp inspection trust
Switch(config)# ip arp inspection vlan 5-10
DAI in a Non-DHCP Environment
In non-DHCP environments there is no DHCP snooping binding database, so DAI instead validates ARP packets against a user-defined ARP ACL that maps hosts with statically configured IP addresses to their MAC addresses.
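The following configuration is an added example for the non-DHCP case, not one of the book's own examples: it builds an ARP ACL for two statically addressed hosts and applies it to VLAN 5. The VLAN number, IP addresses, MAC addresses and the uplink interface GigabitEthernet1/0/24 are assumed values.

```cisco
! Added example (not from the book): DAI for statically addressed hosts on VLAN 5.
! Assumed values: VLAN 5, host 10.1.5.10 at 0011.2233.4455,
! host 10.1.5.11 at 0011.2233.4466, uplink GigabitEthernet1/0/24 toward the core.
!
! 1. Define the ARP ACL: each entry binds one IP address to one MAC address.
Switch(config)# arp access-list STATIC-HOSTS-VLAN5
Switch(config-arp-nacl)# permit ip host 10.1.5.10 mac host 0011.2233.4455
Switch(config-arp-nacl)# permit ip host 10.1.5.11 mac host 0011.2233.4466
Switch(config-arp-nacl)# exit
!
! 2. Apply the ACL to the VLAN. DAI consults the ARP ACL before the DHCP
!    snooping binding database. The "static" keyword makes the ACL's implicit
!    deny final: an ARP packet that matches no entry is dropped rather than
!    being passed on to the (empty) binding database for a second check.
Switch(config)# ip arp inspection filter STATIC-HOSTS-VLAN5 vlan 5 static
!
! 3. Enable DAI on the VLAN and mark only the uplink as trusted; every other
!    port in the VLAN stays untrusted and has its ARP traffic inspected.
Switch(config)# ip arp inspection vlan 5
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
!
! 4. Verify that DAI is enabled on VLAN 5 and that the ARP ACL is attached.
Switch# show ip arp inspection vlan 5
```

Without the static keyword, a host whose ARP packets match no ACL entry would be checked against the binding database instead, which in a non-DHCP environment contains no entries and therefore yields a drop as well; the keyword simply makes that outcome explicit and independent of DHCP snooping state.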