
Dynamic ARP Inspection (DAI)

If your computer wants to send data to the router, it shouts an ARP Request: “Who has IP 192.168.1.1? Tell me your MAC address!” The security flaw in ARP is that it has no authentication at all; a host simply believes whatever it hears:

Anyone can reply to an ARP request, even if they don’t own that IP.

Most hosts will update their ARP cache on a reply they never asked for (an unsolicited or Gratuitous ARP).

In an ARP Spoofing Attack, an attacker continuously spams the segment with fake ARP Replies saying: “I am the Default Gateway (192.168.1.1), send all traffic to my MAC address!” Every host that accepts the lie updates its ARP table and starts sending its traffic to the attacker’s machine instead of the real router. The attacker usually forwards that traffic on to the real gateway so nobody notices the detour, which puts them in the middle of every conversation leaving the subnet.

DAI fixes this by intercepting every ARP packet that arrives on an untrusted switch port and validating it before forwarding it (trusted ports, normally only the uplinks toward the router and DHCP server, are not inspected). But how does the switch know which ARP packets are telling the truth and which are lying? It looks at the DHCP Snooping Binding Database, which records which IP was leased to which MAC, on which port, in which VLAN. Hosts with static addresses have no binding there; on Cisco switches they are covered with an ARP ACL (ip arp inspection filter) instead.

How it works in action:

A computer sends an ARP Reply saying “My IP is 192.168.1.50 and my MAC is AA:AA.” DAI holds the packet and checks the Binding Database: “Did DHCP Snooping lease 192.168.1.50 to MAC AA:AA in this VLAN, on this specific port?” If it matches, the switch forwards the ARP packet. If it does not match, the switch drops the packet and logs the violation; if a port exceeds its ARP rate limit (an attacker spamming replies does exactly that), the switch also err-disables the port. The attacker’s lie never reaches the other computers.
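The spoofing attack and the DAI decision above, modelled in Python as an added example (this is illustrative code written for this page, not Cisco's implementation). It builds raw Ethernet/ARP frames, including a forged reply claiming the gateway IP, and runs them through a toy switch that applies the three checks the text describes: trusted ports bypass inspection, untrusted ports are rate-limited, and the ARP sender MAC/IP must match a binding for that VLAN on the ingress port. The class and function names, the bindings, and the MAC, IP and port values are all constructed for the example.

```python
"""Toy model of the DAI check described above (added example, not from the
page). Frames and bindings are constructed here; names such as Binding,
DaiSwitch and the sample MAC/IP/port values are illustrative assumptions."""
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class Binding:          # one DHCP-snooping binding: (VLAN, IP) -> MAC on a port
    ip: str
    mac: str
    vlan: int
    port: str


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II + ARP frame (constructed test input)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(x) for x in sender_ip.split("."))
    tip = bytes(int(x) for x in target_ip.split("."))
    eth = tmac + smac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + sip + tmac + tip
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Decode the fields DAI needs; raise ValueError on anything malformed."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"eth_src": mac(frame[6:12]), "op": op,
            "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
            "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42])}


class DaiSwitch:
    def __init__(self, bindings, trusted_ports, rate_limit=15):
        self.bindings = {(b.vlan, b.ip): b for b in bindings}
        self.trusted = set(trusted_ports)
        self.rate_limit = rate_limit  # ARP packets/second allowed on untrusted ports
        self.counts = {}              # per-port count within one 1 s window (no timer in this toy)
        self.errdisabled = set()
        self.log = []

    def inspect(self, frame: bytes, port: str, vlan: int) -> str:
        """Return 'forward' or 'drop' for one ARP frame received on port/vlan."""
        if port in self.errdisabled:
            return "drop"
        if port in self.trusted:      # trusted ports (uplinks) bypass inspection entirely
            return "forward"
        self.counts[port] = self.counts.get(port, 0) + 1
        if self.counts[port] > self.rate_limit:
            self.errdisabled.add(port)
            self.log.append(f"{port}: ARP rate exceeded {self.rate_limit} pps, err-disabled")
            return "drop"
        try:
            a = parse_arp(frame)
        except ValueError as e:
            self.log.append(f"{port}: malformed ARP dropped ({e})")
            return "drop"
        if a["eth_src"] != a["sender_mac"]:   # same idea as 'validate src-mac'
            self.log.append(f"{port}: Ethernet source != ARP sender MAC, dropped")
            return "drop"
        b = self.bindings.get((vlan, a["sender_ip"]))
        if b is None or b.mac != a["sender_mac"] or b.port != port:
            self.log.append(f"{port}: invalid ARP {a['sender_ip']} is-at {a['sender_mac']}, dropped")
            return "drop"
        return "forward"


def demo():
    """Run the scenarios from the text and return (decisions, switch)."""
    sw = DaiSwitch([Binding("192.168.1.50", "aa:aa:aa:aa:aa:aa", 10, "Fa0/5"),
                    Binding("192.168.1.77", "bb:bb:bb:bb:bb:bb", 10, "Fa0/7")],
                   trusted_ports={"Gi0/1"})
    legit = build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:aa", "192.168.1.50",
                      "00:11:22:33:44:55", "192.168.1.1")
    # attacker on Fa0/7 (bound to .77) claims the gateway IP with its own MAC
    spoof = build_arp(ARP_REPLY, "bb:bb:bb:bb:bb:bb", "192.168.1.1",
                      "ff:ff:ff:ff:ff:ff", "192.168.1.1")
    r = {"legit_host": sw.inspect(legit, "Fa0/5", 10),
         "spoofed_gateway": sw.inspect(spoof, "Fa0/7", 10),
         "same_frame_on_trusted_uplink": sw.inspect(spoof, "Gi0/1", 10)}
    for _ in range(14):               # 14 more valid packets: 15 total, still within the limit
        sw.inspect(legit, "Fa0/5", 10)
    r["flood_errdisable"] = sw.inspect(legit, "Fa0/5", 10)   # 16th trips the limit
    return r, sw
```

Running demo() shows the two sides of the design: the forged gateway reply is dropped on the untrusted access port because no binding ties 192.168.1.1 to that MAC on that port, but the identical frame is forwarded untouched when it arrives on the trusted uplink. That is why trust should be granted only to ports that really lead to the router or DHCP server, and why the rate limit matters: a legitimate host that floods ARP also gets its port err-disabled.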

To configure DAI, DHCP Snooping has to be already enabled on the same VLAN, because the binding database it builds is what DAI validates against. Enabling DAI on a VLAN with an empty binding database drops every ARP packet on untrusted ports, so verify the bindings (show ip dhcp snooping binding) before turning it on, and remember that statically addressed hosts need an ARP ACL.

Switch# configure terminal
! DHCP snooping is assumed to be running on VLAN 10 already
Switch(config)# ip arp inspection vlan 10
! Uplink toward the router / DHCP server: trusted, so its ARP is not inspected
Switch(config)# interface GigabitEthernet0/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
! Access ports stay untrusted (the default); 15 pps is the default limit, set here explicitly
Switch(config)# interface range FastEthernet0/1 - 24
Switch(config-if-range)# ip arp inspection limit rate 15
Switch(config-if-range)# exit
Switch(config)# end
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection statistics