Preventing ARP spoofing attacks with Dynamic ARP inspection (DAI)
Dynamic ARP Inspection (DAI) is a switch feature used to prevent ARP spoofing attacks. When enabled, DAI verifies the IPv4 address to MAC address binding carried in each ARP packet against the DHCP snooping binding database. If a mismatch is detected on an untrusted port, DAI discards the spoofed ARP packet. DAI only inspects ARP packets arriving on untrusted ports; packets from trusted ports are forwarded without inspection.
Dynamic ARP Inspection (DAI) is enabled globally per VLAN using the command "ip arp inspection vlan <vlan-id>". By default, all ports are untrusted. To configure a port as trusted, use the command "ip arp inspection trust" at the interface level.
How to enable Dynamic ARP Inspection (DAI) on a specific VLAN
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip arp inspection vlan 500
OmniSecuSW1(config)#exit
OmniSecuSW1#
How to configure a switch port as trusted
OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip arp inspection trust
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
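The following is an added example, not from the original page and not Cisco code: a small Python model of the DAI forwarding decision described above. The DHCP snooping bindings, the trusted port set and the ARP packets are constructed values that mirror the configuration shown (VLAN 500 inspected, Gi0/0 trusted).

```python
from dataclasses import dataclass

# Constructed DHCP snooping binding table: (VLAN, IPv4) -> MAC.
# On a real switch DAI reads this from the DHCP snooping database.
BINDINGS = {
    (500, "10.0.50.10"): "00:11:22:33:44:10",
    (500, "10.0.50.11"): "00:11:22:33:44:11",
}

# Ports configured with "ip arp inspection trust" (constructed; Gi0/0 as on the page).
TRUSTED_PORTS = {"Gi0/0"}

# VLANs with "ip arp inspection vlan <id>" applied.
DAI_VLANS = {500}


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str
    sender_mac: str


def dai_decision(pkt: ArpPacket) -> str:
    """Return 'forward' or 'drop' for one ARP packet using the DAI rules:
    only ARP on DAI-enabled VLANs arriving on untrusted ports is inspected,
    and the sender IP/MAC pair must match the DHCP snooping binding."""
    if pkt.vlan not in DAI_VLANS:
        return "forward"  # DAI not enabled on this VLAN, nothing to check
    if pkt.ingress_port in TRUSTED_PORTS:
        return "forward"  # trusted ports bypass inspection entirely
    bound_mac = BINDINGS.get((pkt.vlan, pkt.sender_ip))
    if bound_mac is None or bound_mac.lower() != pkt.sender_mac.lower():
        return "drop"  # no binding, or MAC differs from the binding: spoofed
    return "forward"


def inspect_all(packets):
    """Apply dai_decision to each packet and return (port, decision) pairs."""
    return [(p.ingress_port, dai_decision(p)) for p in packets]


if __name__ == "__main__":
    sample = [
        ArpPacket("Gi0/5", 500, "10.0.50.10", "00:11:22:33:44:10"),  # legitimate host
        ArpPacket("Gi0/6", 500, "10.0.50.10", "00:11:22:33:44:11"),  # claims a neighbour's IP
        ArpPacket("Gi0/0", 500, "10.0.50.1", "00:11:22:33:44:01"),   # uplink, trusted
        ArpPacket("Gi0/7", 600, "10.0.60.9", "00:11:22:33:44:60"),   # VLAN without DAI
    ]
    for port, verdict in inspect_all(sample):
        print(f"{port}: {verdict}")
```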