
Preventing ARP spoofing attacks with Dynamic ARP inspection (DAI)

Dynamic ARP Inspection (DAI) is a switch feature that prevents ARP spoofing (ARP cache poisoning) attacks. When enabled, DAI intercepts ARP requests and replies received on untrusted ports and verifies that the sender IPv4 address to MAC address binding carried in each packet is valid. The reference for that check is the DHCP snooping binding database, so DHCP snooping must be enabled on the same VLANs for DAI to work; hosts with static addresses, which never appear in that database, can be covered with an ARP ACL applied using the "ip arp inspection filter" command. ARP packets whose binding does not match are dropped, so a host on an untrusted port cannot claim another host's IP address, such as the address of the default gateway. ARP packets arriving on trusted ports are forwarded without inspection, so only ports facing other switches, the DHCP server or similar trusted infrastructure should be configured as trusted.

DAI is enabled in global configuration mode on a per-VLAN basis with the command "ip arp inspection vlan <vlan-id>". By default, all ports are untrusted. To configure a port as trusted, use the interface-level command "ip arp inspection trust". DAI also rate limits incoming ARP packets on untrusted ports (15 packets per second by default) and places a port in the error-disabled state when the limit is exceeded, so a port that appears to go down after DAI is enabled is usually either an uplink that should have been trusted or a host sending unusually many ARP packets.

How to enable Dynamic ARP Inspection (DAI) on a specific VLAN

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#ip arp inspection vlan 500
OmniSecuSW1(config)#exit
OmniSecuSW1#

How to configure a switch port as trusted

OmniSecuSW1#configure terminal
OmniSecuSW1(config)#interface gigabitethernet 0/0
OmniSecuSW1(config-if)#ip arp inspection trust
OmniSecuSW1(config-if)#exit
OmniSecuSW1(config)#exit
OmniSecuSW1#
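The two snippets above show the individual commands in isolation. The following is an added example, not part of the original tutorial, that ties them together with the DHCP snooping prerequisite DAI depends on, a trusted uplink, untrusted access ports with the default rate limit, and the show commands used to confirm the result. The hostname and VLAN 500 come from the tutorial; the interface numbers are assumptions. Lines starting with "!" are comments, not commands.

```cisco
! Added example (not from the original tutorial): complete DAI configuration
! for VLAN 500 on the tutorial's switch. Interface numbers are assumptions.
OmniSecuSW1#configure terminal
!
! 1. DHCP snooping must run first: DAI validates ARP packets against the
!    DHCP snooping binding database, which stays empty without it.
OmniSecuSW1(config)#ip dhcp snooping
OmniSecuSW1(config)#ip dhcp snooping vlan 500
!
! 2. Enable DAI on the VLAN and, optionally, the extra consistency checks:
!    Ethernet source MAC vs ARP sender MAC, Ethernet destination MAC vs ARP
!    target MAC, and rejection of invalid IP addresses in the ARP body.
OmniSecuSW1(config)#ip arp inspection vlan 500
OmniSecuSW1(config)#ip arp inspection validate src-mac dst-mac ip
!
! 3. Trust the uplink towards the distribution switch and the DHCP server
!    (assumed here to be GigabitEthernet0/1). Both DHCP snooping and DAI need
!    the port trusted; otherwise DHCP server replies are dropped and the
!    binding table never fills.
OmniSecuSW1(config)#interface gigabitethernet 0/1
OmniSecuSW1(config-if)#description Uplink to distribution switch and DHCP server
OmniSecuSW1(config-if)#ip dhcp snooping trust
OmniSecuSW1(config-if)#ip arp inspection trust
OmniSecuSW1(config-if)#exit
!
! 4. Access ports stay untrusted (the default). Keep the default ARP rate
!    limit of 15 packets per second so an ARP flood err-disables the port,
!    and let the switch recover such ports automatically after the timeout.
OmniSecuSW1(config)#interface range gigabitethernet 0/2 - 24
OmniSecuSW1(config-if-range)#switchport mode access
OmniSecuSW1(config-if-range)#switchport access vlan 500
OmniSecuSW1(config-if-range)#ip arp inspection limit rate 15
OmniSecuSW1(config-if-range)#exit
OmniSecuSW1(config)#errdisable recovery cause arp-inspection
OmniSecuSW1(config)#end
!
! 5. Verify: DAI must show as enabled for VLAN 500, the uplink as trusted,
!    and the binding table must list the DHCP clients; dropped packets appear
!    in the per-VLAN statistics.
OmniSecuSW1#show ip arp inspection vlan 500
OmniSecuSW1#show ip arp inspection interfaces
OmniSecuSW1#show ip dhcp snooping binding
OmniSecuSW1#show ip arp inspection statistics vlan 500
```

After the access ports come up, check that "show ip dhcp snooping binding" lists every client. A host missing from that table, for example a server with a static address, has its ARP traffic dropped unless it sits on a trusted port or is covered by an ARP ACL, and the drop counters in "show ip arp inspection statistics" are the first place such a problem shows up.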