
Dell N3000 Series User Manual

1460 pages
884 Snooping and Inspecting Traffic
What is Dynamic ARP Inspection?
Dynamic ARP Inspection (DAI) is a security feature that rejects invalid and
malicious ARP packets. DAI prevents a class of man-in-the-middle attacks
where an unfriendly station intercepts traffic for other stations by poisoning
the ARP caches of its unsuspecting neighbors. The malicious attacker sends
ARP requests or responses mapping another station’s IP address to its own
MAC address.
When DAI is enabled, the switch drops ARP packets whose sender MAC
address and sender IP address do not match an entry in the DHCP snooping
bindings database. You can optionally configure additional ARP packet
validation.
When DAI is enabled on a VLAN, DAI is enabled on the interfaces (physical
ports or LAGs) that are members of that VLAN. Individual interfaces are
configured as trusted or untrusted. The trust configuration for DAI is
independent of the trust configuration for DHCP snooping.
Optional DAI Features
If the network administrator has configured the option, DAI verifies that the
sender MAC address equals the source MAC address in the Ethernet header.
There is a configurable option to verify that the target MAC address equals
the destination MAC address in the Ethernet header. This check applies only
to ARP responses, since the target MAC address is unspecified in ARP
requests. You can also enable IP address checking. When this option is
enabled, DAI drops ARP packets with an invalid IP address. The following IP
addresses are considered invalid:
• 0.0.0.0
• 255.255.255.255
• all IP multicast addresses
• all class E addresses (240.0.0.0/4)
• loopback addresses (in the range 127.0.0.0/8)
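The base binding check and the three optional checks described above, modelled as an added Python example; it is not code from the Dell manual or the switch firmware. The flag names (src_mac, dst_mac, ip), the MAC and IP values, and the choice to check the sender IP on every packet and the target IP on replies only are assumptions of this example.

```python
import ipaddress
import struct

# Constructed sample DHCP snooping bindings: (sender MAC, sender IP) pairs.
BINDINGS = {("00:11:22:33:44:55", "192.168.10.20")}
CLASS_E = ipaddress.ip_network("240.0.0.0/4")  # also contains 255.255.255.255

def ip_is_invalid(addr):
    """True for 0.0.0.0, 255.255.255.255, multicast, class E and loopback."""
    a = ipaddress.IPv4Address(addr)
    return int(a) == 0 or a.is_multicast or a.is_loopback or a in CLASS_E

def inspect(frame, bindings=BINDINGS, src_mac=False, dst_mac=False, ip=False):
    """Return 'forward' or 'drop: <reason>' for one Ethernet frame carrying ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet/ARP frame")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    oper, sha, spa, tha, tpa = struct.unpack("!H6s4s6s4s", frame[20:42])
    is_reply = oper == 2
    if src_mac and sha != eth_src:
        return "drop: src-mac"
    if dst_mac and is_reply and tha != eth_dst:  # target MAC is unspecified in requests
        return "drop: dst-mac"
    # Assumption: sender IP is checked on every packet, target IP on replies only.
    if ip and (ip_is_invalid(spa) or (is_reply and ip_is_invalid(tpa))):
        return "drop: ip"
    # Base check: sender MAC + sender IP must match a snooping binding.
    if (sha.hex(":"), str(ipaddress.IPv4Address(spa))) not in bindings:
        return "drop: no binding"
    return "forward"

def arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame from MAC strings and dotted-quad IPs."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: ipaddress.IPv4Address(s).packed
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
    return m(eth_dst) + m(eth_src) + hdr + m(sha) + i(spa) + m(tha) + i(tpa)

HOST, GW, OTHER = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"
# Reply from the bound host: consistent headers, sender pair is in the bindings.
GOOD = arp_frame(GW, HOST, 2, HOST, "192.168.10.20", GW, "192.168.10.1")
# Reply mapping the gateway's IP to a MAC that has no binding for it.
POISON = arp_frame(HOST, OTHER, 2, OTHER, "192.168.10.1", HOST, "192.168.10.20")
# ARP payload matches a binding, but the Ethernet source MAC differs from it.
MISMATCH = arp_frame(GW, OTHER, 2, HOST, "192.168.10.20", GW, "192.168.10.1")
if __name__ == "__main__":
    for name, f in (("GOOD", GOOD), ("POISON", POISON), ("MISMATCH", MISMATCH)):
        print(name, inspect(f), "|", inspect(f, src_mac=True, dst_mac=True, ip=True))
```

The MISMATCH frame is forwarded by the binding check alone and dropped only when the source MAC check is enabled, which is the gap that optional check closes.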
DAI can also be configured to rate-limit ARP requests on untrusted
interfaces. If the configured rate is exceeded, DAI diagnostically disables the
port on which the rate limit was exceeded. Use the no shutdown command to


Dell N3000 Series Specifications

General
Managed: Yes
Stacking Ports: 2 x 10GbE SFP+
Weight: 12.3 lbs (5.6 kg)
Operating Temperature: 32° to 113°F (0° to 45°C)
Ports: 24 or 48 10/100/1000 ports
