Mitigating Spoof Attacks
What is Dynamic ARP Inspection?

To prevent ARP spoofing or "poisoning", a switch must ensure that only valid ARP requests and responses are relayed. Dynamic ARP Inspection (DAI) prevents these attacks by intercepting and validating all ARP requests and responses. Each intercepted ARP reply is verified for valid MAC address to IP address bindings before it is forwarded to a PC to update the ARP cache. ARP replies coming from invalid devices are dropped.

DAI validates ARP replies coming from statically configured IP addresses, or from a set of MAC addresses defined in a VLAN access control list. DAI can also determine the validity of an ARP reply based on the bindings stored in a DHCP snooping database. To ensure that only valid ARP requests and responses are relayed, DAI takes the following actions:

  • Forwards ARP packets received on a trusted interface without any checks.
  • Intercepts all ARP packets on untrusted ports.
  • Verifies that each intercepted packet has a valid IP-to-MAC address binding before forwarding packets that can update the local ARP cache.
  • Drops and/or logs ARP packets with invalid IP-to-MAC address bindings.

Configure all access switch ports as untrusted and all switch ports connected to other switches as trusted. In this case, all ARP packets entering the switch from the upstream distribution or core switch arrive on a trusted port, bypass the security check, and require no further validation.
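The decision sequence in the bullets above, modelled as an added Python example (it is not code from the original page or from any vendor's DAI implementation). The binding tables, port names, MAC and IP addresses are constructed; on a real switch this policy is configured rather than coded, and the model only shows what is checked at each step.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed DHCP snooping database: (vlan, ip) -> MAC learned from DHCP exchanges
DHCP_SNOOPING_DB: Dict[Tuple[int, str], str] = {
    (10, "10.1.10.20"): "00:11:22:33:44:55",
    (10, "10.1.10.21"): "00:11:22:33:44:66",
}
# Constructed static bindings for hosts with fixed addresses (the gateway here)
STATIC_BINDINGS: Dict[Tuple[int, str], str] = {(10, "10.1.10.1"): "00:aa:bb:cc:dd:01"}
# The uplink to the distribution switch is trusted; every access port is untrusted
TRUSTED_PORTS = {"Gi0/1"}

@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    eth_src: str     # source MAC in the Ethernet header
    sender_mac: str  # sender hardware address in the ARP payload
    sender_ip: str   # sender protocol address in the ARP payload
    opcode: int      # 1 = request, 2 = reply

def expected_mac(vlan: int, ip: str) -> Optional[str]:
    """Valid MAC for an IP: static bindings first, then the DHCP snooping database."""
    key = (vlan, ip)
    return STATIC_BINDINGS.get(key) or DHCP_SNOOPING_DB.get(key)

def inspect(pkt: ArpPacket) -> Tuple[str, str]:
    """Return ("forward", reason) or ("drop", reason) for one intercepted ARP packet."""
    # Trusted interface: relayed without any checks.
    if pkt.ingress_port in TRUSTED_PORTS:
        return "forward", "trusted interface"
    # Untrusted: the Ethernet source must agree with the ARP sender MAC (the extra
    # src-mac validation DAI offers on top of the binding check).
    if pkt.eth_src.lower() != pkt.sender_mac.lower():
        return "drop", f"ethernet src {pkt.eth_src} != arp sender {pkt.sender_mac}"
    # Untrusted: the sender IP-to-MAC pair must match a known binding.
    valid = expected_mac(pkt.vlan, pkt.sender_ip)
    if valid is not None and valid.lower() == pkt.sender_mac.lower():
        return "forward", "binding matches"
    # Invalid binding: drop and log, so the packet never updates a host's ARP cache.
    kind = "reply" if pkt.opcode == 2 else "request"
    return "drop", (f"invalid {kind} on {pkt.ingress_port} vlan {pkt.vlan}: "
                    f"{pkt.sender_ip} claimed by {pkt.sender_mac}, expected {valid}")

# Constructed traffic: a legitimate reply from a DHCP client, and a reply on an
# untrusted access port claiming the gateway's IP with another MAC (a poisoning attempt).
LEGIT = ArpPacket("Fa0/5", 10, "00:11:22:33:44:55", "00:11:22:33:44:55", "10.1.10.20", 2)
SPOOF = ArpPacket("Fa0/7", 10, "00:de:ad:be:ef:01", "00:de:ad:be:ef:01", "10.1.10.1", 2)
```

Running `inspect(LEGIT)` forwards the packet, while `inspect(SPOOF)` drops it with a log reason naming the claimed IP, the offending MAC and the binding the switch expected.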