To prevent ARP spoofing or "poisoning", a switch must
ensure that only valid ARP requests and responses are relayed. Dynamic ARP
Inspection (DAI) prevents these attacks by intercepting and validating all ARP
requests and responses. Each intercepted ARP reply is checked for a valid
MAC-to-IP address binding before it is forwarded to a PC to update the ARP
cache. ARP replies coming from invalid devices are dropped.
DAI validates
ARP replies coming from statically configured IP addresses, or from a set of MAC
addresses defined in a VLAN access control list. DAI can also determine the
validity of an ARP reply based on bindings stored in a DHCP snooping database.
To ensure that only valid ARP requests and responses are relayed, DAI takes the
following actions:
- Forwards ARP packets received on a trusted interface without any checks.
- Intercepts all ARP packets on untrusted ports.
- Verifies that each intercepted packet has a valid IP-to-MAC address binding
  before forwarding packets that can update the local ARP cache.
- Drops and/or logs ARP packets with invalid IP-to-MAC address bindings.
Configure all Access switch ports as untrusted and all switch ports
connected to other switches as trusted. In this case, all ARP packets entering
the switch from an upstream Distribution or Core switch arrive on a trusted
port, bypass the security check, and require no further validation.
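The following is an added example, not vendor code or part of the original text: a small Python model of the DAI decision order above (trusted port bypass, then static bindings, then DHCP snooping bindings, then drop and log), run over constructed ARP packets on an assumed topology where Gi1/0/1 and Gi1/0/2 are access ports and Gi1/0/24 is the uplink. Port names, addresses and the log line format are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    """One intercepted ARP packet; the sender fields are what DAI validates."""
    ingress_port: str
    sender_ip: str
    sender_mac: str


class DynamicArpInspection:
    """Constructed model of DAI: trusted ports bypass all checks; untrusted
    ports are checked against static bindings (an ARP ACL) first, then the
    DHCP snooping binding table; anything without a matching binding is
    dropped and logged."""

    def __init__(self, trusted_ports, static_bindings, snooping_bindings):
        self.trusted = set(trusted_ports)
        self.static = {ip: mac.lower() for ip, mac in static_bindings.items()}
        self.snooping = {ip: mac.lower() for ip, mac in snooping_bindings.items()}
        self.log = []  # constructed log lines, not a vendor message format

    def inspect(self, pkt):
        if pkt.ingress_port in self.trusted:
            return "forward"  # trusted interface: forwarded without any checks
        # Untrusted port: static binding wins, otherwise consult DHCP snooping.
        expected = self.static.get(pkt.sender_ip, self.snooping.get(pkt.sender_ip))
        if expected == pkt.sender_mac.lower():
            return "forward"  # valid IP-to-MAC binding
        self.log.append(
            f"DAI drop on {pkt.ingress_port}: {pkt.sender_ip} claimed by "
            f"{pkt.sender_mac}, expected {expected or 'no binding'}")
        return "drop"


def run_demo():
    """Constructed topology: Gi1/0/1-2 are access ports, Gi1/0/24 is the uplink."""
    dai = DynamicArpInspection(
        trusted_ports={"Gi1/0/24"},
        static_bindings={"10.0.0.1": "0000.0c07.ac01"},     # gateway, static entry
        snooping_bindings={"10.0.0.10": "aaaa.bbbb.0010",   # learned by DHCP snooping
                           "10.0.0.11": "aaaa.bbbb.0011"},
    )
    packets = [
        ArpPacket("Gi1/0/1", "10.0.0.10", "AAAA.BBBB.0010"),  # legitimate host
        ArpPacket("Gi1/0/2", "10.0.0.1", "aaaa.bbbb.0011"),   # host 11 claims gateway IP
        ArpPacket("Gi1/0/2", "10.0.0.50", "aaaa.bbbb.0050"),  # no binding known
        ArpPacket("Gi1/0/24", "10.0.0.1", "0000.0c07.ac01"),  # from upstream switch
    ]
    return [dai.inspect(p) for p in packets], dai.log
```

Only the two untrusted-port packets with a missing or mismatched binding are dropped, and each drop produces one log entry; the uplink packet is forwarded with no lookup at all.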