Dynamic ARP Inspection and DHCP Snooping

Cisco has integrated a solution known as Dynamic ARP Inspection and DHCP Snooping into its switches to prevent ARP cache poisoning.

The switch keeps a record of the <IP, MAC> mappings learned from DHCP and can therefore detect and drop any spoofed ARP replies that contradict those mappings. This technique is called Dynamic ARP Inspection (DAI). DAI does not affect normal ARP traffic (legitimate ARP requests and replies, as opposed to faked gratuitous ARP); only forged gratuitous ARP packets are dropped. It can be enabled using the following commands on a Cisco switch:

Switch(config)# ip arp inspection vlan (number)
Switch(config)# interface (X)
Switch(config-if)# ip arp inspection trust
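To make the mechanism concrete, here is an added model of the DAI check (illustration only, not Cisco's code): a constructed DHCP snooping binding table, a parser for the raw ARP body, and a verdict function that drops an ARP packet on an untrusted port when its sender <IP, MAC> pair does not match the table. The VLAN numbers, port names, MAC and IP addresses are all made-up sample data.

```python
"""Model of Dynamic ARP Inspection validation against a DHCP snooping
binding table. Added illustration, not Cisco's implementation; all
bindings, ports and frames below are constructed sample data."""
import struct
from dataclasses import dataclass

# Constructed binding table as DHCP snooping would learn it: (vlan, ip) -> (mac, port)
BINDINGS = {
    (10, "192.0.2.10"): ("aa:bb:cc:00:00:10", "Gi1/0/1"),
    (10, "192.0.2.20"): ("aa:bb:cc:00:00:20", "Gi1/0/2"),
}
# Uplink configured with 'ip arp inspection trust'; DAI does not inspect it
TRUSTED_PORTS = {"Gi1/0/24"}


@dataclass
class ArpPacket:
    opcode: int          # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Encode a 28-byte Ethernet/IPv4 ARP body (used to construct samples)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa)


def parse_arp(payload: bytes) -> ArpPacket:
    """Decode the 28-byte Ethernet/IPv4 ARP body (RFC 826 layout)."""
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return ArpPacket(op, mac(sha), ip(spa), mac(tha), ip(tpa))


def dai_verdict(vlan: int, port: str, pkt: ArpPacket) -> str:
    """Return 'forward' or 'drop' as DAI would for a packet arriving on this port."""
    if port in TRUSTED_PORTS:
        return "forward"                      # trusted ports bypass inspection
    binding = BINDINGS.get((vlan, pkt.sender_ip))
    if binding is None or binding[0] != pkt.sender_mac:
        return "drop"                         # sender <IP, MAC> not in the snooping table
    return "forward"
```

A gratuitous reply claiming 192.0.2.10 from a MAC other than the one DHCP recorded is dropped on any untrusted access port, while the same packet on the trusted uplink passes, which is why only uplinks and DHCP-server-facing ports should be marked trusted.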

The next step an attacker would take is to spoof DHCP requests and responses in order to poison the switch's binding table. The switch has a feature called DHCP Snooping that should be enabled to protect against this.

As an additional step, administrators should also limit VLAN membership to as few hosts as possible, so that if ARP cache poisoning does occur, the number of affected hosts is limited.
