Dynamic ARP Inspection (DAI) is a switch feature that defends against ARP spoofing (ARP cache poisoning). It intercepts ARP packets on untrusted ports and validates the sender IP/MAC pair against the DHCP snooping binding database (and, optionally, against an ARP access list for hosts with static addresses), dropping any packet that does not match. Because DAI depends on that binding database, IP DHCP snooping must be enabled before DAI is configured.
In our example we’ll be using the following diagram:
First, enable DHCP snooping globally and for VLAN 100 on both switches, and trust only the port that leads toward the DHCP server; host-facing ports stay untrusted (the default):
S1(config)#ip dhcp snooping
S1(config)#ip dhcp snooping vlan 100
S1(config)#interface fastethernet0/24
S1(config-if)#ip dhcp snooping trust //Only on the port facing the DHCP server (or the uplink toward it)
S2(config)#ip dhcp snooping
S2(config)#ip dhcp snooping vlan 100
S2(config)#interface fastethernet0/25
S2(config-if)#ip dhcp snooping trust //Only on the port facing the DHCP server (or the uplink toward it)
Enable DAI for VLAN 100 on both switches:
S1(config)#ip arp inspection vlan 100
S2(config)#ip arp inspection vlan 100
Mark the inter-switch link as trusted for DAI. ARP packets arriving on a trusted port bypass inspection, so this must be limited to links between switches (and toward the gateway/DHCP server); all host ports stay untrusted. The link between two DAI-enabled switches has to be trusted, because neither switch holds DHCP bindings for the other switch's clients and would otherwise drop their legitimate ARP traffic:
S1(config)#interface gigabitethernet0/25
S1(config-if)#ip arp inspection trust
S2(config)#interface gigabitethernet0/25
S2(config-if)#ip arp inspection trust
Protect the gateway's static IP address from ARP spoofing. The gateway obtains its address statically, so it has no DHCP snooping binding; an ARP access list supplies the permitted IP-to-MAC pairing explicitly. An ARP packet that claims 192.168.1.254 with any other MAC address does not match the permit entry and is dropped. Do not append the `static` keyword to the `ip arp inspection filter` command here: it turns the ACL's implicit deny into an explicit deny and stops DAI from consulting the DHCP snooping bindings at all, so every DHCP client's ARP traffic on untrusted ports would be dropped. Without it, packets that do not match the ACL fall through to the binding-database check:
S1(config)#arp access-list GW
S1(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0033.22a3.fa12
S1(config-arp-nacl)#exit
S1(config)#ip arp inspection filter GW vlan 100
S2(config)#arp access-list GW
S2(config-arp-nacl)#permit ip host 192.168.1.254 mac host 0033.22a3.fa12
S2(config-arp-nacl)#exit
S2(config)#ip arp inspection filter GW vlan 100
Configure errdisable recovery so that a port shut down by DAI (untrusted ports are rate-limited to 15 ARP packets per second by default, and exceeding the limit err-disables the port) is brought back automatically after 60 seconds instead of requiring a manual shutdown/no shutdown. Note that the recovery interval is a global setting shared by every enabled errdisable recovery cause:
S1(config)#errdisable recovery cause arp-inspection
S1(config)#errdisable recovery interval 60
S2(config)#errdisable recovery cause arp-inspection
S2(config)#errdisable recovery interval 60
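As an added example (not part of the original page or Cisco's tooling), the following Python script audits an IOS-style configuration for the pitfalls discussed above: DAI enabled on a VLAN without DHCP snooping, the `static` keyword on the ARP ACL filter, and ports trusted for only one of the two features. The sample configurations are constructed from the commands on this page; the interface names are taken from the page as written, since the diagram is not reproduced here.

```python
import re
from collections import defaultdict

# Constructed sample: S1's running-config as the page builds it (interface
# names assumed from the page; the network diagram is not available).
S1_AS_CONFIGURED = """\
ip dhcp snooping
ip dhcp snooping vlan 100
ip arp inspection vlan 100
ip arp inspection filter GW vlan 100 static
errdisable recovery cause arp-inspection
errdisable recovery interval 60
!
arp access-list GW
 permit ip host 192.168.1.254 mac host 0033.22a3.fa12
!
interface FastEthernet0/24
 ip dhcp snooping trust
!
interface GigabitEthernet0/25
 ip arp inspection trust
!
"""

# Constructed sample: the same switch with the filter applied without
# 'static' and both non-host ports trusted for DHCP snooping and DAI.
S1_CORRECTED = """\
ip dhcp snooping
ip dhcp snooping vlan 100
ip arp inspection vlan 100
ip arp inspection filter GW vlan 100
!
arp access-list GW
 permit ip host 192.168.1.254 mac host 0033.22a3.fa12
!
interface FastEthernet0/24
 ip dhcp snooping trust
 ip arp inspection trust
!
interface GigabitEthernet0/25
 ip dhcp snooping trust
 ip arp inspection trust
!
"""


def parse_config(text):
    """Split IOS-style text into top-level commands and indented sections,
    keyed by the command that opened them (e.g. 'interface GigabitEthernet0/25')."""
    top, sections, current = [], defaultdict(list), None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank line or IOS comment
        if raw[0].isspace():
            if current is not None:       # sub-command of the open section
                sections[current].append(raw.strip())
            continue
        current = raw.rstrip()
        top.append(current)
    return top, dict(sections)


def expand_vlans(spec):
    """'100,200-202' -> {100, 200, 201, 202} (IOS VLAN range syntax)."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def audit_dai(config_text):
    """Return sorted (code, subject) findings for the DAI pitfalls above."""
    top, sections = parse_config(config_text)
    findings, snoop_vlans, dai_vlans = [], set(), set()
    for line in top:
        if m := re.fullmatch(r"ip dhcp snooping vlan (\S+)", line):
            snoop_vlans |= expand_vlans(m.group(1))
        elif m := re.fullmatch(r"ip arp inspection vlan (\S+)", line):
            dai_vlans |= expand_vlans(m.group(1))
        elif m := re.fullmatch(r"ip arp inspection filter (\S+) vlan (\S+)( static)?", line):
            if m.group(3):
                # 'static' makes the ACL's implicit deny explicit and skips the DHCP
                # snooping bindings, so every DHCP client's ARP would be dropped.
                findings.append(("STATIC_FILTER", m.group(1)))
    if dai_vlans and "ip dhcp snooping" not in top:
        findings.append(("SNOOPING_OFF", "global"))
    for vlan in sorted(dai_vlans - snoop_vlans):
        # DAI with no binding table for the VLAN drops all non-ACL ARP on untrusted ports.
        findings.append(("NO_SNOOPING_VLAN", str(vlan)))
    ifaces = {k[len("interface "):]: v for k, v in sections.items() if k.startswith("interface ")}
    snoop_trust = {i for i, cmds in ifaces.items() if "ip dhcp snooping trust" in cmds}
    dai_trust = {i for i, cmds in ifaces.items() if "ip arp inspection trust" in cmds}
    for iface in sorted(snoop_trust ^ dai_trust):
        # A port trusted for only one feature is usually an oversight: uplinks and
        # inter-switch links need both, host ports need neither.
        findings.append(("TRUST_MISMATCH", iface))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("S1 as configured", S1_AS_CONFIGURED), ("S1 corrected", S1_CORRECTED)):
        print(f"{name}: {audit_dai(cfg) or 'no findings'}")
```

Run against the page's S1 configuration, the audit reports the `static` keyword on filter GW and flags FastEthernet0/24 and GigabitEthernet0/25 as trusted for only one of the two features; the corrected configuration produces no findings. Feed it the output of `show running-config` from a real switch to check a deployment the same way.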
By privilege15