Layer 2 Security Feature: Dynamic ARP Inspection

We all know how ARP works and why it matters for delivering traffic to the end host: it translates an IP address into a MAC address. Before looking at Dynamic ARP Inspection we need to understand ARP poisoning, a man-in-the-middle attack that works by poisoning the ARP cache. The IP-to-MAC address tables are stored in the ARP cache of the switch or router.


An attacker can poison the ARP cache by substituting their own MAC address for the default gateway IP, so that all user traffic is redirected to the attacker's machine, which completes the man-in-the-middle attack.

Dynamic ARP Inspection (DAI) works by validating ARP traffic against the DHCP snooping binding database. Yesterday I explained DHCP snooping, so you can look at that article to see how it works. DHCP snooping records each assigned IP address together with the client MAC address in the snooping binding table, and ARP inspection uses that table to find the correct IP-to-MAC address mappings. In some environments the organization may not enable DHCP snooping; in that case static entries must be written with the help of an ARP access list. The configuration of DAI in Cisco IOS is given below.


DAI in a DHCP Environment Configuration Example

Switch(config)# interface GigabitEthernet1/0/1
Switch(config-if)# ip arp inspection trust
Switch(config-if)# exit
Switch(config)# ip arp inspection vlan 5-10

By default every port is implicitly untrusted; the port in the example above is configured as a trusted port, and inspection has to be enabled on the respective VLANs for DAI to take effect.

DAI in a Non-DHCP Environment Configuration Example

Switch(config)# arp access-list arpacl
Switch(config-arp-acl)# permit ip host 10.1.1.11 mac host 0011.0011.0011
Switch(config-arp-acl)# exit
Switch(config)# ip arp inspection filter arpacl vlan 5
Switch(config)# interface GigabitEthernet1/0/2
Switch(config-if)# no ip arp inspection trust

Use the show ip arp inspection vlan [vlan# or range] command to verify the configuration.
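To make the decision logic behind the two configurations above concrete, here is an added example (written for this post, not Cisco code) that models how a DAI-enabled switch treats an ARP packet: packets on trusted ports bypass the check, packets on untrusted ports in an inspected VLAN must match either a static ARP access-list entry or a DHCP snooping binding, and anything else is dropped and logged. The VLAN range, port names, the 10.1.1.11 / 0011.0011.0011 binding and the access-list host are taken from the examples above; the gateway address, the second static host and the spoofed sender MAC are constructed sample values. The model treats a trusted port as exempt from inspection, which is why in practice only uplinks to other DAI-capable switches (where the gateway and DHCP server are reached) are trusted and access ports stay untrusted.

```python
"""Model of the Dynamic ARP Inspection (DAI) forward/drop decision.

Constructed illustration for this post, not Cisco IOS code. It models the
default behaviour of 'ip arp inspection filter <acl> vlan <n>' without the
'static' keyword: a packet permitted by the ARP access-list is forwarded,
and a packet the ACL does not match falls through to the DHCP snooping
binding table.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: an IP-to-MAC pair learned on a VLAN."""
    ip: str
    mac: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    """The ARP fields DAI looks at (simplified, constructed)."""
    vlan: int
    ingress_port: str
    sender_ip: str
    sender_mac: str
    opcode: str  # "request" or "reply"


@dataclass
class DaiSwitch:
    """Minimal model of a switch with DAI enabled on a set of VLANs."""
    inspected_vlans: Set[int]
    trusted_ports: Set[str] = field(default_factory=set)
    snooping_table: Set[Binding] = field(default_factory=set)
    # vlan -> set of (ip, mac) pairs permitted by the ARP access-list
    arp_acl: Dict[int, Set[Tuple[str, str]]] = field(default_factory=dict)
    drop_log: List[str] = field(default_factory=list)

    def learn_dhcp_binding(self, ip: str, mac: str, vlan: int) -> None:
        """What DHCP snooping records when a lease is handed out."""
        self.snooping_table.add(Binding(ip, mac.lower(), vlan))

    def apply_arp_acl(self, vlan: int, permitted) -> None:
        """Equivalent of 'arp access-list' + 'ip arp inspection filter ... vlan'."""
        self.arp_acl[vlan] = {(ip, mac.lower()) for ip, mac in permitted}

    def inspect(self, pkt: ArpPacket) -> Tuple[str, str]:
        """Return ('forward', reason) or ('drop', reason) for one ARP packet."""
        if pkt.vlan not in self.inspected_vlans:
            return "forward", "vlan not inspected"
        if pkt.ingress_port in self.trusted_ports:
            return "forward", "trusted port"          # 'ip arp inspection trust'
        mac = pkt.sender_mac.lower()
        if (pkt.sender_ip, mac) in self.arp_acl.get(pkt.vlan, set()):
            return "forward", "permitted by arp access-list"
        if Binding(pkt.sender_ip, mac, pkt.vlan) in self.snooping_table:
            return "forward", "matches dhcp snooping binding"
        # No valid mapping: drop, and record it the way a defender would want to see it.
        self.drop_log.append(
            f"DAI drop vlan {pkt.vlan} port {pkt.ingress_port}: "
            f"{pkt.opcode} claims {pkt.sender_ip} is at {pkt.sender_mac}"
        )
        return "drop", "no binding or acl match"


def build_demo_switch() -> DaiSwitch:
    """VLANs 5-10 inspected, Gi1/0/1 trusted (as in the configuration above)."""
    sw = DaiSwitch(inspected_vlans=set(range(5, 11)), trusted_ports={"Gi1/0/1"})
    # Binding a DHCP lease would create for the host used in the post's ACL example.
    sw.learn_dhcp_binding("10.1.1.11", "0011.0011.0011", 5)
    # Static mapping for a host with no DHCP lease (second address is constructed).
    sw.apply_arp_acl(5, [("10.1.1.11", "0011.0011.0011"), ("10.1.1.12", "0022.0022.0022")])
    return sw


def run_demo():
    """Run a handful of constructed ARP packets through the model."""
    sw = build_demo_switch()
    packets = {
        # Real gateway reply arriving over the trusted uplink (gateway MAC constructed).
        "gateway_reply_on_uplink": ArpPacket(5, "Gi1/0/1", "10.1.1.1", "aaaa.bbbb.cccc", "reply"),
        "host_request": ArpPacket(5, "Gi1/0/2", "10.1.1.11", "0011.0011.0011", "request"),
        "static_host_request": ArpPacket(5, "Gi1/0/4", "10.1.1.12", "0022.0022.0022", "request"),
        # Untrusted access port claiming the gateway IP with a MAC that has no binding.
        "spoofed_gateway_reply": ArpPacket(5, "Gi1/0/3", "10.1.1.1", "cccc.dddd.eeee", "reply"),
        "uninspected_vlan": ArpPacket(20, "Gi1/0/5", "192.168.20.9", "0033.0033.0033", "request"),
    }
    verdicts = {name: sw.inspect(p)[0] for name, p in packets.items()}
    return verdicts, sw.drop_log


if __name__ == "__main__":
    verdicts, log = run_demo()
    for name, verdict in verdicts.items():
        print(f"{name:24s} -> {verdict}")
    print("\n".join(log))
```

Only the packet that tries to rewrite the gateway mapping from an untrusted port ends up in `drop_log`; on a real switch the same event shows up in the counters of `show ip arp inspection vlan` and as a DAI log message, which is what you watch when verifying the deployment.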
