14 Dynamic ARP Inspection

This chapter covers

  • Address Resolution Protocol–based attacks such as ARP poisoning
  • How Dynamic ARP Inspection protects against ARP-based attacks
  • Configuring DAI on Cisco IOS switches

We first covered Address Resolution Protocol (ARP) in chapter 6 of volume 1, and it has come up several times throughout this book. ARP is an essential protocol in IP networks, serving as the bridge between Layer 2 and Layer 3 by mapping IP addresses to their corresponding MAC addresses. However, like many protocols, ARP is susceptible to exploitation that can compromise the security of a network. Dynamic ARP Inspection (DAI), the topic of this chapter, is a security feature on Cisco switches that we can use to mitigate such threats.

DAI is part of CCNA exam topic 5.7: Configure and verify Layer 2 security features. (These include DHCP Snooping, Dynamic ARP Inspection, and Port Security.) We have already covered Port Security and DHCP Snooping, so this is the final chapter addressing topic 5.7. As you read this chapter, I’m sure you’ll notice similarities between DAI and DHCP Snooping, both in functionality and Cisco IOS configuration. In fact, DAI relies on the DHCP Snooping binding table as one of its key components. Due to their similarities, this chapter will follow a structure similar to the previous one.
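As an added illustration (not code from the book, and a simplified model rather than Cisco's implementation), the Python below simulates DAI's core rule: an ARP message arriving on an untrusted port in an inspected VLAN is forwarded only if its sender IP/MAC pair matches an entry in the DHCP Snooping binding table, while trusted ports and uninspected VLANs bypass the check. Interface names, addresses and bindings are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:      # one DHCP Snooping binding-table entry
    ip: str
    mac: str
    vlan: int
    interface: str

@dataclass(frozen=True)
class ArpMessage:   # the fields DAI examines in a received ARP message
    ingress_interface: str
    vlan: int
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address

def norm_mac(mac):
    # Accept 'aa:bb:cc:dd:ee:ff' or 'aabb.ccdd.eeff'; compare on bare hex digits.
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

class DaiSwitch:
    def __init__(self, bindings, trusted_interfaces, inspected_vlans):
        self.table = {(b.vlan, b.ip): norm_mac(b.mac) for b in bindings}
        self.trusted = set(trusted_interfaces)
        self.vlans = set(inspected_vlans)

    def inspect(self, msg):
        """Return (action, reason) for one ARP message, mirroring DAI's core rule."""
        if msg.vlan not in self.vlans:
            return "forward", "VLAN not inspected"
        if msg.ingress_interface in self.trusted:
            return "forward", "trusted port"          # e.g. uplink towards the DHCP server
        expected = self.table.get((msg.vlan, msg.sender_ip))
        if expected is None:
            return "drop", "no binding for sender IP"
        if expected != norm_mac(msg.sender_mac):
            return "drop", "sender MAC does not match binding"
        return "forward", "binding matches"

# Constructed sample data, not taken from a real switch.
BINDINGS = [Binding("10.0.0.10", "0011.2233.4455", 10, "GigabitEthernet0/1"),
            Binding("10.0.0.20", "0011.2233.6677", 10, "GigabitEthernet0/2")]
SWITCH = DaiSwitch(BINDINGS, trusted_interfaces={"GigabitEthernet0/24"}, inspected_vlans={10})

def demo():
    return {
        "legit_host": SWITCH.inspect(ArpMessage("GigabitEthernet0/1", 10, "00:11:22:33:44:55", "10.0.0.10")),
        "forged_gateway": SWITCH.inspect(ArpMessage("GigabitEthernet0/2", 10, "0011.2233.6677", "10.0.0.1")),
        "mac_mismatch": SWITCH.inspect(ArpMessage("GigabitEthernet0/2", 10, "0011.2233.4455", "10.0.0.20")),
        "trusted_uplink": SWITCH.inspect(ArpMessage("GigabitEthernet0/24", 10, "aaaa.bbbb.cccc", "10.0.0.1")),
    }
```

The "forged_gateway" case is the ARP poisoning scenario the chapter introduces: a host on an untrusted port claiming an IP it never obtained through DHCP has no binding, so the message is dropped.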

14.1 ARP and ARP-based attacks

14.2 Dynamic ARP Inspection

14.2.1 How DAI filters ARP messages

14.2.2 Optional DAI checks

14.2.3 Rate-limiting ARP messages

Summary