Dynamic Arp Inspection - NETGEAR M4200 Software Administration Manual

M4200 and M4300 Series ProSAFE Managed Switches

Dynamic ARP Inspection

Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP packets. The feature prevents a class of man-in-the-middle attacks in which an unfriendly station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. The miscreant sends ARP requests or responses that map another station's IP address to its own MAC address.

DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and builds a bindings database of valid tuples (MAC address, IP address, VLAN interface). When DAI is enabled, the switch drops an ARP packet if the sender MAC address and sender IP address do not match an entry in the DHCP snooping bindings database. This dependency on DHCP snooping can, however, be overcome through static mappings. Static mappings are useful when hosts are configured with static IP addresses, when DHCP snooping cannot be run, or when other switches in the network do not run dynamic ARP inspection. A static mapping associates an IP address with a MAC address on a VLAN.
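The lookup described above, as an added example that is not NETGEAR's code: a small model of a DAI inspector that parses the sender hardware and protocol addresses out of a raw Ethernet/IPv4 ARP packet and forwards it only if (MAC, IP, VLAN) matches a DHCP snooping binding or a static mapping. The bindings, the VLAN number and the spoofed MAC are constructed sample values; the two client addresses are taken from the figure labels.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    mac: str   # normalised to lowercase aa:bb:cc:dd:ee:ff
    ip: str
    vlan: int

def parse_arp(payload: bytes) -> tuple[str, str]:
    """Return (sender MAC, sender IP) from a raw ARP packet (RFC 826 layout)."""
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa = payload[8:14], payload[14:18]
    return ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

def build_arp(sender_mac: str, sender_ip: str, oper: int = 2) -> bytes:
    """Constructed test packet: ARP reply (oper=2) with zeroed target fields."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + bytes(10)

class DaiInspector:
    def __init__(self) -> None:
        self.bindings: set[Binding] = set()   # DHCP snooping bindings database
        self.static: set[Binding] = set()     # static mappings

    def learn_dhcp(self, mac: str, ip: str, vlan: int) -> None:
        self.bindings.add(Binding(mac.lower(), ip, vlan))

    def add_static(self, mac: str, ip: str, vlan: int) -> None:
        self.static.add(Binding(mac.lower(), ip, vlan))

    def inspect(self, vlan: int, payload: bytes) -> str:
        """Decision for one ARP packet arriving on the given VLAN."""
        try:
            mac, ip = parse_arp(payload)
        except (ValueError, struct.error):
            return "drop"                      # malformed ARP is invalid
        b = Binding(mac, ip, vlan)
        return "forward" if (b in self.bindings or b in self.static) else "drop"

def demo() -> dict:
    dai = DaiInspector()
    dai.learn_dhcp("00:16:76:A7:88:CC", "192.168.10.86", 1)  # learned by DHCP snooping
    dai.add_static("00:11:85:EE:54:E9", "192.168.10.1", 1)    # static client mapping
    return {
        "dhcp_client": dai.inspect(1, build_arp("00:16:76:A7:88:CC", "192.168.10.86")),
        "static_client": dai.inspect(1, build_arp("00:11:85:EE:54:E9", "192.168.10.1")),
        "spoofed": dai.inspect(1, build_arp("de:ad:be:ef:00:01", "192.168.10.1")),
        "wrong_vlan": dai.inspect(2, build_arp("00:16:76:A7:88:CC", "192.168.10.86")),
    }
```

The "spoofed" case is an ARP reply claiming the static client's IP from an unknown MAC, which is the cache-poisoning pattern the feature blocks; the VLAN is part of the tuple, so a valid binding on VLAN 1 does not authorise the same addresses on VLAN 2.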
Figure 36. Dynamic ARP inspection (figure: a switch with three attached stations; labels as given in the figure)

- Interface 1/0/1: DHCP server, IP address 192.168.10.1
- Interface 1/0/2: Static client, IP address 192.168.10.1, HW address 00:11:85:EE:54:E9
- Interface 1/0/3: DHCP client, IP address 192.168.10.86 (obtained), HW address 00:16:76:A7:88:CC

Security Management 332
