Configuring Dynamic ARP Inspection
This chapter describes how to configure dynamic Address Resolution Protocol (ARP) inspection (DAI) on a
Cisco NX-OS device.
This chapter includes the following sections:
• About DAI, on page 389
• Licensing Requirements for DAI, on page 392
• Prerequisites for DAI, on page 392
• Guidelines and Limitations for DAI, on page 393
• Default Settings for DAI, on page 393
• Configuring DAI, on page 394
• Verifying the DAI Configuration, on page 399
• Monitoring and Clearing DAI Statistics, on page 399
• Configuration Examples for DAI, on page 400
• Additional References for DAI, on page 404
About DAI
ARP
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC
address. For example, host B wants to send information to host A but does not have the MAC address of
host A in its ARP cache. In ARP terms, host B is the sender and host A is the target.
To get the MAC address of host A, host B generates a broadcast message for all hosts within the broadcast
domain to obtain the MAC address associated with the IP address of host A. All hosts within the broadcast
domain receive the ARP request, and host A responds with its MAC address.
ARP Spoofing Attacks
ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a reply from a host even if
an ARP request was not received. After the attack, all traffic from the device under attack flows through the
attacker's computer and then to the router, switch, or host.
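The weakness described above, that ARP accepts a reply nobody asked for, is what DAI is built to catch on the switch. The following Python example is added here and is not part of the Cisco guide: it parses raw Ethernet/ARP frames and flags a reply that answers no outstanding request as well as a change in an IP-to-MAC binding. The frames, addresses and the `parse_arp`, `inspect` and `build_arp` helpers are constructed for illustration.

```python
import struct
ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp(frame: bytes):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None if it is not one."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sha": mac(frame[22:28]), "spa": ip(frame[28:32]),
            "tha": mac(frame[32:38]), "tpa": ip(frame[38:42])}

def inspect(frames):
    """Return alerts for replies that answer no outstanding request and for IP-to-MAC changes."""
    pending, bindings, alerts = set(), {}, []   # open (requester, target) pairs; IP->MAC view; findings
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        if a["op"] == ARP_REQUEST:
            pending.add((a["spa"], a["tpa"]))
        elif a["op"] == ARP_REPLY:
            key = (a["tpa"], a["spa"])          # a reply to tpa's earlier request for spa
            if key not in pending:
                alerts.append(f"unsolicited reply: {a['spa']} is-at {a['sha']}")
            pending.discard(key)
            old = bindings.get(a["spa"])
            if old is not None and old != a["sha"]:
                alerts.append(f"binding change: {a['spa']} {old} -> {a['sha']}")
            bindings[a["spa"]] = a["sha"]
    return alerts

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed Ethernet+ARP frame for the sample traffic below (not real captures)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = mac("ff:ff:ff:ff:ff:ff") if op == ARP_REQUEST else mac(tha)
    return (dst + mac(sha) + struct.pack("!H", ETH_TYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

# Constructed traffic: host B (10.0.0.2) resolves host A (10.0.0.1) normally; a third station then answers for 10.0.0.1 with no request.
SAMPLE = [
    build_arp(ARP_REQUEST, "00:00:00:00:00:02", "10.0.0.2", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, "00:00:00:00:00:01", "10.0.0.1", "00:00:00:00:00:02", "10.0.0.2"),
    build_arp(ARP_REPLY, "aa:aa:aa:aa:aa:aa", "10.0.0.1", "00:00:00:00:00:02", "10.0.0.2"),
]
```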
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x, Chapter 16, page 389