DAI and ARP Spoofing Attacks - Cisco Nexus 9000 Series Configuration Manual

NX-OS Security Configuration Guide, Release 9.x

DAI and ARP Spoofing Attacks

An ARP spoofing attack can affect hosts, switches, and routers connected to your Layer 2 network by sending
false information to the ARP caches of the devices connected to the subnet. Sending false information to an
ARP cache is known as ARP cache poisoning. Spoof attacks can also intercept traffic intended for other hosts
on the subnet.
Figure 15: ARP Cache Poisoning
This figure shows an example of ARP cache poisoning.
Hosts A, B, and C are connected to the device on interfaces A, B, and C, which are on the same subnet. Their
IP and MAC addresses are shown in parentheses; for example, host A uses IP address IA and MAC address
MA. When host A needs to send IP data to host B, it broadcasts an ARP request for the MAC address associated
with IP address IB. When the device and host B receive the ARP request, they populate their ARP caches
with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA
is bound to MAC address MA. When host B responds, the device and host A populate their ARP caches with
a binding for a host with the IP address IB and the MAC address MB.
Host C can poison the ARP caches of the device, host A, and host B by broadcasting two forged ARP responses
with bindings: one for a host with an IP address of IA and a MAC address of MC and another for a host with
an IP address of IB and a MAC address of MC. Host B and the device then use the MAC address MC as the
destination MAC address for traffic intended for IA, which means that host C intercepts that traffic. Likewise,
host A and the device use the MAC address MC as the destination MAC address for traffic intended for IB.
Because host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted
traffic to those hosts by using the correct MAC address as the destination. This topology, in which host C has
inserted itself into the traffic stream from host A to host B, is an example of a man-in-the-middle attack.
DAI ensures that only valid ARP requests and responses are relayed. When DAI is enabled and properly
configured, a Cisco Nexus device performs these activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination
• Drops invalid ARP packets
DAI can determine the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a
Dynamic Host Configuration Protocol (DHCP) snooping binding database. This database can also contain
static entries that you create. If the ARP packet is received on a trusted interface, the device forwards the
packet without any checks. On untrusted interfaces, the device forwards the packet only if it is valid.
You can configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when the
MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
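The DAI decision logic described above, reduced to a small model, as an added example that is not part of the Cisco guide: it checks each ARP packet against a constructed DHCP snooping binding table and interface trust states (the IP addresses, MAC addresses and interface names are assumptions standing in for IA/MA, IB/MB and IC/MC), then replays the host C poisoning scenario from the figure to show which forged replies an untrusted port would drop.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed DHCP snooping binding table (IP -> MAC) for hosts A, B and C;
# the addresses stand in for the IA/MA, IB/MB, IC/MC placeholders of the figure.
BINDINGS: Dict[str, str] = {
    "10.0.0.1": "aa:aa:aa:aa:aa:aa",  # host A: IA -> MA
    "10.0.0.2": "bb:bb:bb:bb:bb:bb",  # host B: IB -> MB
    "10.0.0.3": "cc:cc:cc:cc:cc:cc",  # host C: IC -> MC
}
# Constructed interface trust states; interface names are assumptions.
TRUSTED: Dict[str, bool] = {"Ethernet1/1": False, "Ethernet1/2": False,
                            "Ethernet1/3": False, "Ethernet1/48": True}

@dataclass
class ArpPacket:
    ingress: str     # interface the packet arrived on
    eth_src: str     # source MAC in the Ethernet header
    sender_ip: str   # ARP sender protocol address (body)
    sender_mac: str  # ARP sender hardware address (body)

def dai_check(pkt: ArpPacket) -> Tuple[bool, str]:
    """Decide forward/drop the way the text describes DAI doing it."""
    if TRUSTED.get(pkt.ingress, False):
        return True, "trusted interface: forwarded without checks"
    ip = ipaddress.ip_address(pkt.sender_ip)
    if ip.is_unspecified or ip.is_multicast or pkt.sender_ip == "255.255.255.255":
        return False, "invalid sender IP address"
    if pkt.sender_mac.lower() != pkt.eth_src.lower():
        return False, "ARP sender MAC does not match Ethernet source MAC"
    bound = BINDINGS.get(pkt.sender_ip)
    if bound is None:
        return False, "no binding for " + pkt.sender_ip
    if bound != pkt.sender_mac.lower():
        return False, pkt.sender_ip + " is bound to " + bound + ", not " + pkt.sender_mac
    return True, "valid IP-to-MAC binding"

def simulate_poisoning() -> Dict[str, Tuple[bool, str]]:
    """Replay the figure: B answers legitimately, then C forges replies for IA and IB."""
    MA, MB, MC = BINDINGS["10.0.0.1"], BINDINGS["10.0.0.2"], BINDINGS["10.0.0.3"]
    packets = {
        "B replies as IB":      ArpPacket("Ethernet1/2", MB, "10.0.0.2", MB),
        "C claims IA is at MC": ArpPacket("Ethernet1/3", MC, "10.0.0.1", MC),
        "C claims IB is at MC": ArpPacket("Ethernet1/3", MC, "10.0.0.2", MC),
        "C forges header too":  ArpPacket("Ethernet1/3", MA, "10.0.0.1", MC),
    }
    return {name: dai_check(p) for name, p in packets.items()}
```

Only the legitimate reply from host B is forwarded; both of host C's forged bindings fail the binding-table check, and the variant with a mismatched Ethernet source fails the header check first.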
