How to Configure Dynamic Arp Inspection (DAI): A Beginner's Guide
TIMESTAMPS:
0:00 Introduction
2:09 ARP Cache Poisoning Explained
3:01 Talking About the Diagram
3:40 Configuring Dynamic Arp Inspection
5:38 Verifying Dynamic Arp Inspection
6:52 Conclusion
DAI (Dynamic ARP Inspection)
● Allows a network administrator to intercept, log, and discard ARP packets with invalid MAC address-to-IP address bindings.
● It checks both incoming ARP requests and ARP responses.
● In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to
switches as trusted.
● This capability protects the network from certain man-in-the-middle attacks such as ARP cache poisoning, see the image below.
● The switch does not check ARP packets that it receives from the other switch on the trusted interface. It simply forwards the packets.
● In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP access control lists (ACLs) for hosts
with statically configured IP addresses.
Configuring DAI
CORE_SW1:
conf t
!Enable dynamic ARP inspection on a per-VLAN basis. By default, dynamic ARP inspection is disabled on all VLANs.
ip arp inspection vlan 1
!Configure the connection between the switches as trusted or other trusted devices.
int gi0/0
ip arp inspection trust
int gi0/1
ip arp inspection trust
int gi0/2
ip arp inspection trust
end
wr
ACC_SW1:
conf t
ip arp inspection vlan 1
!
int gi0/1
ip arp inspection trust
end
wr
ACC_SW2:
conf t
ip arp inspection vlan 1
!
int gi0/1
ip arp inspection trust
end
wr
Verifying the DAI configuration
show ip arp inspection
show ip arp inspection interfaces
show ip dhcp snooping binding
#cisco #ccna #ccnp #cisconetworking
Document:
https://drive.google.com/file/d/1ZXuP...
