CCNA : Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) is a security feature used in computer networks to prevent a type of cyber attack called ARP spoofing. Let me explain it in simple terms.

Imagine you have a group of friends who communicate by sending letters to each other. To make sure that the letters reach the right person, you write down the address of each friend on the envelope. Now, let's say there's a person who wants to intercept your letters and read their contents. This person might try to change the address on the envelopes, so the letters end up being delivered to their own address instead of your friends'.

In computer networks, devices are identified by IP addresses, but on a local network a second system, ARP (Address Resolution Protocol), is what lets devices actually find each other. ARP translates IP addresses into physical MAC addresses, the unique hardware identifiers of network devices, much like the addresses written on envelopes.

Now, here's where ARP spoofing comes into play. An attacker can manipulate the ARP system and pretend to be another device on the network by changing the IP-to-MAC address mappings. It's like the person intercepting your letters and changing the addresses on the envelopes.

This is where Dynamic ARP Inspection (DAI) steps in to protect the network. DAI acts as a security guard that checks every ARP message passing through the network. It verifies if the IP-to-MAC address mappings in the ARP messages are legitimate or not. If it detects any mismatch or suspicious activity, DAI blocks or discards the ARP messages to prevent the attack.

In simple terms, DAI is like a vigilant guard that checks the envelopes of your network communication to make sure nobody is tampering with the addresses and trying to intercept your data. By doing this, DAI helps to keep your network safe from ARP spoofing attacks and ensures that your devices communicate with the right recipients securely.

First, you need to enable DAI globally on the switch by entering the global configuration mode. You can do this by typing the following command:

[Image: screenshot of the switch commands for this step; not reproduced in the text]

Once DAI is enabled, you need to specify which interfaces should have DAI enabled. You can do this on a per-interface basis. Let's say you want to enable DAI on interface GigabitEthernet1/0/1. Enter the interface configuration mode for that interface:

[Image: screenshot of the switch commands for this step; not reproduced in the text]

The ip arp inspection trust command tells the switch to trust the ARP messages coming from this interface. Typically, you would use this command on interfaces connected to trusted devices, such as servers or routers.

For the remaining interfaces that are not explicitly trusted, you can enable DAI with strict mode. This mode inspects all ARP messages and drops any that do not have a valid IP-to-MAC address mapping. Let's enable strict mode on interface range GigabitEthernet1/0/2 to GigabitEthernet1/0/24:

[Image: screenshot of the switch commands for this step; not reproduced in the text]

In this example, we also set an ARP inspection rate limit of 10 packets per second to prevent excessive log messages, and enable logging for any ARP messages that exceed this limit.

Finally, you can apply DAI to the Layer 3 VLAN interfaces as well. Let's say you have VLAN 10 and VLAN 20, and you want to enable DAI on their respective interfaces:

[Image: screenshot of the switch commands for this step; not reproduced in the text]

By enabling DAI on the VLAN interfaces, you ensure that ARP messages within those VLANs are also protected.

That's it! With these configurations, your Cisco switch is now equipped with Dynamic ARP Inspection to guard against ARP spoofing attacks and maintain a secure network environment.
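The screenshots above are not reproduced in the text, so here is an added, complete Cisco IOS / IOS-XE configuration covering the same steps. It is an example written for this page, not the article's own screenshots, and it assumes a Catalyst-style switch, the VLANs 10 and 20 and the interface names used in the article, and a constructed host IP/MAC pair for the static-host entry. On Cisco switches DAI is enabled per VLAN and checks ARP packets against the DHCP snooping binding table, so the example also enables DHCP snooping; the inspected ("untrusted") ports in the article are simply the ports that do not carry ip arp inspection trust.

```cisco
! Added example (not the article's screenshots). Cisco IOS / IOS-XE Catalyst syntax.
! VLANs 10/20 and interface names follow the article; the IP and MAC in the
! ARP ACL below are constructed placeholders, not real hosts.

! 1. DAI validates ARP packets against the DHCP snooping binding table,
!    so DHCP snooping must be running on the same VLANs.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option

! 2. Turn on DAI for the VLANs and add the optional extra sanity checks
!    (source MAC, destination MAC and IP address consistency).
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip

! 3. Trusted port: the uplink towards the router / servers.
!    ARP packets arriving on a trusted port are forwarded without inspection.
interface GigabitEthernet1/0/1
 description Uplink - trusted
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust

! 4. Untrusted access ports (the default state). Every ARP packet is checked,
!    limited to 10 packets per second, and the port is err-disabled if a host
!    exceeds that rate (for example, during an ARP flood).
!    VLAN 10 on these ports is an assumption for the example.
interface range GigabitEthernet1/0/2 - 24
 switchport mode access
 switchport access vlan 10
 ip arp inspection limit rate 10 burst interval 1

! 5. Let ports err-disabled by DAI recover automatically after 5 minutes
!    instead of requiring a manual shutdown / no shutdown.
errdisable recovery cause arp-inspection
errdisable recovery interval 300

! 6. Hosts with static IP addresses have no DHCP binding, so they would be
!    dropped; whitelist them explicitly with an ARP ACL (placeholder values).
arp access-list STATIC-HOSTS
 permit ip host 10.10.10.50 mac host 0011.2233.4455
ip arp inspection filter STATIC-HOSTS vlan 10

! 7. Keep a buffer of dropped-packet log entries and rate-limit the syslog
!    messages generated from it so a flood cannot swamp the logging system.
ip arp inspection log-buffer entries 1024
ip arp inspection log-buffer logs 100 interval 10

! 8. Verification commands (run from privileged EXEC mode).
! show ip arp inspection vlan 10
! show ip arp inspection interfaces
! show ip arp inspection statistics vlan 10
! show ip arp inspection log
! show ip dhcp snooping binding
```

After applying this, an ARP packet arriving on an untrusted port whose sender IP/MAC pair does not match a DHCP snooping binding (or the ARP ACL) is dropped and counted under the drop columns of show ip arp inspection statistics, which is the quickest way to confirm the feature is actually catching anything. Check show ip arp inspection interfaces to confirm that only the uplink shows as Trusted; a trusted access port is the most common misconfiguration, because it silently exempts that host from inspection.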
