table, which contains the MAC addresses associated with specific IP addresses. Additionally, this feature supports static MAC address to IP address mappings, which might be appropriate for network devices, such as routers. This DHCP binding table can be used by the Dynamic ARP Inspection (DAI) feature to help prevent Address Resolution Protocol (ARP) spoofing attacks.
Recall the purpose of ARP requests. When a network device needs to determine the MAC address that corresponds to an IP address, the device can send an ARP request. The target device replies to the requesting device with an ARP reply. The ARP reply contains the requested MAC address.
Attackers can attempt to launch an attack by sending gratuitous ARP (GARP) replies. These GARP messages can tell network devices that the attacker's MAC address corresponds to specific IP addresses. For example, the attacker might be able to convince a PC that the attacker's MAC address is the MAC address of the PC's default gateway. As a result, the PC starts sending traffic to the attacker. The attacker captures the traffic and then forwards the traffic to the appropriate default gateway.
To illustrate, consider the figure below. PC1 is configured with a default gateway of 192.168.0.1. However, the attacker sends GARP messages to PC1, telling PC1 that the MAC address corresponding to 192.168.0.1 is BBBB.BBBB.BBBB, which is the attacker's MAC address. Similarly, the attacker sends GARP messages to the default gateway, claiming that the MAC address corresponding to PC1's IP address of 192.168.0.2 is BBBB.BBBB.BBBB. This ARP cache poisoning causes PC1 and Router1 to exchange traffic via the attacker's PC.
Therefore, this type of ARP spoofing attack is considered to be a
Networks can be protected from ARP spoofing attacks using the DAI feature. DAI works similarly to DHCP snooping by using trusted and untrusted ports. ARP replies are allowed into the switch on trusted ports. However, if an ARP reply enters the switch on an untrusted port, the contents of the ARP reply are compared to the DHCP binding table to verify its accuracy. If the ARP reply is inconsistent with the DHCP binding table, the ARP reply is dropped, and the port is disabled.
The first step in configuring DAI is to enable DAI for one or more VLANs. For example, to enable DAI for VLAN 100, enter the following global configuration mode command:

SW3550(config)# ip arp inspection vlan 100
By default, the DAI feature considers all switch ports to be untrusted ports. Therefore, trusted ports must be explicitly configured. These trusted ports are the ports on which ARP replies are expected. For example, to configure port Gigabit 0/6 to be a DAI trusted port, use the following syntax:

SW3550(config)# interface gigabitethernet 0/6
SW3550(config-if)# ip arp inspection trust
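The following is an added example, not Cisco code and not from the original text: a small Python model of the DAI decision described above (VLAN 100 inspected, Gi0/6 trusted) applied to the ARP replies from the figure. The binding-table MACs for PC1 and Router1, the attacker's ingress port Gi0/3 and PC1's port Gi0/2 are constructed assumptions; only the IP addresses and BBBB.BBBB.BBBB come from the text.

```python
from dataclasses import dataclass, field

# Constructed DHCP snooping binding table for VLAN 100, modelled on the figure:
# PC1 (192.168.0.2) learned via DHCP, Router1 (192.168.0.1) as a static mapping.
# The MAC values are assumptions made for this example.
BINDING_TABLE = {
    (100, "192.168.0.2"): "aaaa.aaaa.aaaa",  # PC1, dynamic DHCP binding
    (100, "192.168.0.1"): "cccc.cccc.cccc",  # Router1, static IP-to-MAC mapping
}

@dataclass
class ArpReply:
    vlan: int
    ingress_port: str
    sender_ip: str
    sender_mac: str

@dataclass
class DaiSwitch:
    """Minimal model of the DAI validation rules stated in the text."""
    inspected_vlans: set
    trusted_ports: set
    bindings: dict
    disabled_ports: set = field(default_factory=set)

    def inspect(self, reply: ArpReply) -> tuple:
        """Return ('forward' | 'drop', reason) for one inbound ARP reply."""
        if reply.ingress_port in self.disabled_ports:
            return "drop", "port disabled after an earlier violation"
        if reply.vlan not in self.inspected_vlans:
            return "forward", "VLAN not under inspection"
        if reply.ingress_port in self.trusted_ports:
            return "forward", "trusted port, reply not validated"
        expected = self.bindings.get((reply.vlan, reply.sender_ip))
        if expected is None or expected.lower() != reply.sender_mac.lower():
            # Inconsistent with the binding table: drop it and disable the port
            self.disabled_ports.add(reply.ingress_port)
            return "drop", f"{reply.sender_ip} is not bound to {reply.sender_mac}"
        return "forward", "consistent with binding table"

def build_switch() -> DaiSwitch:
    """VLAN 100 inspected and Gi0/6 (toward Router1) trusted, as configured above."""
    return DaiSwitch({100}, {"Gi0/6"}, BINDING_TABLE)

if __name__ == "__main__":
    sw = build_switch()
    # Attacker's gratuitous reply on untrusted Gi0/3 claiming the gateway's IP
    print(sw.inspect(ArpReply(100, "Gi0/3", "192.168.0.1", "BBBB.BBBB.BBBB")))
    # PC1's genuine reply on its own untrusted port
    print(sw.inspect(ArpReply(100, "Gi0/2", "192.168.0.2", "aaaa.aaaa.aaaa")))
```

Note that a reply arriving on a trusted port is forwarded without being checked, which is why only ports where genuine ARP replies are expected, such as the uplink to Router1, should be marked trusted.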