There are many other attacks which abuse ARP messages and they commonly result in DOS or man in the middle attacks. Dynamic ARP Inspection (DAI) is a great method of preventing ARP based attacks.
If DAI is deployed on a switch it will examine ARP messages on every untrusted port and discard inappropriate ones, it does not examine ARPs on trusted ports. End stations should be configured as untrusted and connections to other switches & network devices should always be trusted, otherwise possibly valid ARP messages could be discarded.
The following are steps which DAI will decide whether to discard a packet on an untrusted port. Only step 1 is used by default steps 2 to 4 require extra configuration.1 – If an ARP message states an IP address which has not been assigned via DHCP to that port the ARP is dropped.
2 – The ARP is checked against a staic list of IP/MACs and if it doesnt match the ARP is dropped
3 – An ARP reply should have the source MAC and the MAC in the message the same, if they are different the ARP is dropped. Also the destination MAC and MAC target are compared, if they are different the ARP is dropped
4 – Unusual IP addresses can be also filtered such as the subnet addresses, broadcast addresses and multicast addresses.Configuration
DAI is enabled per VLAN with the following command;ip arp inspection vlan vlan-range
All ports default to become trusted ports so to start the inspection of ARPs ports must be configured as untrusted with the interface command
no ip arp inspection trust
Option 2 in the list above where static IP/MAC lists can be checked with the following command
ip arp inspection filter arp-acl-name vlan vlan-range [static]
Steps 3 & 4 in the list above are not checked by default but they can be with the commandip arp inspection filter arp-acl-name vlan vlan-range [static]
ip arp inspection validate {[src-mac] [dst-mac] [ip]}
The maximum rate of ARPs can also be limited to prevent DoS attacks with the command
ip arp inspection limit {rate pps [burst interval seconds] | none}
