What Cisco Catalyst switch feature is designed to inspect ARP packets and mitigate ARP spoofing attacks?
- DHCP snooping
- port security
ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending an ARP message with a forged identity to a transmitting host. Dynamic ARP inspection (DAI) is a Cisco feature designed to inspect ARP packets and mitigate spoofing attacks. It works in combination with DHCP snooping. DHCP snooping creates an IP address to MAC address binding database that DAI uses to validate ARP packets. DAI compares the MAC address and IP address in each ARP packet against that database and only permits the packet if the addresses match. This prevents attackers from spoofing MAC addresses. Characteristics of DAI include:
- DAI can only be performed on ingress ports
- DAI is supported on access ports, trunk ports, EtherChannel ports, and private VLAN ports
- DAI should be configured on all access switch ports as untrusted, and on all switch ports connected to other switches as trusted
An interface can be configured as trusted by using the ip arp inspection trust command. Consider the configuration shown below. If an ARP spoof attack arrives on interface Fa0/2, it will not be inspected because the port is set as trusted, and the spoof packets will be allowed.
<output omitted>
ip arp inspection vlan 5
interface fastethernet 0/2
 switchport mode trunk
 switchport trunk encapsulation dot1q
 ip arp inspection trust
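To make the DAI decision concrete, the following is an added Python model (not Cisco code and not part of the original question) of how DAI treats ingress ARP packets on trusted and untrusted ports using a DHCP snooping binding table; the interface names, VLAN, IP addresses and MAC addresses are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed DHCP snooping binding table (assumed values): (vlan, ip) -> MAC
# learned when the client obtained its lease from a valid DHCP server.
BINDINGS: Dict[Tuple[int, str], str] = {
    (5, "10.0.5.11"): "aaaa.bbbb.0011",
    (5, "10.0.5.12"): "aaaa.bbbb.0012",
}

# Assumed DAI trust state per interface: access ports untrusted,
# Fa0/2 trusted as in the configuration above, Fa0/24 an uplink to another switch.
TRUSTED: Dict[str, bool] = {"Fa0/1": False, "Fa0/2": True, "Fa0/24": True}


@dataclass
class ArpPacket:
    ingress: str      # interface the ARP frame arrived on (DAI inspects ingress only)
    vlan: int
    sender_mac: str   # sender hardware address inside the ARP payload
    sender_ip: str    # sender protocol address inside the ARP payload


def dai_verdict(pkt: ArpPacket) -> Tuple[str, str]:
    """Return (verdict, reason) for one ARP packet the way DAI would decide it.
    A trusted port bypasses inspection entirely, which is why a spoof arriving
    on a trusted port (Fa0/2 in the configuration above) is allowed through."""
    if TRUSTED.get(pkt.ingress, False):
        return ("permit", "trusted port: not inspected")
    expected: Optional[str] = BINDINGS.get((pkt.vlan, pkt.sender_ip))
    if expected is None:
        return ("drop", f"no DHCP snooping binding for {pkt.sender_ip} in VLAN {pkt.vlan}")
    if expected != pkt.sender_mac:
        return ("drop", f"sender MAC {pkt.sender_mac} does not match binding {expected}")
    return ("permit", "IP/MAC binding matches")


def inspect_all(packets: List[ArpPacket]) -> List[str]:
    """Apply DAI to a batch of packets; print (constructed) log lines for drops."""
    verdicts = []
    for p in packets:
        verdict, reason = dai_verdict(p)
        if verdict == "drop":
            print(f"DAI drop on {p.ingress} vlan {p.vlan} "
                  f"{p.sender_mac}/{p.sender_ip}: {reason}")
        verdicts.append(verdict)
    return verdicts
```

Running `inspect_all` over a legitimate client on Fa0/1, a forged reply on Fa0/1, and the same forged reply on trusted Fa0/2 yields permit, drop, permit, reproducing the scenario the explanation describes.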
DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.
Port security is a method of permitting only specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but it does not eliminate ARP spoofing.
802.1x is a method of determining authentication before permitting access to a switch port. This is useful in restricting who can connect to the switch; it does not inspect ARP packets.
Configure and verify switch security features