What Cisco switch features are designed to work together to mitigate ARP spoofing attacks? (Choose two.)
- DHCP snooping
- port security
Dynamic ARP inspection (DAI) and DHCP snooping are Cisco features designed to work together to mitigate ARP spoofing attacks. DAI validates ARP packets in a network. DAI determines the validity of an ARP packet based on the valid MAC address-to-IP-address bindings stored in the DHCP snooping database. This capability protects the network from some man-in-the-middle attacks. The following global configuration command instructs the switch to intercept, log, and discard packets with invalid IP-to-MAC address bindings for the specified VLANs.
switch(config)# ip arp inspection vlan 10-12,15
When configuring DAI, ports are configured as either trusted or untrusted. DAI forwards all packets received on a trusted interface without checks but intercepts all packets on an untrusted port.
DHCP snooping creates an IP address to MAC address database that DAI uses to validate ARP packets. It compares the MAC address and IP address in ARP packets and only permits the traffic if the addresses match. This eliminates attackers spoofing MAC addresses. The following command enables DHCP MAC address verification:
router(config)# ip dhcp snooping verify mac-address
DHCP Authorized ARP can also be used to mitigate ARP spoofing. When implemented, the server assigns an IP address to a client and then creates a static mapping. The DHCP server then sends periodic ARPs to clients to make sure that the clients are still active. Clients respond with an ARP reply. Unauthorized clients cannot respond to these periodic ARPs. The unauthorized ARP responses are blocked at the DHCP server.
DHCP snooping also is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server packets such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.
Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but not eliminate ARP spoofing.
802.1x is a method of determining authentication before permitting access to a switch port. This is useful in restricting who can connect to the switch; it does not inspect ARP packets.
Configure and verify switch security features