Using the Address Resolution Protocol (ARP), IP hosts determine the MAC address that belongs to an IP address. This mapping is stored in the ARP cache. An attacker can try to manipulate these mappings with forged ARP frames, either to carry out a man-in-the-middle attack or to disrupt communication in the network. This type of attack is known as ARP spoofing or ARP poisoning.
With Dynamic ARP Inspection (DAI), Cisco gives the administrator a way to ward off such attacks.
Dynamic ARP Inspection Setup
ARP Inspection must be enabled globally for the VLAN. Afterwards, individual interfaces are configured as trusted or untrusted. DAI validates the ARP packets arriving on untrusted ports against the DHCP snooping binding table, so DHCP snooping must already be running on that VLAN; uplinks to other switches are marked trusted, and untrusted edge ports can additionally be rate-limited.
ip arp inspection vlan 1
!
interface FastEthernet0/1
 description Edge Port
 no ip arp inspection trust
 ip arp inspection limit rate 10
!
interface GigabitEthernet0/1
 description Uplink
 ip arp inspection trust
In the following example, the (relatively small) rate limit on Fa0/1 was exceeded, and the switch put the port into the err-disable state.
04:03:43: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
04:03:46: %SW_DAI-4-PACKET_RATE_EXCEEDED: 2 packets received in 469 milliseconds on Fa0/1
04:03:46: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa0/1, putting Fa0/1 in err-disable state
04:03:48: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
An attempted MITM attack looks like this in the log (the bracketed fields are sender MAC / sender IP / target MAC / target IP / time; note that the same sender MAC answers for two different IP addresses):
04:18:16: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([0010.a48b.42a7/192.168.1.120/00d0.58b1.9600/192.168.1.104/04:18:16 UTC Mon Mar 1 1993])
04:18:16: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([0010.a48b.42a7/192.168.1.104/0010.6c00.1159/192.168.1.120/04:18:16 UTC Mon Mar 1 1993])
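As an added example (not part of the original post, and not Cisco code), the following Python script parses the DAI syslog messages shown above, so that a log collector can turn them into events: it extracts the denied ARP packets with their sender/target addresses, the rate-limit violations and the err-disable notices, and then flags a sender MAC that claims more than one IP address on the same port, which is exactly the pattern in the two deny messages. The sample log is constructed from the messages on this page, and the regular expressions assume the message layout matches the IOS syslog text exactly as printed above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log: the messages shown in the post above, with each
# syslog message on one line as IOS prints it.
SAMPLE_LOG = """\
04:03:43: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
04:03:46: %SW_DAI-4-PACKET_RATE_EXCEEDED: 2 packets received in 469 milliseconds on Fa0/1
04:03:46: %PM-4-ERR_DISABLE: arp-inspection error detected on Fa0/1, putting Fa0/1 in err-disable state
04:03:48: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
04:18:16: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([0010.a48b.42a7/192.168.1.120/00d0.58b1.9600/192.168.1.104/04:18:16 UTC Mon Mar 1 1993])
04:18:16: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Res) on Fa0/1, vlan 1.([0010.a48b.42a7/192.168.1.104/0010.6c00.1159/192.168.1.120/04:18:16 UTC Mon Mar 1 1993])
"""

# Assumed message layouts (taken from the log lines above). The bracketed
# tuple in a deny message is sender MAC / sender IP / target MAC / target IP / time.
DENY_RE = re.compile(
    r"SW_DAI-4-(?P<reason>\w+_DENY): (?P<count>\d+) Invalid ARPs "
    r"\((?P<kind>Req|Res)\) on (?P<intf>[^,]+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<smac>[0-9a-f.]+)/(?P<sip>[\d.]+)/(?P<tmac>[0-9a-f.]+)/"
    r"(?P<tip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)
RATE_RE = re.compile(
    r"SW_DAI-4-PACKET_RATE_EXCEEDED: (?P<count>\d+) packets received in "
    r"(?P<ms>\d+) milliseconds on (?P<intf>[^\s.]+)"
)
ERRDISABLE_RE = re.compile(
    r"PM-4-ERR_DISABLE: arp-inspection error detected on (?P<intf>[^,]+),"
)


@dataclass
class DaiEvent:
    time: str                        # switch timestamp at the start of the line
    kind: str                        # "deny", "rate_exceeded" or "err_disable"
    interface: str
    vlan: Optional[int] = None
    arp_type: Optional[str] = None   # "Req" or "Res" for deny events
    sender_mac: Optional[str] = None
    sender_ip: Optional[str] = None
    target_mac: Optional[str] = None
    target_ip: Optional[str] = None


def parse_dai_log(text: str) -> List[DaiEvent]:
    """Turn raw syslog text into DAI events; lines that are not DAI-related are ignored."""
    events: List[DaiEvent] = []
    for line in text.splitlines():
        ts, sep, msg = line.partition("%")
        if not sep:
            continue
        ts = ts.strip().rstrip(":")
        m = DENY_RE.match(msg)
        if m:
            events.append(DaiEvent(ts, "deny", m["intf"], int(m["vlan"]), m["kind"],
                                   m["smac"], m["sip"], m["tmac"], m["tip"]))
            continue
        m = RATE_RE.match(msg)
        if m:
            events.append(DaiEvent(ts, "rate_exceeded", m["intf"]))
            continue
        m = ERRDISABLE_RE.match(msg)
        if m:
            events.append(DaiEvent(ts, "err_disable", m["intf"]))
    return events


def suspected_spoofers(events: List[DaiEvent]) -> Dict[Tuple[str, int, str], List[str]]:
    """Group denied ARPs by (interface, VLAN, sender MAC). One MAC claiming several
    IP addresses on the same port is the classic man-in-the-middle pattern: in the
    log above 0010.a48b.42a7 answers for both 192.168.1.120 and 192.168.1.104."""
    claims: Dict[Tuple[str, int, str], Set[str]] = defaultdict(set)
    for e in events:
        if e.kind == "deny":
            claims[(e.interface, e.vlan, e.sender_mac)].add(e.sender_ip)
    return {key: sorted(ips) for key, ips in claims.items() if len(ips) > 1}


def err_disabled_interfaces(events: List[DaiEvent]) -> Set[str]:
    """Interfaces that DAI shut down; these need manual or automatic err-disable recovery."""
    return {e.interface for e in events if e.kind == "err_disable"}


if __name__ == "__main__":
    evs = parse_dai_log(SAMPLE_LOG)
    for (intf, vlan, mac), ips in suspected_spoofers(evs).items():
        print(f"{mac} on {intf} vlan {vlan} claimed {', '.join(ips)}")
    for intf in sorted(err_disabled_interfaces(evs)):
        print(f"{intf} was err-disabled by arp-inspection")
```

Run against the sample log, the script reports `0010.a48b.42a7` on `Fa0/1` claiming both victims' addresses and `Fa0/1` as err-disabled; feeding it a real syslog export from the switch works the same way as long as the message format matches.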
Use Dynamic ARP Inspection (DAI) to protect the network against ARP spoofing.