Mitigate ARP Attacks CCNA
Mitigate ARP Attacks CCNA

Mitigate ARP Attacks

Mitigate ARP Attacks


This topic explain how to configure ARP inspection to mitigate ARP attacks. Start learning CCNA 200-301 for free right now!!

Note: Welcome: This topic is part of Module 11 of the Cisco CCNA 2 course, for a better follow up of the course you can go to the CCNA 2 section to guide you through an order.

Dynamic ARP Inspection

In a typical ARP attack, a threat actor can send unsolicited ARP replies to other hosts on the subnet with the MAC Address of the threat actor and the IP address of the default gateway. To prevent ARP spoofing and the resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.

Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks by:

  • Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
  • Intercepting all ARP Requests and Replies on untrusted ports.
  • Verifying each intercepted packet for a valid IP-to-MAC binding.
  • Dropping and logging ARP Replies coming from invalid to prevent ARP poisoning.
  • Error-disabling the interface if the configured DAI number of ARP packets is exceeded.

DAI Implementation Guidelines

To mitigate the chances of ARP spoofing and ARP poisoning, follow these DAI implementation guidelines:

  • Enable DHCP snooping globally.
  • Enable DHCP snooping on selected VLANs.
  • Enable DAI on selected VLANs.
  • Configure trusted interfaces for DHCP snooping and ARP inspection.

It is generally advisable to configure all access switch ports as untrusted and to configure all uplink ports that are connected to other switches as trusted.

The sample topology in the figure identifies trusted and untrusted ports.

DAI Implementation Guidelines
DAI Implementation Guidelines

DAI Configuration Example

In the previous topology, S1 is connecting two users on VLAN 10. DAI will be configured to mitigate against ARP spoofing and ARP poisoning attacks.

As shown in the example, DHCP snooping is enabled because DAI requires the DHCP snooping binding table to operate. Next, DHCP snooping and ARP inspection are enabled for the PCs on VLAN10. The uplink port to the router is trusted, and therefore, is configured as trusted for DHCP snooping and ARP inspection.

S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
S1(config)# ip arp inspection vlan 10
S1(config)# interface fa0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust

DAI can also be configured to check for both destination or source MAC and IP addresses:

  • Destination MAC – Checks the destination MAC address in the Ethernet header against the target MAC address in ARP body.
  • Source MAC – Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body.
  • IP address – Checks the ARP body for invalid and unexpected IP addresses including addresses,, and all IP multicast addresses.

The ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command is used to configure DAI to drop ARP packets when the IP addresses are invalid. It can be used when the MAC addresses in the body of the ARP packets do not match the addresses that are specified in the Ethernet header. Notice in the following example how only one command can be configured. Therefore, entering multiple ip arp inspection validate commands overwrites the previous command. To include more than one validation method, enter them on the same command line as shown and verified in the following output.

S1(config)# ip arp inspection validate ? 
  dst-mac  Validate destination MAC address
  ip       Validate IP addresses
  src-mac  Validate source MAC address
S1(config)# ip arp inspection validate src-mac 
S1(config)# ip arp inspection validate dst-mac 
S1(config)# ip arp inspection validate ip 
S1(config)# do show run | include validate
ip arp inspection validate ip 
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# do show run | include validate 
ip arp inspection validate src-mac dst-mac ip 

Syntax Checker – Mitigate ARP Attacks

Implement DAI for a switch based on the following topology and specified requirements.

DAI Configuration Example
DAI Configuration Example

You are currently logged into S1. Enable DHCP snooping globally for the switch.

S1(config)#ip dhcp snooping

Enter interface configuration mode for g0/1 – 2, trust the interfaces for both DHCP snooping and DAI, and then return to global configuration mode.

S1(config)#interface range g0/1 - 2
S1(config-if-range)#ip dhcp snooping trust
S1(config-if-range)#ip arp inspection trust

Enable DHCP snooping and DAI for VLANs 10,20,30-49.

S1(config)#ip dhcp snooping vlan 10,20,30-49
S1(config)#ip arp inspection vlan 10,20,30-49

You have successfully configured DAI for the switch.

Glossary: If you have doubts about any special term, you can consult this computer network dictionary.

Ready to go! Keep visiting our networking course blog, give Like to our fanpage; and you will find more tools and concepts that will make you a networking professional.

CCNA Dump App Now AvailableApp Store