Sunday 1 October 2023

What is DAI (Dynamic ARP Inspection)? | How to configure Dynamic ARP Inspection DAI? | cyber-attack prevention | ARP Poisoning prevention.

Dynamic ARP Inspection

ARP (Address Resolution Protocol) is a communication protocol. Networking devices use it to discover the MAC (media access control) address associated with an IPv4 address (internet-layer address) and to map MAC addresses to IPv4 addresses; this mapping is done dynamically and stored in the ARP cache. ARP works between layer 2 and layer 3 of the OSI model because the MAC address exists on the data link layer and the IP address exists on the network layer. In other words, Address Resolution Protocol (ARP) is a Layer 2 protocol that maps an IP address (Layer 3) to a MAC address (Layer 2).

DAI (Dynamic ARP Inspection) is a security feature that protects ARP from ARP poisoning attacks. DAI checks all ARP packets on untrusted interfaces; by default all interfaces are untrusted, and these untrusted interfaces undergo DAI validation. DAI compares the information in ARP packets received on an untrusted port with the DHCP snooping database and the ARP access list. If the information matches, the packet is forwarded; if it does not match, DAI discards the ARP packet as carrying an invalid MAC-address-to-IP-address binding. This is how DAI prevents ARP poisoning (man-in-the-middle) attacks: it intercepts all ARP requests and responses and verifies that the MAC-address-to-IP-address binding is valid before the packet is forwarded to the destination.


An attacker may also send a large number of ARP messages and drive up the switch CPU utilization. To prevent this, we need to limit the Dynamic ARP Inspection message rate and burst interval. After implementing DAI some services may break, such as proxy ARP, but there is a solution: configure those ports as trusted for DAI.


Let’s see the configuration to get a better understanding.


Topology: (diagram)

  • configure the topology as per the diagram
  • configure VLAN 100, name DAI
  • assign all the active ports to VLAN 100
  • configure PortFast on all the active access ports
  • configure the IP address 192.168.1.1/24 on fa0/0
  • configure a DHCP server for the 192.168.1.0/24 network
  • configure the DNS IP 192.168.1.80
  • configure Eth 1/0 as trusted for DHCP
  • configure the switch to prevent ARP poisoning attacks on VLAN 100
  • configure DHCP snooping on VLAN 100
  • make sure the PC on Ethernet 0/2 bypasses DAI inspection and can ping the default gateway
  • configure the ARP access list and bind the IP to the MAC for untrusted active ports
  • make sure all the untrusted ports undergo the inspection
  • configure the ARP inspection burst interval and a message rate limit of 8
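The task list above worked through as a Cisco IOS configuration; this is an added example, not the original post's configuration. Switch ports Ethernet0/1 to 0/3 for the hosts, Ethernet1/0 toward the router, the pool name, and the host 192.168.1.50 with MAC 0000.1111.2222 in the ARP access list are assumptions.

```cisco
! --- Switch ---
vlan 100
 name DAI
interface range ethernet 0/1 - 3 , ethernet 1/0
 switchport mode access
 switchport access vlan 100
!
interface range ethernet 0/1 - 3
 spanning-tree portfast
!
! DHCP snooping builds the IP-to-MAC binding table that DAI checks against;
! Eth1/0 (toward the DHCP server) is trusted so its DHCP offers are not dropped
ip dhcp snooping
ip dhcp snooping vlan 100
interface ethernet 1/0
 ip dhcp snooping trust
 ip arp inspection trust
!
! Enable DAI on the VLAN; every port is untrusted until marked otherwise
ip arp inspection vlan 100
! Also check that the ARP header MACs and IPs are consistent and not bogus
ip arp inspection validate src-mac dst-mac ip
!
! Eth0/2 is exempted from inspection, as the task list requires
interface ethernet 0/2
 ip arp inspection trust
!
! Static binding for a host with no DHCP lease (IP and MAC are placeholders)
arp access-list DAI-STATIC
 permit ip host 192.168.1.50 mac host 0000.1111.2222
ip arp inspection filter DAI-STATIC vlan 100
!
! Rate-limit ARP on the untrusted ports: 8 pps measured over a 2-second interval
interface range ethernet 0/1 , ethernet 0/3
 ip arp inspection limit rate 8 burst interval 2
! Let a port that tripped the limit recover instead of staying err-disabled
errdisable recovery cause arp-inspection
!
! --- Router (DHCP server) ---
interface fastethernet 0/0
 ip address 192.168.1.1 255.255.255.0
ip dhcp pool VLAN100
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.80
!
! --- Verify on the switch ---
show ip arp inspection vlan 100
show ip arp inspection interfaces
show ip dhcp snooping binding
```

Check `show ip dhcp snooping binding` first: if a host has no entry there and no ARP ACL match, its ARP traffic is dropped and the counters in `show ip arp inspection vlan 100` tell you which check failed.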
