Dynamic ARP inspection

DAI is a security feature on switches that prevents invalid ARP packets from entering the network. This technique is used to prevent both MITM attacks and ARP poisoning attacks on a LAN.

In the following diagram, we can see an attacker attempting to perform an MITM attack on a network between the PCs and the router:

To prevent such attacks, you can use the following configuration on a Cisco IOS switch:

  1. Enable DHCP snooping on the VLAN and configure all the trunk ports, and the interface that connects to the DHCP server, as trusted ports. The following configuration enables DHCP snooping on a Cisco IOS switch:

     Switch(config)#ip dhcp snooping
     Switch(config)#ip dhcp snooping database DHCPsnoop
     Switch(config)#ip dhcp snooping vlan 2
     Switch(config)#interface gigabitEthernet 0/1
     Switch(config-if)#ip dhcp snooping trust

DHCP snooping is used to prevent a malicious user from connecting a rogue DHCP server to a corporate network. The trusted port allows the server-side messages (DHCP Offer and DHCP ACK) onto the network, while the other ports (untrusted ports) only allow the client-side messages (DHCP Discover and DHCP Request).

Trunk ports are ports that carry the traffic of multiple VLANs simultaneously; they are the links between one switch and another, or between a switch and the router.

  2. Enable ARP inspection on the VLAN and configure all the trunk ports as trusted ports:

     Switch(config)#ip arp inspection vlan 2
     Switch(config)#interface gigabitEthernet 0/1
     Switch(config-if)#ip arp inspection trust
     Switch(config-if)#exit
  3. Create a layer 2 access control list (ACL) on the switch that binds an IP address to a MAC address:

     Switch(config)#arp access-list ARP-Inspect
     Switch(config-arp-nacl)#permit ip host 10.10.10.1 mac 000b.be56.eb02
     Switch(config-arp-nacl)#exit
  4. Map the layer 2 ACL to the VLAN. The following command applies the ARP ACL to VLAN 2 and completes the ARP inspection configuration on the switch:

     Switch(config)#ip arp inspection filter ARP-Inspect vlan 2

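The four steps above amount to a decision procedure the switch runs on every ARP packet. The following added Python model (not code from the book or from Cisco) walks through that procedure for the page's VLAN 2 setup, using constructed binding data and a simplified order of checks that is an assumption: trusted port, then the ARP ACL, then the DHCP snooping binding table, else drop.

```python
from dataclasses import dataclass

# Constructed sample state mirroring the page's configuration (assumed values
# for the DHCP-learned hosts; the ACL entry is the one from the page).
DAI_VLANS = {2}                              # ip arp inspection vlan 2
TRUSTED_PORTS = {"Gi0/1"}                    # ip arp inspection trust (trunk)
ARP_ACLS = {                                 # arp access-list ARP-Inspect
    "ARP-Inspect": {("10.10.10.1", "000b.be56.eb02")},
}
ACL_FILTER = {2: "ARP-Inspect"}              # ip arp inspection filter ... vlan 2
DHCP_SNOOP_BINDINGS = {                      # (vlan, ip) -> mac, as DHCP snooping would learn
    (2, "10.10.10.10"): "0011.2233.4455",
    (2, "10.10.10.11"): "0011.2233.4466",
}


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    in_port: str
    sender_ip: str
    sender_mac: str


def inspect_arp(pkt: ArpPacket) -> tuple[str, str]:
    """Return ("permit" | "drop", reason) for one ARP packet (simplified DAI model)."""
    mac = pkt.sender_mac.lower()
    if pkt.vlan not in DAI_VLANS:
        return "permit", "vlan is not inspected"
    if pkt.in_port in TRUSTED_PORTS:
        return "permit", "trusted port, ARP not inspected"
    acl = ACL_FILTER.get(pkt.vlan)
    if acl and (pkt.sender_ip, mac) in ARP_ACLS[acl]:
        return "permit", f"sender matches arp access-list {acl}"
    if DHCP_SNOOP_BINDINGS.get((pkt.vlan, pkt.sender_ip)) == mac:
        return "permit", "sender matches DHCP snooping binding"
    return "drop", "sender IP/MAC has no ACL entry or DHCP snooping binding"


if __name__ == "__main__":
    # Constructed packets: legitimate host, the router over the trunk, and two
    # spoofed sender bindings of the kind an ARP poisoning attempt would carry.
    samples = [
        ArpPacket(2, "Gi0/2", "10.10.10.10", "0011.2233.4455"),
        ArpPacket(2, "Gi0/1", "10.10.10.1", "000b.be56.eb02"),
        ArpPacket(2, "Gi0/3", "10.10.10.1", "aaaa.bbbb.cccc"),
        ArpPacket(2, "Gi0/3", "10.10.10.10", "aaaa.bbbb.cccc"),
    ]
    for p in samples:
        verdict, why = inspect_arp(p)
        print(f"{p.in_port} vlan {p.vlan} {p.sender_ip}/{p.sender_mac}: {verdict} ({why})")
```

The two spoofed packets are dropped because the sender IP is claimed with a MAC that neither the ARP-Inspect ACL nor the DHCP snooping table vouches for, which is exactly the check that defeats the MITM attempt in the diagram.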
Now that we are able to implement DAI on a Cisco IOS switch, let's take a look at some additional remediation techniques.
