Prevent ARP Spoofing using Dynamic ARP Inspection – DAI

Additional protection of potential man in the middle attack
Dynamic ARP Inspection will help us prevent Address Resolution Protocol – ARP spoofing attacks with help of DHCP functionality and specially DHCP snooping. This is why  Dynamic ARP Inspection is usually used simultaneously with DCHP snooping. Let’s se how is this technology protecting us from ARP attack.

The DHCP snooping builds a DHCP binding table in which are the MAC addresses associated with IP addresses of network devices. We can also add to this table static MAC address to IP address mappings. This will be the best thing to do when we are mapping the interfaces of the router. DHCP binding table is used by the Dynamic ARP Inspection – DAI.

ARP – What is ARP?
Purpose of ARP requests in network is to give to the device appropriate mapping of MAC address to IP address. In other words, when a network device needs to find out the MAC address that corresponds to an IP address, the device can send an ARP request. In that moment the device that has an address that we seek replies to the requesting device with an ARP reply. The ARP reply contains the requested MAC address.

Prevent ARP Spoofing using Dynamic ARP Inspection – DAI

Networks can be protected from ARP spoofing attacks using the DAI – Dynamic ARP Inspection. Dynamic ARP Inspection functionality is similar to DHCP snooping. It uses trusted and untrusted ports. ARP replies are allowed into the switch interface only on trusted ports. If an ARP reply comes to the switch on an untrusted port, the contents of the ARP reply packet will be compared to the DHCP binding table to verify its accuracy. If the ARP reply is not valid and is not in the DHCP binding table, the ARP reply is dropped, and the port is disabled.


To configure Dynamic ARP Inspection we must do this for one or more VLANs. To enable DAI for VLAN 60:

Switch1(config)# ip arp inspection vlan 60

Dynamic ARP Inspection default configuration will make all switch ports untrusted. Therefore, trusted ports must be explicitly configured. These trusted ports are the ports on which ARP replies are expected to come in. Configuration of port Gigabit 0/1 to be a DAI trusted port:

Switch1(config)# interface gigabitethernet 0/1
Switch1(config-if)# ip arp inspection trust


Configure DHCP snooping and dynamic ARP inspection (DAI) on the VLAN named 60:

  1. Set the ge-0/0/1 interface as trusted:
    [edit ethernet-switching-options secure-access-port]
     user@switch#set interface ge-0/0/1 dhcp-trusted
  2. Enable DHCP snooping on the VLAN:
    [edit ethernet-switching-options secure-access-port]
    user@switch#set vlan 60 examine-dhcp
  3. Enable DAI on the VLAN:
    [edit ethernet-switching-options secure-access-port]
    user@switch# set vlan 60 arp-inspection

ARP Spoofing in the picture

ARP spoofing attack

Leave a Reply