ARP Spoofing

In an ARP spoofing attack, the attacker sends out gratuitous (unsolicited) ARP
messages giving the IP address of the local default gateway, with its own MAC
address as the layer 2 address. Local devices overwrite their existing correct
ARP information with the incorrect one, and, thus, they forward off-net traffic
to the attacker (it becomes a “man-in-the-middle”). If the attacker then forwards
it on to the legitimate router, this type of attack might go undetected by the
users.
Dynamic ARP Inspection (DAI) works together with DHCP snooping to stop ARP
spoofing. DAI defines trusted and untrusted interfaces. It intercepts ARP
messages on untrusted ports and checks them against the IP address/MAC
address bindings in the DHCP snooping database; the binding must match for the
switch to forward the ARP packet. Access ports should be configured as untrusted,
and ports that connect to other switches or to a router should be trusted.

Enable DAI on a VLAN, or on multiple VLANs, and configure the trusted interfaces.
You can optionally configure a rate limit, or configure which addresses DAI
matches against (the default is IP and MAC address). The basic commands are:
Switch(config)#ip arp inspection vlan vlan_id
Switch(config-if)#ip arp inspection trust
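A fuller configuration built from the two commands above, added here as an example that is not part of the original text. It assumes the user VLAN is 10, the uplink is GigabitEthernet1/0/24 and the access ports are GigabitEthernet1/0/1-23; the rate limit and validation options are the optional settings the text mentions.

```cisco
! Added example with assumed values: VLAN 10, uplink Gi1/0/24, access ports Gi1/0/1-23.
! DAI validates against the DHCP snooping binding table, so snooping must be enabled first.
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10
! Enable DAI on the same VLAN.
Switch(config)# ip arp inspection vlan 10
! Optional extra checks beyond the binding lookup: sender MAC against the Ethernet
! source, target MAC against the Ethernet destination, and sender/target IP sanity.
Switch(config)# ip arp inspection validate src-mac dst-mac ip
! Uplink toward the router or distribution switch: trusted for both snooping and DAI.
Switch(config)# interface GigabitEthernet1/0/24
Switch(config-if)# description Uplink to distribution switch
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip arp inspection trust
! Access ports stay untrusted (the default). Cap the ARP rate so a flood err-disables
! the port instead of starving the switch CPU; 15 pps is the usual untrusted default.
Switch(config)# interface range GigabitEthernet1/0/1 - 23
Switch(config-if-range)# ip arp inspection limit rate 15
! Let a port that was err-disabled by DAI recover on the default timer
! rather than requiring a manual shutdown / no shutdown.
Switch(config)# errdisable recovery cause arp-inspection
! Verification: VLAN is active, only the uplink is trusted, and forwarded/dropped
! ARP packets are being counted.
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection interfaces
Switch# show ip arp inspection statistics vlan 10
Switch# show ip dhcp snooping binding
```

Hosts with static IP addresses have no DHCP snooping binding, so their ARP packets would be dropped on untrusted ports unless an ARP ACL is applied to the VLAN for them.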