Dynamic ARP Inspection (DAI)
Address Resolution Protocol (ARP) provides IP-to-MAC (32-bit IP address to 48-bit Ethernet address)
resolution. ARP operates at Layer 2 (the data-link layer) of the OSI model. ARP provides the translation
mapping the IP address to the MAC address of the destination host using a lookup table (also known as the ARP
cache).
Several types of attacks can be launched against a host or devices connected to Layer 2 networks by
"poisoning" the ARP caches. A malicious user could intercept traffic intended for other hosts on the LAN segment
and poison the ARP caches of connected systems by broadcasting forged ARP responses. Several common ARP-based
attacks can have a detrimental impact on data privacy, confidentiality, and sensitive information. To
block such attacks, the Layer 2 switch must have a mechanism to validate and ensure that only valid ARP
requests and responses are forwarded.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. Dynamic ARP inspection
determines the validity of packets by performing an IP-to-MAC address binding check against a trusted
database (the DHCP snooping binding database) before forwarding the packet to the appropriate destination.
Dynamic ARP inspection drops all ARP packets with invalid IP-to-MAC address bindings that fail the
inspection. The DHCP snooping binding database is built when the DHCP snooping feature is enabled on the
VLANs and on the switch.
Note
Dynamic ARP inspection inspects ingress (inbound) packets only; it does not check egress (outbound) packets.
Figure 4-5a shows an example of an attacker attempting to spoof and hijack traffic for an important address (a
default gateway in this example) by broadcasting to all hosts while spoofing the MAC address of the router (using a
gratuitous ARP). This poisons the ARP cache entries (creates an invalid ARP entry) on Host A and Host B, resulting
in data being redirected to the wrong destination. Because of the poisoned entries, when Host A sends data
destined for the router, it is wrongly sent to the attacker instead. Dynamic ARP inspection locks down the IP-MAC
mapping for hosts so that the attacking ARP is denied and logged.
Figure 4-5a. Dynamic ARP Inspection
The Dynamic ARP Inspection (DAI) feature safeguards the network from many of the commonly known man-in-the-
middle (MITM) type attacks. Dynamic ARP Inspection ensures that only valid ARP requests and responses
are forwarded.
Figure 4-5b illustrates the DAI feature in action and shows how the intruder is blocked on the untrusted port
when it is trying to poison ARP entries.
Figure 4-5b. DAI in Action
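The validation described above and the Figure 4-5a scenario, as an added Python simulation (not the book's or any switch vendor's code): an ingress ARP packet on an untrusted port in a DAI-enabled VLAN is forwarded only if its sender IP-to-MAC pair matches the DHCP snooping binding table, otherwise it is dropped and logged. The binding table, port names, VLAN numbers and log format are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed DHCP snooping binding table: (vlan, ip) -> mac learned from DHCP leases
BINDINGS = {
    (10, "10.0.0.1"): "00:11:22:33:44:01",   # router / default gateway
    (10, "10.0.0.10"): "00:11:22:33:44:0a",  # Host A
    (10, "10.0.0.11"): "00:11:22:33:44:0b",  # Host B
    (10, "10.0.0.99"): "00:11:22:33:44:ff",  # attacker's own legitimate lease
}


@dataclass
class ArpPacket:
    ingress_port: str   # port the frame arrived on (DAI inspects ingress only)
    vlan: int
    sender_ip: str      # ARP sender protocol address
    sender_mac: str     # ARP sender hardware address
    opcode: int         # 1 = request, 2 = reply (gratuitous ARP is usually a reply)


@dataclass
class DaiSwitch:
    bindings: dict
    trusted_ports: set
    dai_vlans: set
    log: list = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'FORWARD' or 'DROP' for one ingress ARP packet."""
        # DAI is enabled per VLAN; trusted ports (uplinks) bypass the check
        if pkt.vlan not in self.dai_vlans or pkt.ingress_port in self.trusted_ports:
            return "FORWARD"
        expected_mac = self.bindings.get((pkt.vlan, pkt.sender_ip))
        if expected_mac == pkt.sender_mac.lower():
            return "FORWARD"
        # Binding check failed: deny and log (constructed message format)
        self.log.append(f"DAI deny on {pkt.ingress_port} vlan {pkt.vlan}: "
                        f"{pkt.sender_ip} claimed by {pkt.sender_mac}, binding says {expected_mac}")
        return "DROP"


def run_scenario():
    """Replay Figure 4-5a: attacker sends a gratuitous ARP for the gateway IP."""
    sw = DaiSwitch(BINDINGS, trusted_ports={"Gi1/0/24"}, dai_vlans={10})
    packets = [
        ArpPacket("Gi1/0/24", 10, "10.0.0.1", "00:11:22:33:44:01", 2),  # real router, trusted uplink
        ArpPacket("Gi1/0/1", 10, "10.0.0.10", "00:11:22:33:44:0A", 1),  # Host A, valid binding
        ArpPacket("Gi1/0/3", 10, "10.0.0.1", "00:11:22:33:44:ff", 2),   # attacker spoofing gateway
        ArpPacket("Gi1/0/3", 10, "10.0.0.99", "00:11:22:33:44:ff", 1),  # attacker's own lease, allowed
        ArpPacket("Gi1/0/5", 20, "10.0.0.1", "00:11:22:33:44:ff", 2),   # VLAN 20 has no DAI: not inspected
    ]
    return [sw.inspect(p) for p in packets], sw.log
```

The last packet shows why DAI must be enabled on every VLAN that carries untrusted hosts: a VLAN without DAI forwards the spoofed reply unchecked.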