In this video, learn how Dynamic ARP Inspection (DAI), layered on DHCP snooping, provides an effective defense against ARP spoofing attacks.
- [Instructor] Cisco has an ARP spoofing protection mechanism known as Dynamic ARP Inspection, or DAI. In a nutshell, a switch with DAI enabled on a port will consult the DHCP snooping binding table and ensure that any ARP sent from an untrusted port has a valid entry for the IP and MAC combo on that port. As mentioned before, DAI can use the DHCP snooping binding table, so DHCP snooping should be enabled on the switch. Cisco switches will allow an administrator to enable DAI without DHCP snooping running, but it will discard all ARP frames on those ports, which will effectively make all connectivity fail on that port. Having said that, DAI can also use ARP ACLs in place of DHCP snooping binding. ARP ACLs are statically configured lists of IP-to-MAC addresses. Since these must be manually maintained, they are not recommended. With DAI correctly implemented, a host can't perform a man-in-the-middle attack by spoofing a gateway's ARPs. I've seen some DoS attacks where a malicious host …
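The validation the instructor describes can be modelled in a few dozen lines. The following is an added example, not code from the video or from Cisco: it is a simplified, constructed model of a single switch's DAI decision (trusted port bypass, optional ARP ACL, then DHCP snooping binding lookup) run against a constructed VLAN 10 topology. The port names, addresses, MAC values and the `acl_static` flag are assumptions made for the illustration; the decision order follows Cisco's documented behaviour of checking an applied ARP ACL before the binding table.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Constructed sample topology (assumption, not from the video): one access switch,
# VLAN 10, gateway reachable via the uplink Gi1/0/24, two DHCP clients on access ports.
GATEWAY_IP, GATEWAY_MAC = "10.0.10.1", "00:00:5e:00:01:0a"
UPLINK = "Gi1/0/24"


@dataclass(frozen=True)
class ArpFrame:
    """The fields DAI actually validates: ingress port plus sender IP and MAC."""
    ingress_port: str
    sender_ip: str
    sender_mac: str


@dataclass
class DaiSwitch:
    dai_enabled: bool = True
    dhcp_snooping_enabled: bool = True
    trusted_ports: frozenset = frozenset()
    # DHCP snooping binding table: (port, ip, mac) tuples learned from DHCP exchanges.
    bindings: Set[Tuple[str, str, str]] = field(default_factory=set)
    # Optional ARP ACL: statically permitted (ip, mac) pairs; None = no ACL applied.
    arp_acl: Optional[Set[Tuple[str, str]]] = None
    # Models the `static` keyword: ARPs the ACL does not match are dropped instead
    # of falling through to the binding table.
    acl_static: bool = False
    dropped: list = field(default_factory=list)  # (reason, frame) for monitoring

    def learn_dhcp_binding(self, port: str, ip: str, mac: str) -> None:
        # Bindings only exist if DHCP snooping is running; otherwise the table stays empty.
        if self.dhcp_snooping_enabled:
            self.bindings.add((port, ip, mac))

    def inspect(self, f: ArpFrame) -> Tuple[bool, str]:
        """Return (forwarded?, reason) for one ARP frame arriving at the switch."""
        if not self.dai_enabled:
            return True, "dai-off"
        if f.ingress_port in self.trusted_ports:
            return True, "trusted-port"          # uplinks/servers marked trusted are not checked
        if self.arp_acl is not None:
            if (f.sender_ip, f.sender_mac) in self.arp_acl:
                return True, "arp-acl-permit"
            if self.acl_static:
                return self._drop(f, "arp-acl-implicit-deny")
        if (f.ingress_port, f.sender_ip, f.sender_mac) in self.bindings:
            return True, "dhcp-binding-match"
        return self._drop(f, "no-binding")

    def _drop(self, f: ArpFrame, reason: str) -> Tuple[bool, str]:
        self.dropped.append((reason, f))
        return False, reason


def build_switch(snooping: bool = True, acl=None, acl_static: bool = False) -> DaiSwitch:
    sw = DaiSwitch(dhcp_snooping_enabled=snooping, trusted_ports=frozenset({UPLINK}),
                   arp_acl=acl, acl_static=acl_static)
    # Constructed DHCP leases: two clients that went through a normal DHCP exchange.
    sw.learn_dhcp_binding("Gi1/0/1", "10.0.10.11", "aa:aa:aa:aa:aa:11")
    sw.learn_dhcp_binding("Gi1/0/2", "10.0.10.12", "aa:aa:aa:aa:aa:12")
    return sw


def run_scenarios() -> dict:
    sw = build_switch()
    results = {
        "legit_host": sw.inspect(ArpFrame("Gi1/0/1", "10.0.10.11", "aa:aa:aa:aa:aa:11")),
        "gateway_via_uplink": sw.inspect(ArpFrame(UPLINK, GATEWAY_IP, GATEWAY_MAC)),
        # Host on Gi1/0/2 claims the gateway's IP with its own MAC: the MITM case DAI blocks.
        "spoofed_gateway": sw.inspect(ArpFrame("Gi1/0/2", GATEWAY_IP, "aa:aa:aa:aa:aa:12")),
        # A valid IP/MAC pair seen on the wrong port also fails, since the binding is per port.
        "wrong_port": sw.inspect(ArpFrame("Gi1/0/2", "10.0.10.11", "aa:aa:aa:aa:aa:11")),
        # Static server on Gi1/0/3 with no DHCP lease and no ARP ACL: dropped.
        "static_server_no_acl": sw.inspect(ArpFrame("Gi1/0/3", "10.0.10.50", "aa:aa:aa:aa:aa:50")),
    }
    # The misconfiguration from the video: DAI on, DHCP snooping never enabled, so even
    # a legitimate client loses connectivity because the binding table is empty.
    no_snoop = build_switch(snooping=False)
    results["dai_without_snooping"] = no_snoop.inspect(
        ArpFrame("Gi1/0/1", "10.0.10.11", "aa:aa:aa:aa:aa:11"))
    # The same static server with an ARP ACL entry standing in for a DHCP binding.
    with_acl = build_switch(acl={("10.0.10.50", "aa:aa:aa:aa:aa:50")})
    results["static_server_acl"] = with_acl.inspect(
        ArpFrame("Gi1/0/3", "10.0.10.50", "aa:aa:aa:aa:aa:50"))
    results["drop_count_main_switch"] = len(sw.dropped)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24} -> {outcome}")
```

On a Cisco IOS switch the equivalent configuration is `ip dhcp snooping` plus `ip dhcp snooping vlan 10` globally, `ip arp inspection vlan 10`, and `ip arp inspection trust` on the uplink interface; the ARP ACL case corresponds to an `arp access-list` applied with `ip arp inspection filter`. The `dropped` list in the model plays the role of the counters you would watch with `show ip arp inspection statistics`, which is where a sudden rise in drops on an access port, or drops on every port after a deployment, first shows up.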
Note: A complete overview of the exam and registration instructions can be found at https://www.cisco.com/c/en/us/training-events/training-certifications/exams/current-list/ccna-200-301.html.
- Elements of a robust security program
- Password policy
- Access control lists
- Dynamic ARP Inspection (DAI)
- Software-defined networking
- Software-Defined Access (SDA)
- REST APIs
- Automation platforms