From the course: Cisco CCNA (200-301) Cert Prep: 3 Security, Automation, and Programmability
Dynamic ARP Inspection (DAI)
- [Instructor] Cisco has an ARP spoofing protection mechanism known as Dynamic ARP Inspection, or DAI. In a nutshell, a switch with DAI enabled on a port will consult the DHCP snooping binding table and ensure that any ARP sent from an untrusted port has a valid entry for the IP and MAC combo on that port. As mentioned before, DAI can use the DHCP snooping binding table, so DHCP snooping should be enabled on the switch. Cisco switches will allow an administrator to enable DAI without DHCP snooping running, but it will discard all ARP frames on those ports, which will effectively make all connectivity fail on that port. Having said that, DAI can also use ARP ACLs in place of DHCP snooping bindings. ARP ACLs are statically configured lists of IP-to-MAC addresses. Since these must be manually maintained, they are not recommended. With DAI correctly implemented, a host can't perform a man-in-the-middle attack by spoofing a gateway's ARPs. I've seen some DoS attacks where a malicious host…
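The decision DAI makes per ARP frame, as an added toy model (not Cisco code, and simplified: the binding table is keyed only on port plus MAC/IP, ignoring VLAN). It shows the three outcomes the lesson describes: a frame from a trusted port is not inspected, a frame from an untrusted port must match a DHCP snooping binding or a static ARP ACL entry, and a switch with DAI on but no snooping bindings drops everything. All ports, MACs and addresses are constructed sample values.

```python
"""Toy model of Dynamic ARP Inspection: constructed example, not Cisco code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpFrame:
    ingress_port: str   # switch port the ARP arrived on
    sender_mac: str     # ARP sender hardware address
    sender_ip: str      # ARP sender protocol address


@dataclass
class DaiSwitch:
    trusted_ports: set = field(default_factory=set)
    # DHCP snooping binding table, simplified to port -> {(mac, ip)}
    dhcp_bindings: dict = field(default_factory=dict)
    # Static ARP ACL entries (mac, ip): the manually maintained alternative
    arp_acl: set = field(default_factory=set)

    def learn_binding(self, port: str, mac: str, ip: str) -> None:
        """Populated by DHCP snooping when a lease is observed on `port`."""
        self.dhcp_bindings.setdefault(port, set()).add((mac.lower(), ip))

    def inspect(self, frame: ArpFrame) -> tuple:
        """Return (forward?, reason) for one ARP frame."""
        if frame.ingress_port in self.trusted_ports:
            return True, "trusted port: not inspected"
        pair = (frame.sender_mac.lower(), frame.sender_ip)
        if pair in self.arp_acl:
            return True, "permitted by ARP ACL"
        if pair in self.dhcp_bindings.get(frame.ingress_port, set()):
            return True, "matches DHCP snooping binding"
        # No binding for this (MAC, IP) on this port: either a spoofed sender,
        # or DAI enabled without DHCP snooping ever learning a lease.
        return False, "dropped: no binding for sender on this port"


def demo() -> dict:
    sw = DaiSwitch(trusted_ports={"Gi0/24"})          # uplink toward the router
    sw.learn_binding("Gi0/1", "aa:bb:cc:00:00:01", "10.0.0.11")  # constructed lease
    host = ArpFrame("Gi0/1", "aa:bb:cc:00:00:01", "10.0.0.11")
    # Same host claims the gateway's IP 10.0.0.1: the spoof DAI is meant to stop
    spoof = ArpFrame("Gi0/1", "aa:bb:cc:00:00:01", "10.0.0.1")
    gateway = ArpFrame("Gi0/24", "00:11:22:33:44:55", "10.0.0.1")
    bare = DaiSwitch()    # DAI on, DHCP snooping never ran: empty binding table
    return {
        "host": sw.inspect(host)[0],
        "spoof": sw.inspect(spoof)[0],
        "gateway": sw.inspect(gateway)[0],
        "no_snooping": bare.inspect(host)[0],
    }
```

`demo()` returns True for the legitimate host and the trusted uplink, False for the gateway spoof and for the switch with no bindings, reproducing the connectivity failure the lesson warns about.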