What Cisco Catalyst switch feature is designed to inspect ARP packets and mitigate ARP spoofing attacks?

Last Updated on August 1, 2021 by Admin 2

300-420 : All Parts

300-420 : Designing Cisco Enterprise Networks (ENSLD) : All Parts
300-420 Part 01	300-420 Part 05
300-420 Part 02	300-420 Part 06
300-420 Part 03	300-420 Part 07
300-420 Part 04

What Cisco Catalyst switch feature is designed to inspect ARP packets and mitigate ARP spoofing attacks?

DHCP snooping
port security
802.1x
DAI

Explanation:

ARP spoofing attacks are attempts to redirect traffic to an attacking host by sending an ARP message with a forged identity to a transmitting host. Dynamic ARP inspection (DAI) is a Cisco feature designed to inspect ARP packets and mitigate spoofing attacks. It works in combination with DHCP snooping. DHCP snooping creates an IP address to MAC address database that DAI uses to validate ARP packets. It compares the MAC address and IP address in ARP packets and only permits the traffic if the addresses match. This eliminates attackers from spoofing MAC addresses. Characteristics of DAI include:
DAI can only be performed on ingress ports
DAI is supported on access ports, trunk ports, Etherchannel ports, and private VLAN ports
DAI should be configured on all access switch ports as untrusted, and on all switch ports connected to other switches as trusted

An interface can be configured as trusted by using the ip arp inspection trust command. Consider the configuration shown below. If an ARP spoof attack arrives on interface Fa0/2, it will not be inspected because the port is set as trusted, and the spoof packets will be allowed.

<output omitted>
ip arp inspection vlan 5
interface fastethernet 0/2
switchport mode trunk
swtchport trunk encapsulation dot1q
ip arp inspection trust

DHCP snooping is used to define ports as trusted for DHCP server connections. The purpose of DHCP snooping is to mitigate DHCP spoofing attacks. DHCP snooping can be used to determine what ports are able to send DHCP server packets, such as DHCPOFFER, DHCPACK, and DHCPNAK. DHCP snooping can also cache the MAC address to IP address mapping for clients receiving DHCP addresses from a valid DHCP server.

Port security is a method of only permitting specified MAC addresses access to a switch port. This can be used to define what computer or device can be connected to a port, but not eliminate ARP spoofing.

802.1x is a method of determining authentication before permitting access to a switch port. This is useful in restricting who can connect to the switch; it does not inspect ARP packets.

Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features

300-420 : All Parts

300-420 : Designing Cisco Enterprise Networks (ENSLD) : All Parts
300-420 Part 01	300-420 Part 05
300-420 Part 02	300-420 Part 06
300-420 Part 03	300-420 Part 07
300-420 Part 04

0 0 votes

Article Rating

0 Comments

Inline Feedbacks

View all comments

What Cisco Catalyst switch feature is designed to inspect ARP packets and mitigate ARP spoofing attacks?

You Might Also Like

MPLS supports forwarding equivalence class (FEC). Which of the following cannot be used as a FEC allocation standard?

What can be done to minimize the impact on database read queries MOST efficiently during future traffic spikes?

Where should the names of those who are to approve a product be recorded?