Dynamic ARP inspection and ARP traffic

sarahr202
Level 5

Hi everybody

Does Dynamic ARP Inspection only provide protection against faked gratuitous ARP replies by checking the gratuitous reply against the DHCP bindings, or does it also provide protection against all fake ARP traffic by checking all ARP traffic against the DHCP bindings?

Example.

H1 ----f1/1SW------Dhcp server

H2 ----f1/2

H1's MAC address is mac1, and DHCP assigned it IP address 199.199.199.1

H2's MAC address is mac2, and DHCP assigned it IP address 199.199.199.2

SW has the following DHCP bindings:

mac1  199.199.199.1  f1/1  vlan 1

mac2  199.199.199.2  f1/2  vlan 1

Let's say a hacker connects their desktop to SW at f1/3. H1 needs to communicate with H2, but H1's ARP table has no entry for 199.199.199.2 (aged out).

As a result, H1 has to send an ARP broadcast request for 199.199.199.2. The question is: if the hacker crafts a fake ARP reply with their own MAC address, i.e. mac3 199.199.199.2 (where mac3 is the MAC address of the hacker's desktop), will Dynamic ARP Inspection check that ARP reply against the DHCP bindings?

Thanks.

Accepted Solutions

What you describe is exactly what DAI will protect you from.

Sent from Cisco Technical Support iPad App
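The check asked about in the question, modelled as an added example (not part of the original thread and not Cisco's implementation): on untrusted ports DAI validates ARP requests as well as replies against the DHCP snooping bindings, so the opcode plays no part in the decision. Assumptions: all three host ports are untrusted, the ingress port is matched along with IP, MAC and VLAN, and the packets are constructed from the question's placeholder names.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:          # one DHCP snooping binding row
    mac: str
    ip: str
    port: str
    vlan: int

@dataclass(frozen=True)
class Arp:              # the ARP fields the check reads
    op: str             # "request" or "reply"
    sender_mac: str
    sender_ip: str
    port: str           # ingress switch port
    vlan: int

# Bindings from the question (MAC names are the post's placeholders).
BINDINGS = [
    Binding("mac1", "199.199.199.1", "f1/1", 1),
    Binding("mac2", "199.199.199.2", "f1/2", 1),
]
TRUSTED_PORTS = frozenset()   # assumption: every host port is untrusted

def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return "permit" or "drop" for one ARP packet."""
    if pkt.port in trusted:
        return "permit"       # trusted ports bypass inspection
    # The opcode is never consulted: requests and replies get the same check.
    for b in bindings:
        if (b.ip, b.vlan) == (pkt.sender_ip, pkt.vlan):
            # Matching the ingress port as well is a modelling assumption.
            ok = b.mac == pkt.sender_mac and b.port == pkt.port
            return "permit" if ok else "drop"
    return "drop"             # no binding for the claimed sender IP

# Constructed packets for the scenario in the question.
H1_REQUEST = Arp("request", "mac1", "199.199.199.1", "f1/1", 1)
H2_REPLY = Arp("reply", "mac2", "199.199.199.2", "f1/2", 1)
FAKE_REPLY = Arp("reply", "mac3", "199.199.199.2", "f1/3", 1)
FAKE_REQUEST = Arp("request", "mac3", "199.199.199.2", "f1/3", 1)

if __name__ == "__main__":
    for p in (H1_REQUEST, H2_REPLY, FAKE_REPLY, FAKE_REQUEST):
        print(p.op, p.sender_mac, p.sender_ip, p.port, "->", inspect(p))
```

The last argument shows why trust settings matter: marking a host-facing port as trusted removes the check for everything arriving on it.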
