06-13-2012 07:27 PM - edited 03-09-2019 11:51 PM
Hi everybody
Does Dynamic ARP Inspection only provide protection against faked gratuitous ARP replies by checking gratuitous replies against the DHCP binding, or does it also provide protection against all fake ARP traffic by checking all ARP traffic against the DHCP binding?
Example.
H1 ----f1/1 SW ------ DHCP server
H2 ----f1/2
H1's MAC address is mac1, and DHCP assigned IP address 199.199.199.1.
H2's MAC address is mac2, and DHCP assigned IP address 199.199.199.2.
SW has the following DHCP bindings:
mac1 199.199.199.1 f1/1 vlan 1
mac2 199.199.199.2 f1/2 vlan 1
Let's say a hacker connects their desktop to SW at f1/3. H1 needs to communicate with H2, but H1's ARP table has no entry for 199.199.199.2 (aged out).
As a result, H1 has to send an ARP broadcast request for 199.199.199.2. The question is: if the hacker crafts a fake ARP reply with its own MAC address, i.e.
mac3 199.199.199.2 (where mac3 is the MAC address of the hacker's desktop), will Dynamic ARP Inspection check that ARP reply against the DHCP bindings?
Thanks.
06-23-2012 11:44 PM
What you describe is exactly what DAI will protect you from.
Sent from Cisco Technical Support iPad App
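The scenario in the question and the answer above, as an added example that is not part of the original thread and is not Cisco's code: a small Python model of the DAI decision for each ARP packet. DAI intercepts every ARP request and reply that arrives on an untrusted port and forwards it only if the sender MAC/IP pair matches a DHCP snooping binding for that VLAN, which is why the attacker's reply on f1/3 is dropped while H2's genuine reply on f1/2 passes. The binding table is the one from the question; the trusted uplink f1/0, the function names and the optional src-mac/ip checks are assumptions of this model (they mirror the optional DAI validations, but the real switch logic is not reproduced here).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: MAC, IP, ingress port and VLAN."""
    mac: str
    ip: str
    port: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    """The fields of an ARP frame that this model inspects (simplified)."""
    opcode: int        # 1 = request, 2 = reply
    eth_src_mac: str   # Ethernet source address of the frame
    sender_mac: str    # ARP sender hardware address
    sender_ip: str     # ARP sender protocol address
    target_ip: str
    ingress_port: str
    vlan: int


# Constructed binding table, taken from the figures in the question.
BINDINGS = (
    Binding("mac1", "199.199.199.1", "f1/1", 1),
    Binding("mac2", "199.199.199.2", "f1/2", 1),
)

# Assumption: the uplink to the DHCP server is f1/0 and is configured trusted,
# so ARP arriving there is not inspected.
TRUSTED_PORTS = frozenset({"f1/0"})


def dai_check(pkt, bindings=BINDINGS, trusted_ports=TRUSTED_PORTS,
              validate_src_mac=False, validate_ip=False):
    """Model of the DAI decision for one ARP packet (hypothetical helper).

    Returns ("forward", reason) or ("drop", reason). Every ARP packet,
    request or reply, arriving on an untrusted port is validated: the
    sender MAC/IP pair must match a binding for the ingress VLAN.
    """
    if pkt.ingress_port in trusted_ports:
        return "forward", "trusted port: ARP not inspected"
    if pkt.opcode not in (1, 2):
        return "drop", f"unknown ARP opcode {pkt.opcode}"
    # Optional check modelled on DAI's src-mac validation: the Ethernet
    # source must equal the ARP sender hardware address.
    if validate_src_mac and pkt.eth_src_mac != pkt.sender_mac:
        return "drop", "src-mac check: Ethernet source != ARP sender MAC"
    # Optional check modelled on DAI's ip validation: reject sender
    # addresses that can never be a legitimate host address.
    if validate_ip:
        ip = IPv4Address(pkt.sender_ip)
        if ip.is_unspecified or ip.is_multicast or ip == IPv4Address("255.255.255.255"):
            return "drop", f"ip check: invalid sender IP {pkt.sender_ip}"
    for b in bindings:
        if b.vlan == pkt.vlan and b.ip == pkt.sender_ip and b.mac == pkt.sender_mac:
            return "forward", f"matches binding {b.mac}/{b.ip} vlan {b.vlan}"
    return "drop", (f"no DHCP snooping binding for {pkt.sender_mac}/"
                    f"{pkt.sender_ip} in vlan {pkt.vlan}")


def run_scenario():
    """Replay the ARP packets from the question and return the verdicts."""
    # H1 broadcasts a request for H2's address after its cache entry aged out.
    request = ArpPacket(1, "mac1", "mac1", "199.199.199.1", "199.199.199.2", "f1/1", 1)
    # H2's genuine reply from f1/2.
    good_reply = ArpPacket(2, "mac2", "mac2", "199.199.199.2", "199.199.199.1", "f1/2", 1)
    # The spoofed reply from the desktop on f1/3 claiming H2's IP with mac3.
    fake_reply = ArpPacket(2, "mac3", "mac3", "199.199.199.2", "199.199.199.1", "f1/3", 1)
    return {
        "H1 request": dai_check(request)[0],
        "H2 reply": dai_check(good_reply)[0],
        "attacker reply": dai_check(fake_reply)[0],
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:15s} -> {verdict}")
```

Running the block prints one line per packet; only the spoofed reply is dropped, and the drop reason names the unmatched MAC/IP pair, which is the kind of detail a DAI violation log line gives a defender to investigate.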