https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950367#M900732 <P>Okay, so i have just to enter this configuration in each interface (pre-configured with VLan).</P><P>Could you give the specific configuration of&nbsp;Dynamic ARP Inspection in VLan Environment</P><P>Exp: i have VLan 10 in interface 1 using this ip adresse 192.168.10.1 and have his own DHCP mode and linked with gateway 192.168.99.1 in interface 24</P> Wed, 30 Oct 2019 10:57:06 GMT mydi88 2019-10-30T10:57:06Z https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950323#M900727 <P>Hello,&nbsp;</P><P>I am suffering against arp attacks into my Lan (Netcut -&nbsp; selfishnet). What configuration i must do in my CISCO SWITCH 2960 to stop this</P> Fri, 21 Feb 2020 17:38:36 GMT https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950323#M900727 mydi88 2020-02-21T17:38:36Z https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950326#M900728 <P>Hi there,</P> <P>Take a look at Dynamic ARP Inspection:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01111.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01111.html</A></P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Wed, 30 Oct 2019 10:00:09 GMT https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950326#M900728 Seb Rupik 2019-10-30T10:00:09Z https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950338#M900729 <P>Could i drop all my VLans and conserve just this configuration to protect my Lan ? Because of massive attacks i configured VLans to limit attacks in some zones.</P><P>Now if i use this config, can i use my switch in simple mode without VLans?</P><P>&nbsp;</P> Wed, 30 Oct 2019 10:23:22 GMT https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950338#M900729 mydi88 2019-10-30T10:23:22Z https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950351#M900730 You can but its not recommended. You can use dynamic arp inspection with vlans on switch Wed, 30 Oct 2019 10:42:04 GMT https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950351#M900730 kubn2 2019-10-30T10:42:04Z https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950359#M900731 <P>hmmm how epidemic is this attack?! If you unify all of your connected devices into a single subnet/ VLAN then you put all of the devcies at risk from the ARP attack.</P> <P>By using VLANs you reduce the broadcast domain and therefore the reach of an ARP based attack.</P> <P>&nbsp;</P> <P>I would keep the VLANs and implement DAI. Don't adjust your topology, get the switch to do the work.</P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Wed, 30 Oct 2019 10:53:04 GMT https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950359#M900731 Seb Rupik 2019-10-30T10:53:04Z https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950367#M900732 <P>Okay, so i have just to enter this configuration in each interface (pre-configured with VLan).</P><P>Could you give the specific configuration of&nbsp;Dynamic ARP Inspection in VLan Environment</P><P>Exp: i have VLan 10 in interface 1 using this ip adresse 192.168.10.1 and have his own DHCP mode and linked with gateway 192.168.99.1 in interface 24</P> Wed, 30 Oct 2019 10:57:06 GMT https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950367#M900732 mydi88 2019-10-30T10:57:06Z https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950368#M900733 Based on this instruction linked above by Seb Rupik: <A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01111.html#task_1961618808BA41BA941D3B9979D36518" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01111.html#task_1961618808BA41BA941D3B9979D36518</A><BR /><BR />You turning ARP inspection per vlan basis (or you can turn it on on vlan range) so for vlan 10:<BR />-ip arp inspection vlan 10<BR />And remember to set some ports as trusted (between switches and port to dhcp server). Wed, 30 Oct 2019 11:06:31 GMT https://community.cisco.com/t5/network-security/protect-my-lan-against-arp-spoofing-poisoning/m-p/3950368#M900733 kubn2 2019-10-30T11:06:31Z