DAI between multiple switchs

alvaroarcila
Level 1

Hi,

Right now we have about 30 switches (2960 and 2950) and a core switch, a Catalyst 4507R. We're trying to harden our network platform, and surfing the web we have found many documents and recommendations pointing to activating Dynamic ARP Inspection in the switches, but I have the following doubt:

We have to create some ARP rules for all the servers and hosts that have manually assigned IP addresses, right?

If the prior question is correct, do we have to copy the same ARP rules in each switch in the network?

Do you recommend activating this feature, or could it be better if we look for another solution to avoid layer 2 attacks?

thanks,

Alvaro

2 Replies

Reza Sharifi
Hall of Fame

Hi Alvaro,

Have a look at this document on how to harden Cisco devices:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#asprot

Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) can be utilized to mitigate ARP poisoning attacks on local segments. An ARP poisoning attack is a method in which an attacker sends falsified ARP information to a local segment. This information is designed to corrupt the ARP cache of other devices. Often an attacker uses ARP poisoning in order to perform a man-in-the-middle attack.

DAI intercepts and validates the IP-to-MAC address relationship of all ARP packets on untrusted ports. In DHCP environments, DAI utilizes the data that is generated by the DHCP snooping feature. ARP packets that are received on trusted interfaces are not validated and invalid packets on untrusted interfaces are discarded. In non-DHCP environments, the use of ARP ACLs is required.

These commands enable DHCP snooping:

HTH

Reza
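The configuration below is an added example and is not part of Reza's reply or of the Cisco document he links. It shows, on one Catalyst access switch, the pieces the quoted text describes: DHCP snooping as the source of IP-to-MAC bindings, an ARP ACL for hosts with manually assigned addresses, DAI enabled on the VLAN, and the uplink marked trusted so only access ports are validated. The VLAN number, host addresses, MAC addresses and interface names are constructed for illustration.

```cisco
! --- Global: DHCP snooping builds the binding table that DAI consults ---
ip dhcp snooping
ip dhcp snooping vlan 10
!
! --- ARP ACL for hosts with manually assigned addresses ---
! (constructed sample entries: one line per static host, sender IP + sender MAC)
arp access-list STATIC-HOSTS
 permit ip host 10.1.10.50 mac host 0011.2233.4455
 permit ip host 10.1.10.51 mac host 0011.2233.4456
!
! --- Enable DAI on the VLAN and attach the ACL ---
! Without the "static" keyword, ARP packets that match no ACL entry are
! still checked against the DHCP snooping bindings, so DHCP clients keep working.
ip arp inspection vlan 10
ip arp inspection filter STATIC-HOSTS vlan 10
! Optional extra consistency checks between the Ethernet header and the ARP body
ip arp inspection validate src-mac dst-mac ip
!
! --- Uplink toward the core: trusted, so ARP arriving from other switches is not re-validated ---
interface GigabitEthernet0/1
 description Uplink to Catalyst 4507R
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- Access ports stay untrusted (the default); rate-limit ARP to blunt floods ---
interface range FastEthernet0/1 - 24
 switchport access vlan 10
 ip arp inspection limit rate 15
!
! Recover a port automatically if the ARP rate limit err-disables it
errdisable recovery cause arp-inspection
!
! --- Verification (exec mode) ---
! show ip arp inspection vlan 10
! show ip arp inspection interfaces
! show ip dhcp snooping binding
! show arp access-list STATIC-HOSTS
```

Because an ARP ACL is local configuration and DAI validates a host's ARP packets only where they enter on an untrusted port, each switch needs ACL entries at least for the static hosts directly attached to its own untrusted ports; pushing the same complete STATIC-HOSTS list to every switch is simpler to maintain and does no harm. Inter-switch links should be trusted on both DHCP snooping and DAI, otherwise legitimate ARP traffic crossing the trunk will be dropped or rate-limited.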

Thanks a lot for your reply Reza.
