Networks heavily depend on the ARP protocol because it automatically maps an IP address to a MAC address for each device in the network. Because ARP is crucial for providing normal network operations, any advantage taken on it can result in catastrophic network behavior.
During an ARP spoofing attack, the attacker sends fake ARP messages, also known as gratuitous ARP replies, to associate his own MAC address with the IP address of another device on the network. This allows the attacker to intercept or modify network traffic between the victim device and other devices on the network since the traffic will always go through the attacker’s device.
As you can see from the image above, PC1 learns the MAC address of the FTP server after the exchange of ARP messages. The attacker sends a gratuitous ARP reply that contains a mapping of the IP address of the server and the MAC address of the attacker’s computer.
Logically, PC1 rewrites the old data in the ARP table with the new one that has just been learned, so the next time PC1 needs to upload something to the FTP server, the traffic will go through the attacker. And just like that, we have a man-in-the-middle attack.
The solution to the ARP spoofing attack comes in the form of a feature called Dynamic ARP Inspection (DAI). DAI works by intercepting and validating all ARP messages on a network using a database that contains trusted MAC-to-IP address mappings built by the DHCP snooping feature.
The validation is not performed on every port on the switch on which the DAI feature is enabled. When you start DAI, you must define the ports as trusted and untrusted. The inspection happens only on untrusted ports, and these are the ports that connect to end devices. The rest of the ports should be configured as trusted so that all ARP messages are permitted without any inspections being performed.
If an ARP message contains an invalid or suspicious mapping, the switch will drop the message and stop the attack. This way, DAI helps prevent malicious ARP packets from reaching their intended targets and ensures that only legitimate devices are allowed to communicate on the network.
The ip arp inspection vlan-id command enables the feature on selected VLANs. To configure an interface as trusted use the ip arp inspection trust interface configuration mode command. By default, all interfaces are considered untrusted. The following example configuration enables DHCP snooping and DAI on VLAN 2 and configures FastEthernet 0/3 as a trusted interface for both features:
To verify DAI configuration, use the show ip arp inspection command.