This blog was originally started to better help me understand the technologies in the CCIE R&S blueprint; after completing the R&S track I have decided to transition the blog into a technology blog.
CCIE #29033
This blog will continue to include questions, troubleshooting scenarios, and references to existing and new technologies but will grow to include a variety of different platforms and technologies. Currently I have created over 185 questions/answers in regards to the CCIE R&S track!! Note: answers are in the comment field or within "Read More" section.
You can also follow me on twitter @FE80CC1E
How can I prevent ARP based attacks?
1 comments:
DAI - Dynamic ARP inspection is a security features that validates the MAC to IP address using the DHCP snooping database. The packet will only be permitted once this validation occurs. If the validation fails the packet is dropped.
Must enable DHCP Snooping
To enable it per VLAN when using DHCP (global config)
"ip arp inspection vlan (#,#,#)"
To trust an interface and bypass the validation process.
interface fas 0/10
"ip arp inspection trust"
To enable DAI without DHCP - There is no DHCP binding database.
Create an arp access-list
"arp access-list ARP"
"permit ip host 10.1.1.2 mac host 1111.2222.3333"
Eanble inspection per VLAN
"ip arp inspection filter ARP vlan 10"
interface gig 0/1
"no ip arp inspection trust"
You can also rate limit the number of incoming arp packets
"ip arp inspection limit"
ARP validation checks do some extra validation against destination IP and/or mac
"ip arp inspection validate (src-mac|dst-mac|ip)"
"show ip arp inspection statistics"
Post a Comment