Best Practices for Enabling Dynamic ARP Inspection on cnMatrix Switches

Dynamic ARP Inspection (DAI) helps protect against ARP spoofing attacks by validating ARP packets against the known IP-to-MAC address bindings, so that only legitimate bindings are used on the network. However, enabling it without the right configuration can cause connectivity issues.

Below are the best practices for safe deployment in cnMatrix switches:

Note that ARP Inspection is usually enabled on the Access switches where the client devices are connected. If the customer has client devices connected to the core switches, DAI and DHCP Snooping need to be enabled on the core switch as well.

  1. Prerequisites:

    • Before enabling DAI, ensure DHCP Snooping is enabled globally on the switch as well as on the VLANs.
    • Verify that the DHCP Snooping binding table is being populated with the client IP–MAC mappings.
  2. Enable DAI and DHCP Snooping on all VLANs where security is required.

  3. Trusted Port Configuration:

    • DHCP Server Uplink: Always configure the switchport(s) connecting to the DHCP server as Trusted. On Access switches where DAI is enabled, the uplink to the core switch should also be set as Trusted.
    • Static IP Devices: Any devices using a static IP (APs, printers, IP phones, servers, access switches, etc.) must also have their connected ports set to Trusted or have the binding information statically entered in the binding table.
    • Client Ports: End-user device ports (DHCP clients) should remain untrusted to protect against spoofing.
  4. After enabling DAI, or after rebooting the switch with DAI enabled, all devices that obtained their IP addresses via DHCP need to renew their leases so that the switch can revalidate their bindings; until they do, their ARP traffic is dropped and they lose connectivity.

  5. For monitoring & verification, use commands such as:

    • show ip binding → to display the binding information for the hosts connected to the switch.
    • show ip arp statistics → to check the ARP packet validation results and the ARP request and reply counts.
    • show ip binding counters → to view the VLAN binding count information.
    • ip binding → to configure static binding information.
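To make the behaviour behind steps 1 to 4 concrete, here is an added example (my own constructed model in Python, not cnMatrix code) that replays the cases above against a simulated DAI binding table: trusted uplink, static printer binding, a spoofed ARP from an untrusted port, a rogue DHCP reply, and the empty binding table after a reboot. Port names, VLAN, IPs and MACs are made up.

```python
from dataclasses import dataclass, field

@dataclass
class DaiSwitch:
    """Constructed model of DAI plus DHCP snooping on one access switch (not cnMatrix code)."""
    trusted_ports: set = field(default_factory=set)
    static_bindings: dict = field(default_factory=dict)   # (vlan, ip) -> mac, entered by the admin
    snooped_bindings: dict = field(default_factory=dict)  # (vlan, ip) -> mac, learned from DHCP ACKs

    def snoop_dhcp_ack(self, port, vlan, ip, mac):
        if port not in self.trusted_ports:   # server replies are only accepted from trusted ports
            return False
        self.snooped_bindings[(vlan, ip)] = mac.lower()
        return True

    def reboot(self):
        self.snooped_bindings.clear()        # learned bindings are lost; static ones survive in config

    def inspect_arp(self, port, vlan, sender_ip, sender_mac):
        """Verdict for an ARP packet whose sender fields are (sender_ip, sender_mac)."""
        if port in self.trusted_ports:
            return "forward"                 # trusted ports bypass inspection entirely
        key = (vlan, sender_ip)
        expected = self.static_bindings.get(key) or self.snooped_bindings.get(key)
        if expected is None:
            return "drop: no binding"
        if expected != sender_mac.lower():
            return "drop: ip-mac mismatch"
        return "forward"


def run_demo():
    """Replay the situations the post warns about; returns the verdict at each step."""
    sw = DaiSwitch(trusted_ports={"gi0/24"})                     # uplink towards core + DHCP server
    sw.static_bindings[(10, "10.0.0.50")] = "aa:bb:cc:00:00:50"  # printer with a static IP
    pc_ip, pc_mac = "10.0.0.10", "aa:bb:cc:00:00:10"
    out = {}
    out["pc_before_lease"] = sw.inspect_arp("gi0/1", 10, pc_ip, pc_mac)
    sw.snoop_dhcp_ack("gi0/24", 10, pc_ip, pc_mac)                # lease handed out via trusted uplink
    out["pc_after_lease"] = sw.inspect_arp("gi0/1", 10, pc_ip, pc_mac)
    out["spoofed_pc_ip"] = sw.inspect_arp("gi0/2", 10, pc_ip, "aa:bb:cc:00:00:99")
    out["rogue_dhcp_learned"] = sw.snoop_dhcp_ack("gi0/2", 10, "10.0.0.99", "aa:bb:cc:00:00:99")
    out["gateway_via_uplink"] = sw.inspect_arp("gi0/24", 10, "10.0.0.1", "aa:bb:cc:00:00:01")
    sw.reboot()                                                  # binding table starts empty again
    out["pc_after_reboot"] = sw.inspect_arp("gi0/1", 10, pc_ip, pc_mac)
    out["printer_after_reboot"] = sw.inspect_arp("gi0/3", 10, "10.0.0.50", "AA:BB:CC:00:00:50")
    sw.snoop_dhcp_ack("gi0/24", 10, pc_ip, pc_mac)                # client renews its lease
    out["pc_after_renew"] = sw.inspect_arp("gi0/1", 10, pc_ip, pc_mac)
    return out
```

Calling run_demo() shows the DHCP client being dropped both before its first lease and right after the reboot, while the statically bound printer and anything arriving on the trusted uplink keep working.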