Cisco DAI anti-ARP attack

Source: Internet
Author: User

Configure the security features of the LAN to prevent address misconfiguration and ARP attacks!
1. Enable DHCP snooping
Global commands:
ip dhcp snooping vlan 10,20,30
no ip dhcp snooping information option
ip dhcp snooping database flash:dhcpsnooping.text // save the binding table to a file in flash so it survives a power loss
ip dhcp snooping
Interface command:
ip dhcp snooping trust // set the port facing the DHCP server to trusted; all other ports stay untrusted (the default)
2. Enable DAI to prevent ARP spoofing and man-in-the-middle attacks! Using either manually configured bindings or the DHCP snooping binding table, the switch can determine which port an IP/MAC pair legitimately belongs to. If an ARP reply does not match the snooping bindings, it is discarded and the violation is logged. The offending port enters the err-disabled state, so the attacker cannot continue to damage the network!
Global command:
ip arp inspection vlan 30
Interface commands (configure DAI trusted ports on the links between switches; user ports stay on the default untrusted setting):
ip arp inspection trust
ip arp inspection limit rate 100
3. Enable IPSG
The prerequisite is that ip dhcp snooping is enabled, so that valid source address and port binding information is available. IPSG is a Layer 2 interface feature similar to uRPF (unicast reverse path forwarding check); uRPF applies to Layer 3 or router interfaces.
Interface commands:
switchport mode access
switchport port-security
ip verify source vlan dhcp-snooping port-security

4. Several solutions for hosts with static IP addresses
Add a static entry to the DHCP snooping binding table:
ip dhcp snooping binding 1.1.1 vlan 1 1.1.1.1 interface gi0/8
Add a static host through an ARP access list:
arp access-list static-arp
permit ip host 192.168.1.1 mac host 255..0000.0003
ip arp inspection filter static-arp vlan 30
Bind a fixed IP address to the client in DHCP:
ip dhcp pool test
host 192.168.1.18 255.255.255.0 // IP address assigned to the user
client-identifier 0101.0bf5.395e.55 // hardware type 01 followed by the client MAC
client-name test
Further notes and summary:
After ip dhcp snooping is enabled in global configuration mode on a Cisco switch, all ports are DHCP snooping untrusted by default, but the DHCP snooping information option (Option 82) is also enabled by default. In that state, a DHCP packet that already carries Option 82 is discarded when it arrives on an untrusted port. Therefore the ip dhcp snooping information option allow-untrusted command (disabled by default) must be configured on the 4506 to allow it to accept DHCP request packets carrying Option 82 on untrusted ports. We recommend instead disabling the information option on the access switch, that is, no ip dhcp snooping information option in global configuration mode.
7. Clients whose IP address and other parameters are configured manually can be supported by adding binding entries to the DHCP snooping binding database by hand. ip dhcp snooping binding 00d0.2bd0.d80a vlan 100 222.25.77.100 interface gig1/1 expiry 600 adds a binding entry for MAC address 00d0.2bd0.d80a with IP address 222.25.77.100, access port gig1/1, and a lease period of 600 seconds.
8. IPSG, that is, IP Source Guard, is built on the DHCP snooping function: it forms the IP source binding table and applies only to Layer 2 ports. When IPSG is enabled, all IP packets are received but only those matching an entry in the binding table are forwarded. By default, IPSG filters IP packets by source IP address only; to also filter on the source MAC address, DHCP snooping information option 82 must be enabled.
9. DAI, that is, Dynamic ARP Inspection, is based on the DHCP snooping binding database and likewise divides ports into trusted and untrusted. DAI only checks ARP packets on untrusted ports; it intercepts, logs, and discards ARP packets whose IP-to-MAC mapping does not match an entry in the snooping bindings. If DHCP snooping is not used, you must configure an ARP ACL manually.
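To make the DAI decision order from items 2, 4 and 9 concrete, the following added example (not from the original page, and a simplified model of IOS behaviour) shows how a switch treats ARP packets on trusted and untrusted ports: rate limit first, then the VLAN's ARP ACL for static hosts, then the DHCP snooping binding table. The binding from item 7 is reused; the uplink port gi0/24, the ACL MAC 0000.0000.0003 and the sample packets are constructed for the demo.

```python
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

# One entry of the DHCP snooping binding database (or a manually added binding).
Binding = namedtuple("Binding", "mac ip vlan port")

@dataclass
class DaiSwitch:
    trusted_ports: set                      # ports with 'ip arp inspection trust'
    bindings: set                           # DHCP snooping binding table
    arp_acl: dict = field(default_factory=dict)   # vlan -> [(action, ip, mac)]
    rate_limit: int = 100                   # 'ip arp inspection limit rate 100'
    err_disabled: set = field(default_factory=set)
    counts: dict = field(default_factory=lambda: defaultdict(int))
    log: list = field(default_factory=list)  # recorded violations

    def inspect(self, port, vlan, sender_ip, sender_mac, second=0):
        """Return 'forward' or 'drop' for one ARP packet received on a port."""
        if port in self.err_disabled:
            return "drop"
        if port in self.trusted_ports:      # DAI never inspects trusted ports
            return "forward"
        self.counts[(port, second)] += 1    # per-second ARP rate on an untrusted port
        if self.counts[(port, second)] > self.rate_limit:
            self.err_disabled.add(port)
            self.log.append(f"{port}: ARP rate exceeded, port err-disabled")
            return "drop"
        # The VLAN's ARP ACL is checked before the bindings; without the 'static'
        # keyword (as on this page) a packet matching no ACL entry falls through.
        for action, ip, mac in self.arp_acl.get(vlan, []):
            if (ip, mac) == (sender_ip, sender_mac):
                return "forward" if action == "permit" else "drop"
        if Binding(sender_mac, sender_ip, vlan, port) in self.bindings:
            return "forward"
        self.log.append(f"{port}: ARP {sender_ip}/{sender_mac} has no binding, dropped")
        return "drop"

def demo():
    sw = DaiSwitch(
        trusted_ports={"gi0/24"},   # assumed uplink to another switch
        bindings={Binding("00d0.2bd0.d80a", "222.25.77.100", 100, "gig1/1")},
        arp_acl={30: [("permit", "192.168.1.1", "0000.0000.0003")]},  # MAC constructed
    )
    return [
        sw.inspect("gig1/1", 100, "222.25.77.100", "00d0.2bd0.d80a"),  # matches binding
        sw.inspect("gig1/1", 100, "222.25.77.1", "00d0.2bd0.d80a"),    # claims another IP
        sw.inspect("gi0/8", 30, "192.168.1.1", "0000.0000.0003"),      # static host via ACL
        sw.inspect("gi0/24", 30, "10.0.0.1", "0000.0000.00aa"),        # trusted uplink
    ]
```

Running demo() returns ['forward', 'drop', 'forward', 'forward'], and the second packet leaves a violation in sw.log, which is the behaviour a practitioner should expect to see as DAI syslog messages on a real switch.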