- The switch uses DAI to prevent certain types of ARP-based attacks.
- To do this, the switch examines the addressing information carried in ARP messages.
- An ARP message includes four important addressing fields:
  - Sender MAC and IP address (the sender of the message)
  - Target MAC and IP address
- Gratuitous ARPs:
  - A gratuitous ARP occurs when a host sends an ARP reply without having seen an ARP request, and with a broadcast destination Ethernet address.
- DAI defeats ARP attacks by examining the ARP messages and then filtering out the inappropriate ones.
- DAI considers each switch port to be either untrusted (the default) or trusted.
- DAI inspects messages on untrusted ports only.
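The inspection logic described above, as an added Python example that is not part of the original notes or of any switch's firmware. It assumes a constructed binding table (the MAC/IP pair known to belong to each untrusted port, which a Cisco switch gets from DHCP snooping) and a trusted uplink port, and it decides whether each constructed ARP frame would be forwarded or dropped.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed binding table (assumption: the switch already knows which
# MAC/IP pair is legitimately attached to each untrusted port, as a Cisco
# switch does via its DHCP snooping binding table).
BINDINGS = {
    ("aa:aa:aa:aa:aa:01", "10.0.0.11"): "Gi0/1",
    ("aa:aa:aa:aa:aa:02", "10.0.0.12"): "Gi0/2",
}
TRUSTED_PORTS = {"Gi0/24"}  # uplink toward the router; DAI skips inspection here


@dataclass
class ArpFrame:
    in_port: str
    eth_src: str     # Ethernet header source MAC
    eth_dst: str     # Ethernet header destination MAC
    op: int          # 1 = ARP request, 2 = ARP reply
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    target_mac: str  # ARP target hardware address
    target_ip: str   # ARP target protocol address


def is_gratuitous(f: ArpFrame) -> bool:
    """ARP reply sent without a request, to the broadcast Ethernet address."""
    return f.op == 2 and f.eth_dst.lower() == BROADCAST


def inspect(f: ArpFrame) -> tuple:
    """Return (forward, reason) the way DAI would decide for this frame."""
    if f.in_port in TRUSTED_PORTS:
        return True, "trusted port: not inspected"
    # The Ethernet source MAC and the ARP sender MAC must agree.
    if f.eth_src.lower() != f.sender_mac.lower():
        return False, "Ethernet source MAC does not match ARP sender MAC"
    owner = BINDINGS.get((f.sender_mac.lower(), f.sender_ip))
    if owner is None:
        return False, "no binding for sender MAC/IP pair"
    if owner != f.in_port:
        return False, "binding belongs to port " + owner
    return True, "sender binding valid"
```

A gratuitous reply from an unknown host claiming another station's IP fails the binding lookup on an untrusted port, while the same frame arriving on the trusted uplink is forwarded without inspection.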
Friday, June 8, 2012
Dynamic ARP Inspection (DAI)
Port Security Config Commands

| Command | Purpose |
|---|---|
| switchport mode {access \| trunk} | Port security requires that the port be statically set as either access or trunking |
| switchport port-security [maximum value] | Enables port security on an interface and optionally defines the number of allowed MAC addresses on the port (default 1) |
| switchport port-security mac-address mac-address [vlan {vlan-id \| {access \| voice}}] | Statically defines an allowed MAC address, for a particular VLAN (if trunking), and for either the access or voice VLAN |
| switchport port-security mac-address sticky | Tells the switch to remember the dynamically learned MAC addresses |
| switchport port-security [aging] [violation {protect \| restrict \| shutdown}] | Defines the aging timer and the action taken when a violation occurs |