MikroTik Certified Switching Engineer (MTCSWE)
1 Introduction to Networking
1-1 Basic Networking Concepts
1-2 OSI Model
1-3 TCP/IP Model
1-4 Network Devices
2 MikroTik RouterOS Basics
2-1 Introduction to RouterOS
2-2 RouterOS Interface Types
2-3 Basic Configuration
2-4 User Management
2-5 System Logging
3 Switching Fundamentals
3-1 Introduction to Switching
3-2 MAC Addresses
3-3 Ethernet Frame Structure
3-4 VLAN Basics
3-5 Trunking and Inter-VLAN Routing
4 MikroTik SwitchOS Basics
4-1 Introduction to SwitchOS
4-2 SwitchOS Interface Types
4-3 Basic Configuration
4-4 User Management
4-5 System Logging
5 VLAN Configuration
5-1 VLAN Creation and Configuration
5-2 VLAN Trunking Protocol (VTP)
5-3 Inter-VLAN Routing
5-4 VLAN Security
6 Spanning Tree Protocol (STP)
6-1 Introduction to STP
6-2 STP Operation
6-3 Rapid Spanning Tree Protocol (RSTP)
6-4 Multiple Spanning Tree Protocol (MSTP)
6-5 STP Configuration
7 Link Aggregation
7-1 Introduction to Link Aggregation
7-2 Link Aggregation Control Protocol (LACP)
7-3 Static Link Aggregation
7-4 Link Aggregation Configuration
8 Quality of Service (QoS)
8-1 Introduction to QoS
8-2 QoS Models
8-3 Traffic Shaping and Policing
8-4 QoS Configuration
9 Security Features
9-1 Introduction to Network Security
9-2 Port Security
9-3 Access Control Lists (ACLs)
9-4 DHCP Snooping
9-5 Dynamic ARP Inspection (DAI)
10 Advanced Switching Topics
10-1 Layer 3 Switching
10-2 Multicast Routing
10-3 Link Layer Discovery Protocol (LLDP)
10-4 Power over Ethernet (PoE)
11 Troubleshooting and Maintenance
11-1 Common Switching Issues
11-2 Troubleshooting Tools
11-3 Switch Maintenance
11-4 Backup and Restore
12 MikroTik Certification Exam Preparation
12-1 Exam Overview
12-2 Study Tips
12-3 Practice Questions
12-4 Exam Registration and Scheduling
9.5 Dynamic ARP Inspection (DAI) Explained

Key Concepts of Dynamic ARP Inspection (DAI)

Dynamic ARP Inspection (DAI) is a security feature that protects against ARP spoofing attacks by validating ARP packets in a network. Key concepts include:

ARP Spoofing

ARP Spoofing is a type of attack in which an attacker sends falsified ARP messages over a local network. The falsified messages link the attacker's MAC address with the IP address of a legitimate computer or server on the network, so that traffic meant for that IP address is delivered to the attacker instead.

Example: In a corporate network, an attacker could send ARP messages to associate their MAC address with the IP address of the default gateway. This would redirect all traffic intended for the gateway to the attacker's device, allowing them to intercept and potentially alter the traffic.

DAI Mechanism

The DAI mechanism intercepts ARP packets arriving on untrusted ports, logs them, and discards any that are invalid. Only ARP packets whose IP-to-MAC binding can be verified are forwarded, which prevents ARP spoofing from succeeding through those ports.

Example: When a MikroTik switch receives an ARP packet on an untrusted port, it checks the packet against the trusted IP-to-MAC address mapping table. If the packet is invalid (e.g., the MAC address does not match the expected address for the IP), the switch discards the packet and logs the event.

Trusted and Untrusted Ports

Ports on a switch can be designated as trusted or untrusted based on their security level. Trusted ports are typically those connected to devices that are known to be secure, such as servers or network infrastructure devices. Untrusted ports are those connected to end-user devices that may be more susceptible to attacks.

Example: In a MikroTik switch, you can configure the port connected to the corporate server as a trusted port and all other ports connected to employee workstations as untrusted ports. This ensures that ARP packets from the server are always trusted, while packets from workstations are validated.

DHCP Snooping

DHCP Snooping is a feature that builds a trusted IP-to-MAC address mapping table by monitoring DHCP traffic. This table is used by DAI to validate ARP packets, ensuring that only legitimate IP-to-MAC address bindings are allowed in the network.

Example: When a MikroTik switch receives a DHCP request from a device, it records the device's IP address and MAC address in the DHCP Snooping binding table. DAI then uses this table to validate ARP packets, so that only devices with a valid IP-to-MAC binding can communicate on the network.
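The decision path described in this section (bindings learned from DHCP snooping, trusted ports bypassing the check, untrusted ports validated, invalid packets dropped and logged), as an added Python model that is not from the page or from MikroTik. Port names, addresses, MAC values and the ARP packets are constructed sample data; the gateway is assumed to have a static address and therefore no snooping binding.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ArpPacket:
    """Minimal view of an ARP packet as DAI sees it (constructed type)."""
    in_port: str
    sender_ip: str
    sender_mac: str

@dataclass
class DaiSwitch:
    """Models DAI: packets on trusted ports pass unchecked; packets on
    untrusted ports must match the DHCP-snooping binding table."""
    trusted_ports: set[str]
    bindings: dict[str, str] = field(default_factory=dict)   # ip -> mac
    log: list[str] = field(default_factory=list)

    def dhcp_snoop(self, ip: str, mac: str) -> None:
        """Record an IP-to-MAC binding learned from monitored DHCP traffic."""
        self.bindings[ip] = mac.lower()

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True if the ARP packet is forwarded, False if discarded."""
        if pkt.in_port in self.trusted_ports:
            return True                                  # trusted: not validated
        expected = self.bindings.get(pkt.sender_ip)
        if expected is None:
            reason = "no DHCP-snooping binding for sender IP"
        elif expected != pkt.sender_mac.lower():
            reason = f"sender MAC {pkt.sender_mac} does not match bound {expected}"
        else:
            return True                                  # binding verified
        self.log.append(f"DAI drop on {pkt.in_port}: {pkt.sender_ip}/{pkt.sender_mac}: {reason}")
        return False

def demo() -> dict[str, bool]:
    """Constructed scenario: gateway on trusted ether1, workstations with
    DHCP leases on untrusted ports, one of which claims the gateway's IP."""
    sw = DaiSwitch(trusted_ports={"ether1"})
    sw.dhcp_snoop("192.168.88.10", "aa:bb:cc:00:00:10")   # lease for ether2 host
    sw.dhcp_snoop("192.168.88.11", "aa:bb:cc:00:00:11")   # lease for ether3 host
    return {
        "gateway_trusted": sw.inspect(ArpPacket("ether1", "192.168.88.1", "aa:bb:cc:00:00:01")),
        "valid_host": sw.inspect(ArpPacket("ether2", "192.168.88.10", "aa:bb:cc:00:00:10")),
        "spoofed_gateway": sw.inspect(ArpPacket("ether3", "192.168.88.1", "aa:bb:cc:00:00:11")),
        "mac_mismatch": sw.inspect(ArpPacket("ether3", "192.168.88.10", "aa:bb:cc:00:00:11")),
    }
```

Statically addressed devices never appear in the binding table, so they are dropped on untrusted ports; that is why servers and infrastructure belong on trusted ports, as the section above recommends.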