In this exercise, you will simulate an ARP poisoning attack in a controlled lab environment, learn how to detect the duplicate MAC addresses using standard OS tools, and configure Dynamic ARP Inspection (DAI) on the switch to permanently block the attack.
When an attacker poisons the ARP cache, the IP address of the default gateway will map to the attacker's MAC address. You can detect this by comparing the MAC address of the gateway against its known, legitimate hardware address.
💡 Pro-tip: Use arp-scan or arpwatch on Linux to continuously monitor the network for MAC address flips or duplicate IP-to-MAC mappings, which are definitive signs of poisoning.
If the MAC address for the gateway (192.168.1.1) suddenly changes to match that of a known user workstation, an ARP spoofing attack is in progress.
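The comparison described above, as an added example that is not part of the lab material: it parses the local ARP table as printed by `ip neigh` or `arp -a` (Linux or Windows), flags a gateway whose MAC differs from the address recorded at setup, and lists every MAC claimed by more than one IP. The sample table, the gateway address and the "known good" MAC are constructed values.

```python
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output from a poisoned host (not a real capture):
# the gateway 192.168.1.1 now resolves to the MAC of the workstation at 192.168.1.20.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:20 REACHABLE
192.168.1.20 dev eth0 lladdr de:ad:be:ef:00:20 STALE
192.168.1.30 dev eth0 lladdr 00:50:56:ab:cd:30 REACHABLE
192.168.1.77 dev eth0 FAILED
192.168.1.255 dev eth0 lladdr ff:ff:ff:ff:ff:ff PERMANENT
"""

# Legitimate gateway hardware address recorded during lab setup (constructed value).
KNOWN_GATEWAYS = {"192.168.1.1": "00:11:22:33:44:55"}

# IPv4 address then a MAC (':' or '-' separated): covers ip neigh, Linux and Windows arp -a.
_ENTRY = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}).*?([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})", re.I)


def parse_arp_table(text):
    """Return {ip: mac}. Lines without a MAC (FAILED, INCOMPLETE, interface headers)
    and broadcast/IPv4-multicast entries, which legitimately share MACs, are skipped."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace("-", ":")
        if mac == "ff:ff:ff:ff:ff:ff" or mac.startswith("01:00:5e:"):
            continue
        table[ip] = mac
    return table


def find_duplicate_macs(table):
    """Return {mac: [ips]} for every MAC address claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateways(table, known):
    """Return {ip: observed_mac} for each gateway whose MAC differs from the known one."""
    return {ip: table[ip] for ip, mac in known.items() if ip in table and table[ip] != mac}


if __name__ == "__main__":
    arp = parse_arp_table(SAMPLE_NEIGH)
    print("gateway MAC mismatches:", check_gateways(arp, KNOWN_GATEWAYS))
    print("duplicate IP-to-MAC mappings:", find_duplicate_macs(arp))
```

On a live host, feed the script the output of `ip neigh show` (or `arp -a`) instead of the constructed sample; a non-empty result from either check is the condition the text describes.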
To prevent this, configure DHCP Snooping to build a trusted IP-to-MAC binding table, then enable DAI on the user VLANs. The switch will then drop any ARP packet whose IP-to-MAC mapping does not match the binding table.
⚠️ If you enable DAI on a network with servers that use static IPs (and thus never appear in the DHCP snooping table), DAI will drop their ARP traffic. You must manually add static binding entries (or an ARP ACL) for every static-IP server before enabling DAI.
| Tool | Function | OS / Platform |
|---|---|---|
| arpwatch | Passive monitoring | Linux |
| XArp | Active detection | Windows |
| DAI | Hardware prevention | Cisco Switches |