Configuring Device Security
Defining Dynamic ARP Inspection
Cisco Small Business SFE/SGE Managed Switches Administration Guide
141
4
-
Resource Problem — Indicates that the TCAM is full.
STEP 4
Click Apply. The device is updated.
Defining Dynamic ARP Inspection
Dynamic Address Resolution Protocol
(ARP) is a TCP/IP protocol for translating IP
addresses into MAC addresses. Classic ARP does the following:
•
Permits two hosts on the same network to communicates and send packets.
•
Permits two hosts on different packets to communicate via a gateway.
•
Permits routers to send packets via a host to a different router on the same
network.
•
Permits routers to send packets to a destination host via a local host.
ARP Inspection intercepts, discards, and logs ARP packets that contain invalid IP-
to-MAC address bindings. This eliminates man-in-the-middle attacks, where false
ARP packets are inserted into the subnet. Packets are classified as:
•
Trusted — Indicates that the interface IP and MAC address are recognized,
and recorded in the ARP Inspection List. Trusted packets are forward
without ARP Inspection.
•
Untrusted — Indicates that the packet arrived from an interface that does
not have a recognized IP and MAC addresses. The packet is checked for:
-
Source MAC
— Compares the packet’s source MAC address in the
Ethernet header against the sender’s MAC address in the ARP request.
This check is performed on both ARP requests and responses.
-
Destination MAC
— Compares the packet’s destination MAC address in
the Ethernet header against the destination interface’s MAC address.
This check is performed for ARP responses.
-
IP Addresses
— Checks the ARP body for invalid and unexpected IP
addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP
Multicast addresses.
If the packet’s IP address was not found in the ARP Inspection List, and DHCP
snooping is enabled for a VLAN, a search of the DHCP Snooping Database is
performed. If the IP address is found, the packet is valid and is forwarded.