66
Enhancements
Release L.10.28 Enhancements
Release L.10.28 Enhancements
Release L.10.28 includes the following enhancement:
■
Enhancement (PR_1000451356)
— Dynamic ARP Protection support.
Dynamic ARP Protection
Introduction
On the VLAN interfaces of a routing switch, dynamic ARP protection ensures that only valid ARP
requests and responses are relayed or used to update the local ARP cache. ARP packets with invalid
IP-to-MAC address bindings advertised in the source protocol address and source physical address
fields are discarded. For more information about the ARP cache, refer to “ARP Cache Table” in the
Multicast and Routing Guide
.
ARP requests are ordinarily broadcast and received by all devices in a broadcast domain. Most ARP
devices update their IP-to-MAC address entries each time they receive an ARP packet even if they
did not request the information. This behavior makes an ARP cache vulnerable to attacks.
Because ARP allows a node to update its cache entries on other systems by broadcasting or unicasting
a gratuitous ARP reply, an attacker can send his own IP-to-MAC address binding in the reply that
causes all traffic destined for a VLAN node to be sent to the attacker's MAC address. As a result, the
attacker can intercept traffic for other hosts in a classic "man-in-the-middle" attack. The attacker
gains access to any traffic sent to the poisoned address and can capture passwords, e-mail, and VoIP
calls or even modify traffic before resending it.
Another way in which the ARP cache of known IP addresses and associated MAC addresses can be
poisoned is through unsolicited ARP responses. For example, an attacker can associate the IP address
of the network gateway with the MAC address of a network node. In this way, all outgoing traffic is
prevented from leaving the network because the node does not have access to outside networks. As
a result, the node is overwhelmed by outgoing traffic destined to another network.
Dynamic ARP protection is designed to protect your network against ARP poisoning attacks in the
following ways:
■
Allows you to differentiate between trusted and untrusted ports.
■
Intercepts all ARP requests and responses on untrusted ports before forwarding them.
■
Verifies IP-to-MAC address bindings on untrusted ports with the information stored in the lease
database maintained by DHCP snooping and user-configured static bindings (in non-DHCP
environments):
•
If a binding is valid, the switch updates its local ARP cache and forwards the packet.
•
If a binding is invalid, the switch drops the packet, preventing other network devices from
receiving the invalid IP-to-MAC information.