Cisco Catalyst 4948 User Manual

Chapter 11: Controlling Traffic and Switch Access 191
Section 11-9
Dynamic ARP Inspection
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before it updates the local ARP cache or before it forwards the packet to the appropriate destination
• Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP Snooping binding database. This database is built by DHCP Snooping if DHCP Snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid. In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP ACLs for hosts with statically configured IP addresses. You can issue the arp access-list global configuration command to define an ARP ACL. ARP ACLs take precedence over entries in the DHCP Snooping binding database. The switch uses ACLs only if you issue the ip arp inspection filter vlan global configuration command to configure the ACLs. The switch first compares ARP packets to user-configured ARP ACLs. If the ARP ACL denies the ARP packet, the switch also denies the packet even if a valid binding exists in the database populated by DHCP Snooping.
Feature Example
1. Enable dynamic ARP inspection on the VLAN:
switch(config)# ip arp inspection vlan 1
2. Configure the interface connected to the DHCP server as trusted:
switch(config)# interface fastEthernet 1/0/3
switch(config-if)# ip arp inspection trust
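To make the decision order of the section concrete (trusted port, then ARP ACL, then DHCP Snooping bindings), here is an added Python model of the checks; it is not Cisco's code and it simplifies: it matches only the ARP sender IP/MAC, the binding table and ACL are constructed sample data, and it assumes a packet matching no ACL entry falls back to the binding database.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    sender_ip: str
    sender_mac: str

@dataclass(frozen=True)
class Port:
    name: str
    trusted: bool

# Constructed DHCP Snooping binding database: (vlan, ip) -> mac learned via DHCP
BINDINGS = {
    (1, "10.0.0.10"): "00:11:22:33:44:55",
    (1, "10.0.0.11"): "00:11:22:33:44:66",
}

# Constructed ARP ACL applied to VLAN 1 (as with 'ip arp inspection filter'):
# entries are (action, sender_ip, sender_mac) and are checked before the bindings
ARP_ACL = {
    1: [
        ("permit", "10.0.0.50", "aa:bb:cc:dd:ee:01"),  # static host, no DHCP lease
        ("deny", "10.0.0.11", "00:11:22:33:44:66"),    # denied despite a valid binding
    ],
}

def dai_decide(pkt, port, bindings=BINDINGS, acls=ARP_ACL):
    """Return (action, reason) for an ARP packet arriving on `port`."""
    if port.trusted:
        return "forward", "trusted interface, no check"
    # ARP ACL entries take precedence over the DHCP Snooping database
    for action, ip, mac in acls.get(pkt.vlan, []):
        if (ip, mac) == (pkt.sender_ip, pkt.sender_mac):
            if action == "deny":
                return "drop", "denied by ARP ACL"
            return "forward", "permitted by ARP ACL"
    # Assumption of this model: a packet matching no ACL entry is then
    # validated against the DHCP Snooping bindings for its VLAN
    if bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac:
        return "forward", "valid DHCP Snooping binding"
    return "drop", "invalid IP-to-MAC binding"

def dai_log(pkt, port):
    # One log line per decision, mirroring DAI's intercept/log/drop behaviour
    action, reason = dai_decide(pkt, port)
    return f"DAI {action.upper()} vlan={pkt.vlan} port={port.name} sender={pkt.sender_ip}/{pkt.sender_mac} ({reason})"
```

Feeding the same spoofed sender (10.0.0.10 with a MAC that differs from its DHCP lease) through an untrusted and then a trusted port shows why the DHCP server uplink, and only that uplink, should be marked trusted.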

Cisco Catalyst 4948 Specifications

Switching Capacity: 136 Gbps
Forwarding Rate: 102 Mpps
Rack Units: 1U
MAC Address Table Size: 32,000 entries
Authentication Method: RADIUS, TACACS+
RAM: 256 MB
Flash Memory: 64 MB
Power Device: Internal power supply
Voltage Required: 100-240 VAC
Weight: 16.5 lbs
Operating Humidity: 10% to 85% non-condensing
Ports: 48 x 10/100/1000
Power Supply: Internal
Layer Support: Layer 3
Jumbo Frame Support: Yes (up to 9216 bytes)
Routing Protocol: RIP, OSPF, EIGRP, BGP
Remote Management Protocol: SNMP, Telnet, SSH
Features: VLAN support, QoS
Compliant Standards: IEEE 802.3, IEEE 802.3u, IEEE 802.3ab, IEEE 802.1Q, IEEE 802.1p
Operating Temperature: 32 °F to 104 °F (0 °C to 40 °C)
