405
Cisco Systems, Inc. www.cisco.com
Configuring Dynamic ARP Inspection
Prerequisites for Dynamic ARP Inspection
Dynamic Address Resolution Protocol (ARP) inspection depends on the entries in the DHCP snooping binding
database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable
DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.
Restrictions for Dynamic ARP Inspection
To use this feature, the switch must be running the LAN Base image.
Information About Dynamic ARP Inspection
Dynamic ARP Inspection
Dynamic ARP inspection (DAI) helps prevent malicious attacks on the switch by not relaying invalid ARP requests and
responses to other ports in the same VLAN.
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For
example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache.
Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated
with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with
its MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received,
an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under
attack flows through the attacker’s computer and then to the router, switch, or host.
A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches
of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure 63 on
page 405 shows an example of ARP cache poisoning.
Figure 63 ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP
and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When
Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated
with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP
[Figure 63: Host A (IA, MA), Host B (IB, MB) and Host C (man-in-the-middle) (IC, MC) attached to switch interfaces A, B and C]
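The binding check DAI performs, as an added Python model (not Cisco code): a constructed DHCP snooping binding table for Hosts A, B and C of Figure 63, and the gratuitous reply with which Host C claims IB using MC. The IP addresses, MAC addresses, interface names and the trusted uplink port are all constructed values; the model checks only the sender IP-to-MAC binding per VLAN, which is the verification the text describes.

```python
"""Model of the Dynamic ARP Inspection (DAI) binding check.

Constructed example, not Cisco code. DAI relies on the DHCP snooping
binding database, so every address and port below is a made-up value
standing in for IA/MA, IB/MB and IC/MC on interfaces A, B and C.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    in_port: str        # ingress interface
    sender_ip: str      # ARP sender protocol address
    sender_mac: str     # ARP sender hardware address
    is_reply: bool      # False = request, True = (possibly gratuitous) reply


# DHCP snooping binding database: (vlan, ip) -> mac. Constructed values.
BINDINGS = {
    (10, "10.0.0.1"): "00:00:00:00:00:0a",   # Host A (IA -> MA) on port A
    (10, "10.0.0.2"): "00:00:00:00:00:0b",   # Host B (IB -> MB) on port B
    (10, "10.0.0.3"): "00:00:00:00:00:0c",   # Host C (IC -> MC) on port C
}

# Interfaces configured as DAI-trusted are not inspected (constructed uplink).
TRUSTED_PORTS = {"Gi1/24"}


def dai_inspect(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (forward, reason).

    Requests and replies are validated the same way against the snooping
    database, so a gratuitous reply that maps another host's IP to the
    sender's MAC is dropped instead of being relayed to the VLAN.
    """
    if pkt.in_port in trusted:
        return True, "trusted interface, not inspected"
    bound_mac = bindings.get((pkt.vlan, pkt.sender_ip))
    if bound_mac is None:
        return False, f"no binding for {pkt.sender_ip} in VLAN {pkt.vlan}"
    if bound_mac != pkt.sender_mac:
        kind = "gratuitous reply" if pkt.is_reply else "request"
        return False, (f"{kind} maps {pkt.sender_ip} to {pkt.sender_mac}, "
                       f"database says {bound_mac}")
    return True, "binding valid"


if __name__ == "__main__":
    # Host A's legitimate request, then Host C's poisoning reply for IB.
    legit = ArpPacket(10, "Gi1/1", "10.0.0.1", "00:00:00:00:00:0a", False)
    poison = ArpPacket(10, "Gi1/3", "10.0.0.2", "00:00:00:00:00:0c", True)
    for p in (legit, poison):
        print(dai_inspect(p))
```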