Arp Cache Poisoning; How Arp Prevents Cache Poisoning - Cisco SF220-24 Administration Manual

220 series

Hide thumbs Also See for SF220-24:

Quick start manual (17 pages)

Quick start manual (2 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

page of 289

/ 289
Contents
Table of Contents
Bookmarks

Table of Contents

Configuring Security

Configuring Dynamic ARP Inspection

Cisco 220 Series Smart Switches Administration Guide Release 1.1.0.x

ARP Cache Poisoning

A malicious user can attack hosts, switches, and routers connected to a Layer 2

network by poisoning the ARP caches of systems connected to the subnet and by

intercepting traffic intended for other hosts on the subnet. This situation can

happen because ARP allows a gratuitous reply from a host even if an ARP request

was not received. After the attack, all traffic from the device under attack flows

through the attacker's computer and then to the router, switch, or host.

How ARP Prevents Cache Poisoning

The ARP inspection feature relates to interfaces as either trusted or untrusted (see

Security > ARP Inspection > Interface Settings page).

Interfaces are classified by the user as follows:

•

Trusted—Packets are not inspected.

•

Untrusted—Packets are inspected as described above.

ARP inspection is performed only on untrusted interfaces. ARP packets that are

received on the trusted interface are simply forwarded.

Upon packet arrival on untrusted interfaces the following logic is implemented:

•

Search the ARP access control rules for the packet's IP/MAC addresses. If

the IP address is found and the MAC address in the list matches the

packet's MAC address, then the packet is valid.

•

If the packet's IP address was not found, and DHCP Snooping is enabled for

the packet's VLAN, search the DHCP Snooping Binding database for the

packet's <VLAN - IP address> pair. If the <VLAN - IP address> pair was

found, and the MAC address and the interface in the database match the

packet's MAC address and ingress interface, the packet is valid.

•

If the packet's IP address was not found in the ARP access control rules or in

the DHCP Snooping Binding database the packet is invalid and is dropped.

A SYSLOG message is generated.

•

If a packet is valid, it is forwarded and the ARP cache is updated.

If the ARP Packet Validation option is selected (on the Properties page), the

following additional validation checks are performed:

•

Source MAC Address—Compares the packet's source MAC address in

the Ethernet header against the sender's MAC address in the ARP request.

This check is performed on both ARP requests and responses.

227

Table of Contents

Show Quick Links

Hide quick links:

Table of Contents

This manual is also suitable for:

Sf220-24p Sf220-48 Sf220-48p Sg220-26 Sg220-26p Sg220-50p ... Show all

Arp Cache Poisoning; How Arp Prevents Cache Poisoning - Cisco SF220-24 Administration Manual

ARP Cache Poisoning

How ARP Prevents Cache Poisoning

Hide quick links:

Related Manuals for Cisco SF220-24

Related Content for Cisco SF220-24

This manual is also suitable for:

Table of Contents