How Arp Prevents Cache Poisoning - Cisco 300 Series Administration Manual

Security
ARP Inspection
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
The following shows an example of ARP cache poisoning.

[Figure: ARP Cache Poisoning]
Hosts A, B, and C are connected to the switch on interfaces A, B, and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate with Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. Host B responds with an ARP reply. The switch and Host A update their ARP caches with the MAC and IP addresses of Host B.

Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB, which enables Host C to intercept that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has thereby inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle attack.
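The scenario above, and the trusted/untrusted interface model that the next section introduces, can be exercised in a small switch model. This is an added example, not code from the Cisco guide: the interface names, the IA/IB/IC and MA/MB/MC addresses, and the ARP packets are constructed to match the Host A/B/C description. How the switch decides whether an ARP packet on an untrusted interface is legitimate is an assumption here, modelled as a lookup in a known-good IP-to-MAC binding table; packets arriving on trusted interfaces are forwarded without being checked. Running the same packet sequence with inspection off shows the poisoned cache the text describes, and with inspection on shows the forged replies being dropped before they reach the cache.

```python
"""Model of a switch ARP cache with and without ARP inspection.

Added example; not the guide's own code. The binding table is an assumption
standing in for whatever source of known-good bindings the switch uses.
"""
from dataclasses import dataclass, field

# Constructed addresses for the Host A / B / C scenario.
IA, IB, IC = "10.0.0.1", "10.0.0.2", "10.0.0.3"
MA, MB, MC = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class ArpPacket:
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str
    ingress: str     # switch interface the packet arrived on


@dataclass
class Switch:
    inspection_enabled: bool
    trusted: set                 # interfaces whose ARP traffic is not inspected
    bindings: dict               # IP -> MAC known-good table (assumption)
    arp_cache: dict = field(default_factory=dict)
    drops: list = field(default_factory=list)

    def inspect(self, pkt: ArpPacket) -> bool:
        """Apply ARP inspection to one packet.

        Returns True if the packet is accepted (cache updated), False if dropped.
        Only the sender binding is validated; a fuller check would also
        validate the target binding of replies.
        """
        if not self.inspection_enabled or pkt.ingress in self.trusted:
            accepted = True
        else:
            expected = self.bindings.get(pkt.sender_ip)
            accepted = expected is not None and expected.lower() == pkt.sender_mac.lower()
        if accepted:
            self.arp_cache[pkt.sender_ip] = pkt.sender_mac
        else:
            self.drops.append(
                f"DROP {pkt.op} on {pkt.ingress}: {pkt.sender_ip} claimed by "
                f"{pkt.sender_mac}, expected {self.bindings.get(pkt.sender_ip)}"
            )
        return accepted

    def resolve(self, ip: str):
        """Destination MAC the switch would now use for traffic to `ip`."""
        return self.arp_cache.get(ip)


def run_scenario(inspection_enabled: bool) -> dict:
    """Replay the A -> B exchange followed by C's forged replies."""
    sw = Switch(
        inspection_enabled=inspection_enabled,
        trusted=set(),                       # all host-facing ports untrusted
        bindings={IA: MA, IB: MB, IC: MC},
    )
    packets = [
        # Legitimate exchange: A asks for IB, B answers.
        ArpPacket("request", IA, MA, IB, BROADCAST, "A"),
        ArpPacket("reply", IB, MB, IA, MA, "B"),
        # Forged replies from C claiming IA and IB map to MC.
        ArpPacket("reply", IA, MC, IB, MB, "C"),
        ArpPacket("reply", IB, MC, IA, MA, "C"),
    ]
    for pkt in packets:
        sw.inspect(pkt)
    return {
        "cache": dict(sw.arp_cache),
        "dropped": len(sw.drops),
        "mac_for_IB": sw.resolve(IB),
        "log": list(sw.drops),
    }


if __name__ == "__main__":
    for enabled in (False, True):
        result = run_scenario(enabled)
        print(f"inspection={'on' if enabled else 'off'}: cache={result['cache']} "
              f"dropped={result['dropped']} traffic for IB goes to {result['mac_for_IB']}")
        for line in result["log"]:
            print("  ", line)
```

With inspection off, both forged replies are accepted and traffic for IB is sent to MC, which is exactly the interception the text describes; with inspection on, the two forged replies are dropped and logged, and the cache keeps the real binding IB -> MB. The log lines are what a defender would expect to see as the switch's ARP inspection drop counters or syslog entries rising on the untrusted port where the forged replies arrive.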

How ARP Prevents Cache Poisoning

The ARP Inspection feature treats interfaces as either trusted or untrusted (see the Security > ARP Inspection > Interface Setting page). Interfaces are classified by the user as follows: