Interface Trust States And Network Security - Cisco Catalyst 2960-XR Security Configuration Manual

Interface Trust States and Network Security

means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA
and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination.
Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the middleattack.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs,and
discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from
certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs
these activities:
• Intercepts all ARP requests and responses on untrusted ports
• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating
• Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings
stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping
if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted
interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards
the packet only if it is valid.
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan vlan-range
global configuration command.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured ARP
access control lists (ACLs) for hosts with statically configured IP addresses. You define an ARP ACL by
using the arp access-list acl-name global configuration command.
You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are
invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in
the Ethernet header. Use the ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration
command.
Interface Trust States and Network Security
Dynamic ARP inspection associates a trust state with each interface on the switch. Packets arriving on trusted
interfaces bypass all dynamic ARP inspection validation checks, and those arriving on untrusted interfaces
undergo the dynamic ARP inspection validation process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted and
configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering
the network from a given switch bypass the security check. No other validation is needed at any other place
in the VLAN or in the network. You configure the trust setting by using theip arp inspection trust interface
configuration command.
Caution Use the trust state configuration carefully. Configuring interfaces as untrusted when they should betrusted
can result in a loss of connectivity.
In the following figure, assume that both Switch A and Switch B are running dynamic ARP inspection on the
VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server
connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
198
the local ARP cache or before forwarding the packet to the appropriate destination
Configuring Dynamic ARP Inspection
OL-29434-01