Understanding Dynamic Arp Inspection - Cisco Catalyst 2960 series Configuration Manual
Consolidated platform configuration guide, ios release 15.2(4)e
Hide thumbs
Also See for Catalyst 2960 series:
- Software configuration manual (980 pages) ,
- Command reference manual (800 pages) ,
- Configuration manual (120 pages)
Table of Contents
Advertisement
• In the presence of vlan-bridging & IP device tracking, the cross-stack ARP packet forwarding will not
Understanding Dynamic ARP Inspection
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC
address. For example, Host B wants to send information to Host A but does not have the MAC address of
Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to
obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain
receive the ARP request, and Host A responds with its MAC address. However,because ARP allows a gratuitous
reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP
caches can occur. After the attack, all traffic from the device under attack flows through the attacker's computer
and then to the router, switch, or host.
A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the
ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the
subnet. Figure 26-1 shows an example of ARP cache poisoning.
Figure 89: ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet.
Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC
address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for
the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they
populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA;
for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A
populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses
with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned
ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This
means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA
and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination.
Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the middleattack.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs,and
discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from
certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs
these activities:
• Intercepts all ARP requests and responses on untrusted ports
work.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
Understanding Dynamic ARP Inspection
1301
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
