Chapter 4 Access Control List Screens
Figure 68 Man-in-the-middle Attack
Computer B tries to establish a connection with computer A. Computer X is in the same broadcast domain as computer A. Computer X can intercept ARP packets so that:
• X pretends to be computer A and responds to computer B
• X pretends to be computer B and sends a message to computer A
Computer X does this by responding to the ARP Request for computer A with an ARP Reply in which it writes its own MAC address. The gateway then sends packets for computer A to computer X. Computer X uses the same type of trick to act like the gateway to computer A. This causes all the communications between computer A and computer B to pass through computer X, allowing computer X to read and alter the information passed between them.
ARP inspection can prevent this by filtering the ARP (Request and Reply) packets. ARP inspection has the IES drop all ARP packets from senders that are not trusted clients. A trusted client could either be:
• A client whose IP is in the static DHCP snooping pool (configured by the "acl dhcpsnoop pool" CLI command).
• A client whose IP and MAC address matches a pair in the dynamic DHCP snooping database (IP-MAC mapping collected from DHCP snooping).
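The filtering rule described above, written out as an added example (not code from the guide or the IES firmware): an ARP packet arriving on a subscriber port is forwarded only if its sender IP is in the static pool or its sender IP/MAC pair is in the dynamic snooping database for that port; everything else is dropped. The port names, addresses and binding tables are constructed sample data.

```python
import struct

# Constructed DHCP snooping state (sample data, not from the guide).
# Static pool: a client is trusted by IP alone, as set with "acl dhcpsnoop pool".
STATIC_POOL = {("sub1", "10.0.0.1")}
# Dynamic database: (port, IP, MAC) bindings learned from DHCP exchanges.
DYNAMIC_DB = {("sub2", "10.0.0.2", "00:11:22:33:44:02")}

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build a minimal Ethernet/ARP frame; used only to construct test input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    eth = mac(target_mac) + mac(sender_mac) + b"\x08\x06"      # dst, src, type=ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)       # Ethernet/IPv4 header
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if not a well-formed IPv4 ARP."""
    if len(frame) < 42:
        return None
    hw, proto, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip

def inspect_arp(port, frame):
    """ARP inspection on a subscriber port: 'forward' trusted senders, 'drop' the rest."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x06":
        return "forward"          # not an ARP frame; inspection does not apply
    parsed = parse_arp(frame)
    if parsed is None:
        return "drop"             # truncated or non-IPv4 ARP on an inspected port
    _opcode, mac, ip = parsed     # Request and Reply are checked the same way
    if (port, ip) in STATIC_POOL:
        return "forward"          # trusted by static pool entry
    if (port, ip, mac) in DYNAMIC_DB:
        return "forward"          # IP/MAC pair matches a snooped binding
    return "drop"                 # sender is not a trusted client
```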
Click ACL > Arp Inspection in the navigation panel to display the screen shown next. Use this screen to turn ARP inspection on or off for the subscriber ports.
Management Switch Card User's Guide