Cisco 350 Series Administration Manual page 504

Security
ARP Inspection
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
• Properties
• Interfaces Settings
• Interfaces Settings
• ARP Access Control
• ARP Access Control Rules
• VLAN Settings
How ARP Prevents Cache Poisoning
The ARP inspection feature relates to interfaces as either trusted or untrusted (see
Settings page).
Interfaces are classified by the user as follows:
• Trusted — Packets are not inspected.
• Untrusted —Packets are inspected as described above.
ARP inspection is performed only on untrusted interfaces. ARP packets that are received on
the trusted interface are simply forwarded.
Upon packet arrival on untrusted interfaces the following logic is implemented:
• Search the ARP access control rules for the packet's IP/MAC addresses. If the IP
address is found and the MAC address in the list matches the packet's MAC address,
then the packet is valid; otherwise it is not.
• If the packet's IP address was not found, and DHCP Snooping is enabled for the
packet's VLAN, search the DHCP Snooping Binding database for the packet's <VLAN
- IP address> pair. If the <VLAN - IP address> pair was found, and the MAC address
and the interface in the database match the packet's MAC address and ingress
interface, the packet is valid.
• If the packet's IP address was not found in the ARP access control rules or in the
DHCP Snooping Binding database the packet is invalid and is dropped. A SYSLOG
message is generated.
• If a packet is valid, it is forwarded and the ARP cache is updated.
17
Interfaces
361