Interface Trust States And Network Security - Cisco IE-4000 Software Configuration Manual

Configuring Dynamic ARP Inspection
Information About Dynamic ARP Inspection
binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address
MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP
address IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with
bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the
MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that Host C intercepts that
traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic
to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from
Host A to Host B, the classic man-in-the middle attack.
DAI is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid
IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks.
DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities:

Intercepts all ARP requests and responses on untrusted ports

Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP
cache or before forwarding the packet to the appropriate destination

Drops invalid ARP packets
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database,
the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the
VLANs and on the switch. If the ARP packet is received on a trusted interface, the switch forwards the packet without
any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.

Interface Trust States and Network Security

DAI associates a trust state with each interface on the switch. Packets arriving on trusted interfaces bypass all DAI
validation checks, and those arriving on untrusted interfaces undergo the DAI validation process.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all
switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given
switch bypass the security check. No other validation is needed at any other place in the VLAN or in the network. You
configure the trust setting by using the ip arp inspection trust interface configuration command.
Caution: Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be
trusted can result in a loss of connectivity.
In Figure 64 on page
and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A
binds the IP-to-MAC address of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP
packets from Host 1 are dropped by Switch B. Connectivity between Host 1 and Host 2 is lost.
407, assume that both Switch A and Switch B are running DAI on the VLAN that includes Host 1
406