Configuring ARP Inspection
Classic Address Resolution Protocol (ARP) is a protocol of the TCP/IP suite that maps IP addresses to MAC addresses. Classic ARP:
• Permits two hosts on the same network to communicate and send packets.
• Permits two hosts on different networks to communicate via a gateway.
• Permits routers to send packets via a host to a different router on the same network.
• Permits routers to send packets to a destination host via a local host.
ARP Inspection prevents man-in-the-middle attacks in which forged ARP packets are injected into the subnet. ARP requests and responses are inspected, and the MAC address to IP address binding that each one asserts is checked against the ARP Inspection bindings. Packets with invalid bindings are logged and dropped. Packets are classified as:
• Trusted — The packet arrived on an interface whose IP and MAC address are recognized and recorded in the ARP Inspection List. Trusted packets are forwarded without ARP Inspection.
• Untrusted — The packet arrived on an interface that does not have a recognized IP and MAC address. The packet is checked for:
  – Source MAC — Compares the packet's Ethernet source MAC address against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.
  – Destination MAC — Compares the packet's Ethernet destination MAC address against the destination interface's MAC address. This check is performed on ARP responses only.
  – IP Addresses — Checks the ARP body for invalid or unexpected IP addresses, including 0.0.0.0, 255.255.255.255, and all IP multicast addresses. If the packet's IP address is not found in the ARP Inspection List and DHCP snooping is enabled on the VLAN, the DHCP Snooping Database is searched. If the IP address is found there and its binding matches the packet, the packet is valid and is forwarded; otherwise it is logged and dropped.
ARP Inspection is performed only on untrusted interfaces.
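The sequence of checks applied to an untrusted packet, as an added example rather than the switch's own code: a small Python validator parses an Ethernet/ARP frame and applies the source MAC, destination MAC, invalid IP and binding checks in that order, consulting the static ARP Inspection List first and the DHCP Snooping Database only when snooping is enabled on the ingress VLAN. The interface names, MAC and IP addresses, bindings and frames are constructed for illustration. Two details are assumptions about switch behaviour, not statements on this page: the destination MAC check is implemented as a comparison against the target hardware address carried in the ARP reply, and the target IP address is validated only in replies.

```python
import ipaddress
import struct
from dataclasses import dataclass, field

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))


def invalid_ip(b: bytes) -> bool:
    """0.0.0.0, 255.255.255.255 and multicast are never valid in an ARP body."""
    v = ipaddress.IPv4Address(b)
    return str(v) in ("0.0.0.0", "255.255.255.255") or v.is_multicast


def build_arp(op, src_mac, dst_mac, sha, spa, tha, tpa) -> bytes:
    """Assemble an Ethernet II frame carrying one ARP packet (constructed test input)."""
    eth = ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETHERTYPE_ARP)
    body = ARP_PKT.pack(1, 0x0800, 6, 4, op, mac(sha), ipaddress.IPv4Address(spa).packed,
                        mac(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + body


@dataclass
class Interface:
    name: str
    vlan: int
    trusted: bool = False          # set by the "Defining Trusted Interfaces" screen


@dataclass
class Inspector:
    arp_list: dict                                   # (vlan, ip) -> mac, static ARP Inspection List
    dhcp_snooping_db: dict = field(default_factory=dict)   # (vlan, ip) -> mac, learned from DHCP
    snooping_vlans: set = field(default_factory=set)        # VLANs with DHCP snooping enabled
    log: list = field(default_factory=list)

    def _drop(self, ingress, reason):
        self.log.append(f"ARP inspection: dropped on {ingress.name} vlan {ingress.vlan}: {reason}")
        return ("drop", reason)

    def inspect(self, frame: bytes, ingress: Interface):
        if ingress.trusted:                              # trusted interfaces bypass inspection
            return ("forward", "trusted interface, not inspected")
        dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame)
        if ethertype != ETHERTYPE_ARP:
            return ("forward", "not ARP")
        _, _, _, _, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
        # Source MAC: Ethernet source must equal the sender hardware address (requests and replies)
        if src_mac != sha:
            return self._drop(ingress, f"source MAC {mac_str(src_mac)} != sender MAC {mac_str(sha)}")
        # Destination MAC (replies only); assumption: compared against the ARP target hardware address
        if op == ARP_REPLY and dst_mac != tha:
            return self._drop(ingress, f"destination MAC {mac_str(dst_mac)} != target MAC {mac_str(tha)}")
        # IP addresses: sender IP always; target IP in replies only (assumption)
        for label, addr in (("sender", spa), ("target", tpa)):
            if label == "target" and op != ARP_REPLY:
                continue
            if invalid_ip(addr):
                return self._drop(ingress, f"invalid {label} IP {ip_str(addr)}")
        # Binding: ARP Inspection List first, then DHCP Snooping Database if snooping is on for the VLAN
        key = (ingress.vlan, ip_str(spa))
        bound, source = self.arp_list.get(key), "ARP Inspection List"
        if bound is None and ingress.vlan in self.snooping_vlans:
            bound, source = self.dhcp_snooping_db.get(key), "DHCP Snooping Database"
        if bound is None:
            return self._drop(ingress, f"no binding for {key[1]} on vlan {key[0]}")
        if mac(bound) != sha:
            return self._drop(ingress, f"{key[1]} is bound to {bound} in {source}, packet claims {mac_str(sha)}")
        return ("forward", f"binding verified via {source}")


def demo():
    """Run constructed frames through the inspector; returns (verdicts, drop log)."""
    insp = Inspector(arp_list={(10, "10.0.0.1"): "00:11:22:33:44:01"},         # gateway, static entry
                     dhcp_snooping_db={(10, "10.0.0.50"): "00:11:22:33:44:50"},  # host leased via DHCP
                     snooping_vlans={10})
    host_port = Interface("gi1/0/5", vlan=10)
    uplink = Interface("gi1/0/1", vlan=10, trusted=True)
    host, attacker, zero = "00:11:22:33:44:50", "de:ad:be:ef:00:01", "00:00:00:00:00:00"
    frames = {
        "legit_request": build_arp(ARP_REQUEST, host, BROADCAST, host, "10.0.0.50", zero, "10.0.0.1"),
        "spoofed_gateway_reply": build_arp(ARP_REPLY, attacker, host, attacker, "10.0.0.1", host, "10.0.0.50"),
        "source_mac_mismatch": build_arp(ARP_REQUEST, attacker, BROADCAST, host, "10.0.0.50", zero, "10.0.0.1"),
        "zero_sender_ip": build_arp(ARP_REPLY, attacker, host, attacker, "0.0.0.0", host, "10.0.0.50"),
        "unknown_host": build_arp(ARP_REQUEST, attacker, BROADCAST, attacker, "10.0.0.99", zero, "10.0.0.1"),
    }
    verdicts = {name: insp.inspect(f, host_port)[0] for name, f in frames.items()}
    verdicts["trusted_uplink"] = insp.inspect(frames["spoofed_gateway_reply"], uplink)[0]
    return verdicts, insp.log


if __name__ == "__main__":
    results, log = demo()
    for name, verdict in results.items():
        print(f"{name:24s} {verdict}")
    print("\n".join(log))
```

The spoofed gateway reply is the classic poisoning case: the Ethernet and ARP headers are self-consistent, so only the binding lookup catches it, which is why an accurate ARP Inspection List (or DHCP snooping on the VLAN) matters more than the header checks. The same frame is forwarded untouched when it arrives on the trusted uplink, so mark only ports that lead to switches or routers you control as trusted.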
The ARP Inspection section contains the following screens:
• ARP Inspection Properties
• Defining Trusted Interfaces
• Defining the ARP Inspection List
• Assigning ARP Inspection VLAN Settings
Configuring Device Security
Configuring Management Security