Inspecting Arp Traffic - Cisco WS-C6506 Software Manual

Catalyst 6500 series switch
Using VACLs in Your Network
ARP traffic is permitted on each VLAN by default. You can disallow ARP traffic on a per-VLAN
basis using the set security acl ip acl_name deny arp command. When you enter this command,
ARP traffic is disallowed on the VLAN to which the ACL is mapped. To allow ARP traffic again on a
VLAN where it has been disallowed, enter the set security acl ip acl_name permit arp
command.

Inspecting ARP Traffic

Note: This feature is available only with Supervisor Engine 2 with PFC2, Supervisor Engine 720 with
PFC3A/PFC3B/PFC3BXL, and Supervisor Engine 32 with PFC3B/PFC3BXL.

These sections describe the ARP traffic-inspection feature:
Overview, page 15-30
Implementation, page 15-30
ARP Traffic-Inspection Configuration Guidelines, page 15-31
ARP Traffic-Inspection Configuration Procedures, page 15-32

Overview
ARP is a simple protocol that does not have an authentication mechanism, so there is no way to ensure
that the ARP requests and replies are genuine. Without an authentication mechanism, a malicious
user/host can corrupt the ARP tables of the other hosts on the same VLAN in a Layer 2 network or bridge
domain.
For example, user/Host A (the malicious user) can send unsolicited ARP replies (or gratuitous ARP
packets) to the other hosts on the subnet with the IP address of the default router and the MAC address
of Host A. With some earlier operating systems, even if a host already has a static ARP entry for the
default router, the newly advertised binding from Host A is learned. If Host A enables IP forwarding and
forwards all packets from the "spoofed" hosts to the router and vice versa, then Host A can carry out a
man-in-the-middle attack (for example, using the program dsniff) without the spoofed hosts realizing that all
of their traffic is being sniffed.
ARP traffic inspection allows you to configure a set of order-dependent rules within the security ACL
(VACL) framework to prevent the ARP table attacks.
Implementation
If a specific rule in ARP traffic inspection exists in the VACL on a VLAN, all ARP packets are
index-directed to the CPU through the ACEs in the VACL. The packets are inspected by the ARP
traffic-inspection task for conformance to the specified rules. The conforming packets are forwarded
while the nonconforming packets are dropped and logged (if logging is enabled).
The rules for ARP traffic inspection specify the ARP bindings for the specified IP addresses as shown
in the example that follows:
permit arp-inspection host 10.0.0.1 00-00-00-01-00-02
permit arp-inspection host 20.0.0.1 00-00-00-02-00-03
deny arp-inspection host 10.0.0.1 any
deny arp-inspection host 20.0.0.1 any
permit arp-inspection any any
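To make the first-match, order-dependent evaluation of these ACEs concrete, the following added example (not code from the manual or from Cisco) models the inspection task: it parses ACEs in the syntax shown above, evaluates constructed ARP packets against them in order, and logs the ones that would be dropped. The manual's five ACEs are used verbatim; the packets, the misordered rule set, and the choices that the sender IP/MAC pair is what is checked and that a packet matching no ACE is dropped are assumptions of this model, not statements from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The five ACEs from the manual's example, in the order the VACL lists them.
MANUAL_RULES = """
permit arp-inspection host 10.0.0.1 00-00-00-01-00-02
permit arp-inspection host 20.0.0.1 00-00-00-02-00-03
deny arp-inspection host 10.0.0.1 any
deny arp-inspection host 20.0.0.1 any
permit arp-inspection any any
"""

# Constructed misordering (not from the manual): a deny ACE placed before the
# permit it is supposed to follow, to show why ACE order matters.
MISORDERED_RULES = """
deny arp-inspection host 10.0.0.1 any
permit arp-inspection host 10.0.0.1 00-00-00-01-00-02
permit arp-inspection any any
"""

ACE_RE = re.compile(
    r"^(permit|deny)\s+arp-inspection\s+(?:host\s+(\S+)|(any))\s+(\S+)$"
)


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    ip: Optional[str]      # None means "any"
    mac: Optional[str]     # None means "any"; stored lower-case


def parse_aces(text: str) -> List[Ace]:
    """Parse arp-inspection ACEs written in the syntax the manual shows."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable ACE: {line!r}")
        action, ip, ip_any, mac = m.groups()
        aces.append(Ace(action,
                        None if ip_any else ip,
                        None if mac == "any" else mac.lower()))
    return aces


def inspect(aces: List[Ace], sender_ip: str, sender_mac: str):
    """First-match evaluation of one ARP packet's sender IP/MAC binding.
    Returns (action, index of the matching ACE). Model assumptions: the
    sender address pair is what is checked, and no match means drop."""
    mac = sender_mac.lower()
    for index, ace in enumerate(aces):
        if (ace.ip is None or ace.ip == sender_ip) and \
           (ace.mac is None or ace.mac == mac):
            return ace.action, index
    return "deny", None


def run_inspection(aces: List[Ace], packets):
    """Apply the ACEs to (sender_ip, sender_mac) packets; return the verdict
    per packet and a log line for each packet that would be dropped."""
    verdicts, log = [], []
    for ip, mac in packets:
        action, index = inspect(aces, ip, mac)
        verdicts.append(action)
        if action == "deny":
            log.append(f"dropped ARP from {ip} at {mac} (ACE {index})")
    return verdicts, log


# Constructed traffic: the genuine router bindings, a host claiming the
# router's IP with its own MAC (the gratuitous-reply case from the Overview),
# and an unrelated host that no specific ACE covers.
SAMPLE_PACKETS = [
    ("10.0.0.1", "00-00-00-01-00-02"),   # genuine binding -> permit (ACE 0)
    ("10.0.0.1", "00-00-00-AA-BB-CC"),   # spoofed router IP -> deny (ACE 2)
    ("20.0.0.1", "00-00-00-02-00-03"),   # genuine binding -> permit (ACE 1)
    ("10.0.0.77", "00-00-00-77-77-77"),  # unlisted host -> permit (ACE 4)
]

if __name__ == "__main__":
    verdicts, log = run_inspection(parse_aces(MANUAL_RULES), SAMPLE_PACKETS)
    print(verdicts)
    print("\n".join(log))
```

Evaluating the manual's list against the sample packets permits the two genuine router bindings and the unlisted host, and drops only the packet that pairs 10.0.0.1 with a foreign MAC. Evaluating the misordered list shows the failure mode of getting the order wrong: the deny for 10.0.0.1 is hit first, so even the genuine router binding is dropped, which is why each permit for a specific binding must precede the deny that covers the same IP.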
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, Chapter 15, Configuring Access Control, OL-8978-04, page 15-30

This manual is also suitable for: Catalyst 6506, Catalyst 6509, Catalyst 6513