Inspecting And Tracking Dhcp Packets; Dynamic Arp Inspection; Arp Attacks - Dell PowerConnect B-RX Configuration Manual
Bigiron rx series supporting multi-service ironware v02.7.03
Hide thumbs
Also See for PowerConnect B-RX:
- Configuration manual (1458 pages) ,
- Getting started manual (32 pages) ,
- Installation manual (240 pages)
Table of Contents
Advertisement
Inspecting and Tracking DHCP Packets
The features described in this chapter were introduced in software release 02.3.00 for the BigIron
RX Series devices.
For enhanced network security, you can configure the Brocade device to inspect and keep track of
Dynamic Host Configuration Protocol (DHCP) assignments. To do so, use the following features.
TABLE 162
Description
Dynamic ARP Inspection – Intercepts and examines all ARP request and response
packets in a subnet, and blocks all packets that have invalid IP to MAC address bindings
DHCP Snooping – Filters replay DHCP packets from untrusted ports (those connected to
host ports), and allows DHCP packets from trusted ports (those connected to DHCP
servers)
IP Source Guard – Permits traffic with valid source IP addresses only, which is learned
from Dynamic ARP Inspection or DHCP snooping
Dynamic ARP inspection
NOTE
This feature is only supported on Layer 3 code.
Dynamic ARP Inspection (DAI) enables the Brocade device to intercept and examine all ARP
request and response packets in a subnet and discard those packets with invalid IP to MAC
address bindings. DAI can prevent common man-in-the-middle (MiM) attacks such as ARP cache
poisoning, and disallow mis-configuration of client IP addresses.
ARP attacks
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a
MAC address. Before a host can talk to another host, it must map the IP address to a MAC address
first. If the host does not have the mapping in its ARP table, it sends an ARP request to resolve the
mapping. All computers on the subnet will receive and process the ARP requests, and the host
whose IP address matches the IP address in the request will send an ARP reply.
An ARP poisoning attack can target hosts, switches, and routers connected to the Layer 2 network
by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic
intended for other hosts on the subnet. For instance, a malicious host can reply to an ARP request
with its own MAC address, thereby causing other hosts on the same subnet to store this
information in their ARP tables or replace the existing ARP entry. Furthermore, a host can send
BigIron RX Series Configuration Guide
53-1001986-01
Chapter contents
Chapter
35
See page
page 983
page 988
page 992
983
Advertisement
Chapters
Table of Contents
