Chapter 21 Ip Source Guard; What You Need To Know About The Ip Source Guard Screens; Figure 79 Example: Man-In-The-Middle Attack - ZyXEL Communications ONU-2024 Series User Manual

Chapter 21 IP Source Guard

• The ARP Inspection VLAN Configure screen lets you enable ARP inspection on each
VLAN and specify when the ONU generates log messages for receiving ARP packets
from each VLAN (Section 21.5.2 on page 168).

21.1.2 What You Need to Know About the IP Source Guard Screens

The following terms and concepts may help as you read through this chapter.

ARP Inspection

Use ARP inspection to filter unauthorized ARP packets on the network. This can prevent
many kinds of man-in-the-middle attacks, such as the one in the following example.

Figure 79 Example: Man-in-the-middle Attack

In this example, computer B tries to establish a connection with computer A. Computer X is in
the same broadcast domain as computer A and intercepts the ARP request for computer A.
Then, computer X does the following things:
• It pretends to be computer A and responds to computer B.
• It pretends to be computer B and sends a message to computer A.
As a result, all the communication between computer A and computer B passes through
computer X. Computer X can read and alter the information passed between them.

ARP Inspection and MAC Address Filters

When the ONU identifies an unauthorized ARP packet, it automatically creates a MAC
address filter to block traffic from the source MAC address and source VLAN ID of the
unauthorized ARP packet. You can configure how long the MAC address filter remains in the
ONU.

These MAC address filters differ from regular MAC address filters (Chapter 10 on page
93) in the following ways:
• They are stored only in volatile memory.
• They do not use the same space in memory that regular MAC address filters use.
• They appear only in the ARP Inspection screens and commands, not in the MAC
Address Filter screens and commands.
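
The following Python model is an added illustration, not ZyXEL code or ONU configuration. It shows the behavior described above: an unauthorized ARP packet is dropped and a time-limited filter is created for its source MAC address and VLAN ID. How the ONU decides a packet is unauthorized is not stated in this section, so the IP-to-MAC binding table, the 300-second filter age, and all addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class ArpInspector:
    bindings: dict             # (vlan, ip) -> authorized MAC; assumed binding table
    filter_ttl: float = 300.0  # seconds a filter remains; constructed value
    filters: dict = field(default_factory=dict)  # (mac, vlan) -> expiry, memory only

    def inspect(self, now, vlan, src_mac, sender_ip):
        """Return the verdict for one ARP packet seen at time `now` (seconds)."""
        # Age out expired filters first: they are volatile and time-limited.
        self.filters = {k: t for k, t in self.filters.items() if t > now}
        if (src_mac, vlan) in self.filters:
            return "drop-filtered"          # blocked by an earlier violation
        if self.bindings.get((vlan, sender_ip)) != src_mac:
            # Unauthorized: create a filter keyed on source MAC and VLAN ID.
            self.filters[(src_mac, vlan)] = now + self.filter_ttl
            return "drop-unauthorized"
        return "forward"

# Constructed hosts matching Figure 79 (documentation-range addresses).
A = ("192.0.2.10", "00:00:5e:00:53:0a")
B = ("192.0.2.20", "00:00:5e:00:53:0b")
X = ("192.0.2.99", "00:00:5e:00:53:ff")

def run_constructed_trace():
    """Replay a constructed ARP sequence on VLAN 10 and return the verdicts."""
    insp = ArpInspector(bindings={(10, ip): mac for ip, mac in (A, B, X)})
    trace = [
        (0,   A[1], A[0]),  # A announces its own address
        (1,   X[1], A[0]),  # X claims A's IP with X's MAC
        (2,   X[1], B[0]),  # X claims B's IP; filter already active
        (3,   X[1], X[0]),  # even X's valid ARP is blocked while filtered
        (302, X[1], X[0]),  # filter has aged out; valid ARP passes again
        (303, B[1], B[0]),  # B was never affected
    ]
    return [insp.inspect(t, 10, mac, ip) for t, mac, ip in trace]

if __name__ == "__main__":
    for verdict in run_constructed_trace():
        print(verdict)
```

The model inspects ARP packets only; on the ONU the resulting filter blocks all traffic from that source MAC address and VLAN ID.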
