us that the host has just had a link-up event, such as a link bounce, a machine that has just been rebooted,
or an interface that you are just configuring up. If you see multiple gratuitous ARPs from the
same host frequently, it can indicate bad Ethernet hardware or cabling that results
in frequent link bounces.
Dynamic ARP inspection
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address
to a MAC address. A malicious user can attack hosts, switches, and routers connected to the
Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by
intercepting traffic intended for other hosts on the subnet.
Figure 9: Dynamic ARP inspection
In the preceding figure, hosts A, B, and C are connected to the switch on interfaces A, B, and
C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses;
for example, host A uses IP address IA and MAC address MA. When Host A needs to
communicate with Host B at the IP layer, it broadcasts an ARP request for the MAC address
associated with IP address IB. When the switch and Host B receive the ARP request, they
populate their ARP caches with an ARP binding for a host with the IP address IA and the MAC
address MA. When Host B responds, the switch and Host A populate their ARP caches with a
binding for a host with the IP address IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged
ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address
of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC
address for traffic intended for IA or IB, so Host C intercepts that traffic. Because
Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted
traffic to those hosts by using the correct MAC address as the destination. Host C has inserted
itself into the traffic stream from Host A to Host B: the classic man-in-the-middle attack.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It
intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This
capability protects the network from certain man-in-the-middle attacks.
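The following is an added example, not code from the Avaya document or from the ERS 4000 software. It models the two checks described above: a Dynamic ARP inspection decision (validate each ARP packet's sender IP-to-MAC binding against a trusted table, log and drop mismatches, let valid packets populate the ARP cache) and the gratuitous-ARP burst indicator from the earlier paragraph (many announcements from one host in a short window suggests link bounces). The packet representation, the trusted binding table (standing in for whatever table a real switch consults, such as one built from DHCP snooping), the sample addresses for hosts A, B, and C, and the burst threshold and window are all constructed assumptions for illustration.

```python
"""Added example (not from the Avaya document): a minimal model of Dynamic ARP
inspection plus a gratuitous-ARP burst indicator over constructed ARP packets.
Assumed, not on the page: the dict packet format, the trusted binding table,
the sample addresses, and the burst threshold/window values."""
from collections import defaultdict, deque

# Constructed sample addresses matching the figure: host A is (IA, MA), etc.
IA, MA = "10.0.0.1", "00:00:00:00:00:0a"
IB, MB = "10.0.0.2", "00:00:00:00:00:0b"
IC, MC = "10.0.0.3", "00:00:00:00:00:0c"

# Assumed trusted IP-to-MAC bindings the inspector validates against.
TRUSTED_BINDINGS = {IA: MA, IB: MB, IC: MC}

ARP_REQUEST, ARP_REPLY = 1, 2


def arp(op, sender_ip, sender_mac, target_ip, target_mac="00:00:00:00:00:00", t=0.0):
    """Build a constructed ARP packet (dict) carrying the fields inspection needs."""
    return {"op": op, "sender_ip": sender_ip, "sender_mac": sender_mac,
            "target_ip": target_ip, "target_mac": target_mac, "time": t}


def is_gratuitous(pkt):
    """A gratuitous ARP announces the sender's own binding: target IP == sender IP."""
    return pkt["sender_ip"] == pkt["target_ip"]


class DynamicArpInspector:
    """Validates ARP packets against a trusted binding table.

    Packets whose sender binding disagrees with the table are logged and
    dropped; valid ones are forwarded and used to populate the ARP cache.
    """

    def __init__(self, bindings, garp_threshold=3, garp_window=10.0):
        self.bindings = dict(bindings)
        self.arp_cache = {}            # learned IP -> MAC, as the switch or a host would
        self.log = []
        self.garp_threshold = garp_threshold   # assumed illustrative value
        self.garp_window = garp_window         # seconds, assumed illustrative value
        self._garp_times = defaultdict(deque)

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for pkt, updating the cache and log."""
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        expected = self.bindings.get(ip)
        if expected is None or expected.lower() != mac.lower():
            # Invalid IP-to-MAC binding: the poisoning attempt that inspection discards.
            self.log.append(f"DAI DROP op={pkt['op']} {ip} claimed by {mac}, expected {expected}")
            return "drop"
        self.arp_cache[ip] = mac
        if is_gratuitous(pkt):
            self._note_gratuitous(ip, pkt["time"])
        return "forward"

    def _note_gratuitous(self, ip, now):
        """Count gratuitous ARPs per host in a sliding window; a burst suggests link bounces."""
        times = self._garp_times[ip]
        times.append(now)
        while times and now - times[0] > self.garp_window:
            times.popleft()
        if len(times) >= self.garp_threshold:
            self.log.append(f"GARP BURST {ip}: {len(times)} in {self.garp_window}s, check link/cabling")

    def frequent_garp_hosts(self):
        """Hosts whose gratuitous-ARP count within the window reached the threshold."""
        return sorted(ip for ip, t in self._garp_times.items() if len(t) >= self.garp_threshold)


def run_figure_scenario():
    """Replay the figure: A resolves B, then C forges replies claiming IA and IB."""
    dai = DynamicArpInspector(TRUSTED_BINDINGS)
    results = [
        dai.inspect(arp(ARP_REQUEST, IA, MA, IB)),      # A asks who has IB
        dai.inspect(arp(ARP_REPLY, IB, MB, IA, MA)),    # B answers with its real binding
        dai.inspect(arp(ARP_REPLY, IA, MC, IB, MB)),    # C forges IA -> MC
        dai.inspect(arp(ARP_REPLY, IB, MC, IA, MA)),    # C forges IB -> MC
    ]
    return results, dict(dai.arp_cache), list(dai.log)


def run_link_bounce_scenario():
    """Three announcements from host C within 10 s trip the burst indicator; A's single one does not."""
    dai = DynamicArpInspector(TRUSTED_BINDINGS, garp_threshold=3, garp_window=10.0)
    for t in (0.0, 2.5, 4.0):
        dai.inspect(arp(ARP_REQUEST, IC, MC, IC, t=t))
    dai.inspect(arp(ARP_REQUEST, IA, MA, IA, t=5.0))
    return dai.frequent_garp_hosts()


if __name__ == "__main__":
    decisions, cache, log = run_figure_scenario()
    print(decisions, cache, *log, sep="\n")
    print("hosts with frequent gratuitous ARPs:", run_link_bounce_scenario())
```

In the figure scenario the two genuine packets are forwarded and populate the cache with IA to MA and IB to MB, while both forged replies from Host C are logged and dropped, so the cache never learns MC for IA or IB. The burst check only ever counts packets that already passed binding validation, which keeps a forged announcement from also being mistaken for a link problem.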
Troubleshooting Avaya ERS 4000 Series April 2014 37