Security
ARP Inspection
372 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
• Trusted — Packets are not inspected.
• Untrusted — Packets are inspected as described above.
ARP inspection is performed only on untrusted interfaces. ARP packets that are received on a trusted interface are simply forwarded.
Upon packet arrival on an untrusted interface, the following logic is implemented:
• Search the ARP access control rules for the packet's IP/MAC addresses. If the IP address is found and the MAC address in the list matches the packet's MAC address, the packet is valid; otherwise it is not.
• If the packet's IP address was not found, and DHCP Snooping is enabled for the packet's VLAN, search the DHCP Snooping Binding database for the packet's <VLAN - IP address> pair. If the <VLAN - IP address> pair was found, and the MAC address and the interface in the database match the packet's MAC address and ingress interface, the packet is valid.
• If the packet's IP address was not found in the ARP access control rules or in the DHCP Snooping Binding database, the packet is invalid and is dropped. A SYSLOG message is generated.
• If a packet is valid, it is forwarded and the ARP cache is updated.
If the ARP Packet Validation option is selected (Properties page), the following additional validation checks are performed:
• Source MAC — Compares the packet's source MAC address in the Ethernet header against the sender's MAC address in the ARP body. This check is performed on both ARP requests and responses.
• Destination MAC — Compares the packet's destination MAC address in the Ethernet header against the destination interface's MAC address. This check is performed for ARP responses only.
• IP Addresses — Checks the ARP body for invalid and unexpected IP addresses. These include 0.0.0.0, 255.255.255.255, and all IP Multicast addresses.
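The decision logic described above (trusted/untrusted handling, the ARP ACL and DHCP Snooping Binding lookups, and the optional ARP Packet Validation checks), modelled as an added Python example that is not the switch's own code. The tables, ports, VLANs and addresses are constructed samples, and the Destination MAC check is modelled as an assumption: the Ethernet destination MAC is compared against the target MAC carried in the ARP reply.

```python
from dataclasses import dataclass

# Constructed sample tables (all values are made up for this example).
ARP_ACL = {"10.0.0.5": "aa:aa:aa:aa:aa:05"}                          # IP -> permitted MAC
DHCP_BINDINGS = {(10, "10.0.0.7"): ("bb:bb:bb:bb:bb:07", "gi1/3")}   # (VLAN, IP) -> (MAC, port)
SNOOPING_VLANS = {10}          # VLANs with DHCP Snooping enabled
TRUSTED_PORTS = {"gi1/1"}      # ARP packets here are forwarded without inspection
LOG = []                       # stands in for SYSLOG

@dataclass
class ArpPacket:
    port: str          # ingress interface
    vlan: int
    eth_src: str       # Ethernet header source MAC
    eth_dst: str       # Ethernet header destination MAC
    sender_ip: str     # ARP body sender IP
    sender_mac: str    # ARP body sender MAC
    target_ip: str     # ARP body target IP
    target_mac: str = "00:00:00:00:00:00"
    is_reply: bool = False

def bad_ip(ip):
    # 0.0.0.0, 255.255.255.255 and any IPv4 multicast address (224.0.0.0/4)
    return ip in ("0.0.0.0", "255.255.255.255") or 224 <= int(ip.split(".")[0]) <= 239

def _drop(pkt, reason):
    LOG.append(f"ARP inspection drop on {pkt.port}: {pkt.sender_ip}/{pkt.sender_mac} ({reason})")
    return False, reason

def inspect(pkt, packet_validation=False):
    # Returns (forward, reason) following the order of checks in the guide.
    if pkt.port in TRUSTED_PORTS:
        return True, "trusted interface, forwarded without inspection"
    if pkt.sender_ip in ARP_ACL:                       # ARP access control rules first
        if ARP_ACL[pkt.sender_ip] != pkt.sender_mac:
            return _drop(pkt, "ARP ACL MAC mismatch")
        reason = "ARP ACL match"
    elif pkt.vlan in SNOOPING_VLANS and \
            DHCP_BINDINGS.get((pkt.vlan, pkt.sender_ip)) == (pkt.sender_mac, pkt.port):
        reason = "DHCP Snooping binding match"          # MAC and ingress port both match
    else:
        return _drop(pkt, "no binding found")
    if packet_validation:                              # optional Properties-page checks
        if pkt.eth_src != pkt.sender_mac:
            return _drop(pkt, "source MAC mismatch")
        # Destination MAC check, modelled as Ethernet dst vs ARP target MAC (assumption).
        if pkt.is_reply and pkt.eth_dst != pkt.target_mac:
            return _drop(pkt, "destination MAC mismatch")
        if bad_ip(pkt.sender_ip) or bad_ip(pkt.target_ip):
            return _drop(pkt, "invalid IP address in ARP body")
    return True, reason
```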
Packets with invalid ARP Inspection bindings are logged and dropped. 
Up to 1024 entries can be defined in the ARP Access Control table.