Security
ARP Inspection
360 Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
17
The following shows an example of ARP cache poisoning.
ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the
same subnet. Their IP, MAC addresses are shown in parentheses; for example, Host A uses IP
address IA and MAC address MA. When Host A needs to communicate with Host B at the IP
layer, it broadcasts an ARP request for the MAC address associated with IP address IB. Host B
responds with an ARP reply. The switch and Host A update their ARP cache with the MAC
and IP of Host B.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged
ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of
MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC
address for traffic intended for IA or IB, which enables Host C intercepts that traffic. Because
Host C knows the true MAC addresses associated with IA and IB, it can forward the
intercepted traffic to those hosts by using the correct MAC address as the destination. Host C
has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle
attack.
This section describes ARP Inspection and covers the following topics:
• How ARP Prevents Cache Poisoning
• Interaction Between ARP Inspection and DHCP Snooping
•ARP Defaults
• ARP Inspection Work Flow
To Next Page
Loading...
Need help?
General
