Security
ARP Inspection
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
• Properties
• Interfaces Settings
• ARP Access Control
• ARP Access Control Rules
• VLAN Settings
How ARP Inspection Prevents Cache Poisoning
The ARP inspection feature classifies each interface as either trusted or untrusted (see the Interfaces Settings page).
Interfaces are classified by the user as follows:
• Trusted — Packets are not inspected.
• Untrusted — Packets are inspected as described below.
ARP inspection is performed only on untrusted interfaces. ARP packets that are received on a trusted interface are simply forwarded.
Upon packet arrival on an untrusted interface, the following logic is applied:
• Search the ARP access control rules for the packet's IP address. If the IP address is found and the MAC address in the rule matches the packet's MAC address, the packet is valid; if the IP address is found but the MAC address does not match, the packet is invalid.
• If the packet's IP address was not found in the rules, and DHCP Snooping is enabled for the packet's VLAN, search the DHCP Snooping Binding database for the packet's <VLAN - IP address> pair. If the <VLAN - IP address> pair is found, and the MAC address and the interface in the database match the packet's MAC address and ingress interface, the packet is valid.
• If the packet's IP address was not found in the ARP access control rules or in the DHCP Snooping Binding database, the packet is invalid and is dropped. A SYSLOG message is generated.
• If a packet is valid, it is forwarded and the ARP cache is updated.
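The decision flow above, modelled in Python as an added example (this is not switch firmware code from the guide). The ARP access control rules, the DHCP Snooping Binding database, the trusted-interface set and the sample packets are all constructed here; the model logs a SYSLOG line for every drop, including rule or binding mismatches, which the guide only states explicitly for the not-found case.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    vlan: int          # VLAN the packet arrived on
    ingress_if: str    # ingress interface name, e.g. "gi2"
    sender_ip: str     # sender protocol address carried in the ARP payload
    sender_mac: str    # sender hardware address carried in the ARP payload


class ArpInspector:
    """Constructed model of the trusted/untrusted ARP inspection decision flow."""

    def __init__(self, trusted_ifs, acl_rules, dhcp_snooping_vlans, binding_db):
        self.trusted_ifs = set(trusted_ifs)                  # interfaces whose ARP traffic is not inspected
        self.acl_rules = dict(acl_rules)                     # ARP access control rules: IP -> MAC
        self.dhcp_snooping_vlans = set(dhcp_snooping_vlans)  # VLANs with DHCP Snooping enabled
        self.binding_db = dict(binding_db)                   # DHCP Snooping bindings: (VLAN, IP) -> (MAC, interface)
        self.syslog = []                                     # SYSLOG messages emitted for dropped packets
        self.arp_cache = {}                                  # IP -> MAC, updated only by valid inspected packets

    def inspect(self, pkt: ArpPacket) -> str:
        if pkt.ingress_if in self.trusted_ifs:
            return "forward"                                 # trusted interface: forwarded without inspection
        rule_mac = self.acl_rules.get(pkt.sender_ip)         # step 1: ARP access control rules
        if rule_mac is not None:
            if rule_mac.lower() == pkt.sender_mac.lower():
                return self._accept(pkt)
            return self._drop(pkt, "MAC does not match ARP access control rule")
        if pkt.vlan in self.dhcp_snooping_vlans:             # step 2: DHCP Snooping Binding database
            entry = self.binding_db.get((pkt.vlan, pkt.sender_ip))
            if entry is not None:
                bound_mac, bound_if = entry
                if bound_mac.lower() == pkt.sender_mac.lower() and bound_if == pkt.ingress_if:
                    return self._accept(pkt)
                return self._drop(pkt, "MAC or interface does not match DHCP Snooping binding")
        return self._drop(pkt, "IP address not found in rules or binding database")  # step 3

    def _accept(self, pkt: ArpPacket) -> str:
        self.arp_cache[pkt.sender_ip] = pkt.sender_mac       # valid: forward and update the ARP cache
        return "forward"

    def _drop(self, pkt: ArpPacket, reason: str) -> str:
        self.syslog.append(f"ARP inspection: dropped ARP on {pkt.ingress_if} vlan {pkt.vlan} "
                           f"ip {pkt.sender_ip} mac {pkt.sender_mac}: {reason}")
        return "drop"
```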