Security
ARP Inspection
323 Cisco Sx350, SG350X, SG350XG, Sx550X & SG550XG Series Managed Switches, Firmware Release 2.2.5.x
16
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the
same subnet. Their IP, MAC addresses are shown in parentheses; for example, Host A uses IP
address IA and MAC address MA. When Host A needs to communicate with Host B at the IP
layer, it broadcasts an ARP request for the MAC address associated with IP address IB. Host B
responds with an ARP reply. The switch and Host A update their ARP cache with the MAC
and IP of Host B.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged
ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of
MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC
address for traffic intended for IA or IB, which enables Host C intercepts that traffic. Because
Host C knows the true MAC addresses associated with IA and IB, it can forward the
intercepted traffic to those hosts by using the correct MAC address as the destination. Host C
has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle
attack.
This section describes ARP Inspection and covers the following topics:
• How ARP Prevents Cache Poisoning
• Interaction Between ARP Inspection and DHCP Snooping
•ARP Defaults
• ARP Inspection Work Flow
• Properties
• Interfaces Settings
• Interfaces Settings
• ARP Access Control
• ARP Access Control Rules
• VLAN Settings
How ARP Prevents Cache Poisoning
The ARP inspection feature relates to interfaces as either trusted or untrusted (see Interfaces
Settings page).
Interfaces are classified by the user as follows:
• Trusted — Packets are not inspected.
• Untrusted —Packets are inspected as described above.
To Next Page
Loading...
Need help?
General
