
D-Link xStack DGS-3610 Series User Manual

D-Link xStack DGS-3610 Series
703 pages
Chapter 43 Dynamic ARP Inspection Configuration DGS-3610 Series Configuration Guide
43-2
buffer using IPA and MACA, and sends an ARP response. Upon receiving this response,
device A updates its ARP buffer using IPB and MACB.
With this model, device C can corrupt the IP-to-MAC mappings held in the ARP entries of
device A and device B. It continuously broadcasts ARP responses to the network in which the
IP address is IPA/IPB and the MAC address is MACC. As a result, the ARP entry (IPB, MACC)
exists in device A, and the ARP entry (IPA, MACC) exists in device B.
Communication between device A and device B becomes communication with device C,
without devices A and B being aware of it. Device C acts as an intermediary: it modifies
the received packets as needed and forwards them to the other device. This is the well-known
intermediary (man-in-the-middle) attack.
43.1.2 Understanding DAI and ARP Spoofing Attacks
DAI ensures that only legal ARP packets are forwarded by the device. It mainly performs the
following operations:
- Intercept all ARP request and response packets on untrusted ports that belong to a
  VLAN with the DAI inspection function enabled.
- Check the validity of the intercepted ARP packets against the DHCP snooping binding
  database before further processing.
- Discard the packets that do not pass the inspection.
- Process the packets that pass the inspection appropriately and send them to their
  destinations.
Validity of ARP packets is checked according to the DHCP snooping binding database. For
details, refer to the configuration guide DHCP Snooping Configuration.
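
The inspection steps above, modeled as an added example (not code from the manual and not the switch's own implementation). The VLAN, port names, addresses and the binding-table layout keyed by VLAN, port and sender IP are assumptions constructed for the demonstration.

```python
import struct
from ipaddress import IPv4Address

# Constructed sample state (assumptions, not values from the manual).
DAI_VLANS = {10}              # VLANs with DAI inspection enabled
TRUSTED_PORTS = {"Gi0/24"}    # trusted port: ARP is not intercepted here
# Model of the DHCP snooping binding database: (vlan, port, IP) -> MAC
BINDINGS = {
    (10, "Gi0/1", IPv4Address("192.0.2.10")): "00:00:5e:00:53:0a",
    (10, "Gi0/2", IPv4Address("192.0.2.11")): "00:00:5e:00:53:0b",
}

def parse_arp(payload: bytes):
    """Return (opcode, sender_mac, sender_ip) from an Ethernet/IPv4 ARP body."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        raise ValueError("not an Ethernet/IPv4 ARP request or response")
    sender_mac = ":".join(f"{b:02x}" for b in payload[8:14])
    return oper, sender_mac, IPv4Address(payload[14:18])

def inspect(vlan: int, port: str, payload: bytes) -> str:
    """Model of the DAI decision for one ARP packet: 'forward' or 'drop'."""
    if vlan not in DAI_VLANS or port in TRUSTED_PORTS:
        return "forward"      # packet is not intercepted at all
    try:
        _, sender_mac, sender_ip = parse_arp(payload)
    except ValueError:
        return "drop"         # malformed ARP cannot be validated
    # Valid only if the sender IP/MAC pair matches the binding on this VLAN and port.
    if BINDINGS.get((vlan, port, sender_ip)) == sender_mac:
        return "forward"
    return "drop"

def build_arp(oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed ARP body used only as sample input."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + mac(sha)
            + IPv4Address(spa).packed + mac(tha) + IPv4Address(tpa).packed)

if __name__ == "__main__":
    ok = build_arp(2, "00:00:5e:00:53:0a", "192.0.2.10", "00:00:5e:00:53:0b", "192.0.2.11")
    bad = build_arp(2, "00:00:5e:00:53:0b", "192.0.2.10", "00:00:5e:00:53:0a", "192.0.2.11")
    print(inspect(10, "Gi0/1", ok), inspect(10, "Gi0/2", bad))
```

The second packet claims an IP address that the binding table assigns to a different port and MAC, which is the mismatch the validity check is there to catch.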
43.1.3 Understanding DAI Global Switches
Typically, packets are forwarded by hardware, while the DAI function must be implemented
by software. Therefore, for ARP packets:
- When the DAI global switch is turned on, all ARP packets are processed by software
  and cannot be forwarded by the hardware.
- When the DAI global switch is turned off, the hardware, instead of the software,
  forwards ARP packets within the VLAN, and DAI inspection is not performed on the ARP
  packets sent to the local system.
Note that the global switch only determines whether incoming and outgoing ARP packets
are checked.
For specific configuration commands, refer to ip arp inspection.
