Name: Enterasys b5
Brand: Enterasys
Rating: 4 (1 reviews)

To Next Page

To Previous Page

Dynamic ARP Inspection Overview

17-16 DHCP Snooping and Dynamic ARP Inspection

Dynamic ARP Inspection Overview

DynamicARPinspection(DAI)isasecurityfeaturethatrejectsinvalidandmaliciousARP

packets.Thefeaturepreventsaclassofman‐in‐the‐middleattackswhereanunfriendlystation

interceptstrafficforotherstationsbypoisoningtheARPcachesofitsunsuspectingneighbors.

ARPpoisoningisatacticwherean

attackerinjectsfalseARPpacketsintothesubnet,normallyby

broadcastingARPresponsesinwhichtheattackerclaimstobe someoneelse.Bypoisoningthe

ARPcache,amalicioususercaninterceptthetrafficintendedforotherhostsonthenetwork.

TheDynamicARPInspectionapplicationperformsARPpacketvalidation.

WhenDAIisenabled,

itverifiesthatthesenderMACaddressandthesourceIPaddressareavalidpairintheDHCP

snoopingbindingdatabaseanddropsARPpacketswhosesenderMACaddressandsenderIP

addressdonotmatchanentryinthe database.AdditionalARPpacketvalidationcan

be

configured.

IfDHCPsnoopingisdisabledontheingressVLANorthereceiveinterfaceistrustedforDHCP

snooping,ARPpacketsaredropped.

Functional Description

DAIisenabledonVLANs,effectivelyenablingDAIontheinterfaces(physicalports orLAGs)that

aremembersofthatVLAN.Individualinterfacesareconfiguredastrustedoruntrusted.Thetrust

configurationforDAIisindependentofthetrustconfigurationforDHCPsnooping.Atrusted

portisaportthenetwork

administratordoesnotconsidertobeasecuritythreat.Anuntrusted

portisonewhichcouldpotentiallybeusedtolaunchanetworkattack.

DAIconsidersallphysicalportsandLAGsuntrustedbydefault.

Static Mappings

StaticmappingsareusefulwhenhostsconfigurestaticIPaddresses,DHCPsnoopingcannotbe

run,orotherswitchesinthenetworkdonotrundynamicARPinspection.Astaticmapping

associatesanIPaddresstoaMACaddressonaVLAN.DAIconsultsitsstaticmappingsbeforeit

consultsDHCPsnooping

—thus,staticmappingshaveprecedenceoverDHCPsnooping

bindings.

ARPACLsareusedtodefinestaticmappingsforDAI.Inthisimplementation,onlythesubsetof

ARPACLsyntaxrequiredforDAIissupported.ARPACLsarecompletelyindependentofACLs

usedforQoS.Amaximumof100ARP

ACLscanbeconfigured.WithinanACL,amaximumof20

rulescanbeconfigured.

Optional ARP Packet Validation

IfoptionalARPpacketvalidationhasbeenconfigured,DAIverifiesthatthesenderMACaddress

equalsthesourceMACaddressintheEthernetheader.Additionally,theoptiontoverifythatthe

targetMACaddressequalsthedestinat ionMACaddressintheEthernetheadercanbe

configured.Thischeckonlyappliesto

ARPresponses,sincethetargetMACaddressis

unspecifiedinARPrequests.

YoucanalsoenableIPaddresschecking.Whenthisoptionisenabled,DAIdropsARPpackets

withaninvalidIPaddress.ThefollowingIPaddressesareconsideredinvalid:

• 0.0.0.0

• 255.255.255.255

•AllIPmulticastaddresses

•AllclassEaddresses(240.0.0.0/4)

Brand

Enterasys

Model

Enterasys b5 User Manual

Table of Contents

Questions and Answers:

Enterasys b5 Specifications

Brand	Enterasys
Model	b5
Category	Other
Language	English