Enterasys SecureStack C2 C2G170-24 - Dynamic ARP Inspection Overview; Functional Description

Enterasys SecureStack C2 C2G170-24

698 pages

To Next Page

To Next Page

To Previous Page

To Previous Page

Loading...

Dynamic ARP Inspection Overview

17-16 DHCP Snooping and Dynamic ARP Inspection

Dynamic ARP Inspection Overview

DynamicARPinspection(DAI)isasecurityfeaturethatrejectsinvalidandmaliciousARP

packets.Thefeaturepreventsaclassofman‐in‐the‐middleattackswhereanunfriendlystation

interceptstrafficforotherstationsbypoisoningtheARPcachesofitsunsuspectingneighbors.

ARPpoisoningisatacticwherean

attackerinjectsfalseARPpacketsintothesubnet,normallyby

broadcastingARPresponsesinwhichtheattackerclaimstobe someoneelse.Bypoisoningthe

ARPcache,amalicioususercaninterceptthetrafficintendedforotherhostsonthenetwork.

TheDynamicARPInspectionapplicationperformsARPpacketvalidation.

WhenDAIisenabled,

itverifiesthatthesenderMACaddressandthesourceIPaddressareavalidpairintheDHCP

snoopingbindingdatabaseanddropsARPpacketswhosesenderMACaddressandsenderIP

addressdonotmatchanentryinthedatabase.AdditionalARPpacketvalidationcan

be

configured.

IfDHCPsnoopingisdisabledontheingressVLANorthereceiveinterfaceistrustedforDHCP

snooping,ARPpacketsaredropped.

Functional Description

DAIisenabledonVLANs,effectivelyenablingDAIontheinterfaces(physicalportsorLAGs)that

aremembersofthatVLAN.Individualinterfacesareconfiguredastrustedoruntrusted.Thetrust

configurationforDAIisindependentofthetrustconfigurationforDHCPsnooping.Atrusted

portisaportthenetwork

administratordoesnotconsidertobeasecuritythreat.Anuntrusted

portisonewhichcouldpotentiallybeusedtolaunchanetworkat tack.

DAIconsidersallphysicalportsandLAGsuntrustedbydefault.

Static Mappings

StaticmappingsareusefulwhenhostsconfigurestaticIPaddresses,DHCPsnoopingcannotbe

run,orotherswitchesinthenetworkdonotrundynamicARPinspection.Astaticmapping

associatesanIPaddresstoaMACaddressonaVLAN.DAIconsultsitsstaticmappingsbeforeit

consultsDHCPsnooping

—thus,staticmappingshaveprecedenceoverDHCPsnooping

bindings.

ARPACLsareusedtodefinestaticmappingsforDAI.Inthisimplementation,onlythesubsetof

ARPACLsyntaxrequiredforDAIissupported.ARPACLsarecompletelyindependentofACLs

usedforQoS.Amaximumof100ARP

ACLscanbeconfigured.WithinanACL,amaximumof20

rulescanbeconfigured.

Optional ARP Packet Validation

IfoptionalARPpacketvalidationhasbeenconfigured,DAIverifiesthatthesenderMACaddress

equalsthesourceMACaddressintheEthernetheader.Additionally,theoptiontoverifythatthe

targetMACaddressequalsthedestinat ionMACaddressintheEthernetheadercanbe

configured.Thischeckonlyappliesto

ARPresponses,sincethetargetMACaddressis

unspecifiedinARPrequests.

YoucanalsoenableIPaddresschecking.Whenthisoptionisenabled,DAIdropsARPpackets

withaninvalidIPaddress.ThefollowingIPaddressesareconsideredinvalid:

• 0.0.0.0

• 255.255.255.255

•AllIPmulticastaddresses

•AllclassEaddresses(240.0.0.0/4)

Table of Contents

Other manuals for Enterasys SecureStack C2 C2G170-24

Hardware Installation Guide74 pages

Related product manuals

Preview: SecureStack C2 C2G124-24

SecureStack C2 C2G124-24

Preview: Enterasys SecureStack C2

Enterasys SecureStack C2

Preview: SecureStack A2 A2H124-24

SecureStack A2 A2H124-24

Preview: SecureStack B3 B3G124-48

SecureStack B3 B3G124-48

SecureStack A2 A2H254-16

Preview: SecureStack B3 B3G124-24P

SecureStack B3 B3G124-24P

Preview: SecureStack B2 B2G124-48P

SecureStack B2 B2G124-48P

Enterasys SSA-G1018-0652

Preview: Enterasys C3G124-24

Enterasys C3G124-24

Preview: Enterasys B5G124-24

Enterasys B5G124-24

Preview: Enterasys 08H20G4-24

Enterasys 08H20G4-24

Preview: Enterasys Matrix-V V2H124-24

Enterasys Matrix-V V2H124-24