22-2
Catalyst 3560 Switch Software Configuration Guide
OL-8553-06
Chapter 22 Configuring Dynamic ARP Inspection
Understanding Dynamic ARP Inspection
Figure 22-1 ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same
subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA
and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an
ARP request for the MAC address associated with IP address IB. When the switch and Host B receive
the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA
and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B
responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address
IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP
responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts
with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended
for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC
addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the
correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to
Host B, the classic man-in-the middle attack.
Dynamic ARP inspection is a security feature that validates ARP packets in a network. It intercepts,
logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the
network from certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch
performs these activities:
Intercepts all ARP requests and responses on untrusted ports
Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before
updating the local ARP cache or before forwarding the packet to the appropriate destination
Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address
bindings stored in a trusted database, the DHCP snooping binding database. This database is built by
DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is
received on a trusted interface, the switch forwards the packet without any checks. On untrusted
interfaces, the switch forwards the packet only if it is valid.
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan
vlan-range global configuration command. For configuration information, see the “Configuring
Dynamic ARP Inspection in DHCP Environments” section on page 22-7.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured
ARP access control lists (ACLs) for hosts with statically configured IP addresses. You define an ARP
ACL by using the arp access-list acl-name global configuration command. For configuration
information, see the “Configuring ARP ACLs for Non-DHCP Environments” section on page 22-8. The
switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped
Packets” section on page 22-4.
AB
C
Host A
(IA, MA)
Host B
(IB, MB)
Host C (man-in-the-middle)
(IC, MC)
111750