CHAPTER 23

Configuring Dynamic ARP Inspection

This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3750-E or 3560-E switch. This feature helps prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN. Unless otherwise noted, the term switch refers to a Catalyst 3750-E or 3560-E standalone switch and to a Catalyst 3750-E switch stack.

Note: For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.

This chapter consists of these sections:

Understanding Dynamic ARP Inspection, page 23-1

Configuring Dynamic ARP Inspection, page 23-5

Displaying Dynamic ARP Inspection Information, page 23-14

Understanding Dynamic ARP Inspection

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, Host B wants to send information to Host A but does not have the MAC address of Host A in its ARP cache. Host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of Host A. All hosts within the broadcast domain receive the ARP request, and Host A responds with its MAC address. However, because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.

A malicious user can attack hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure 23-1 shows an example of ARP cache poisoning.
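A passive check for the two symptoms described above, an ARP reply that answers no request and an IP address whose claimed MAC address changes, as an added Python example (not Cisco's code, and not the switch's implementation of dynamic ARP inspection). The function and class names, the 192.0.2.x addresses, and the MAC addresses are constructed for illustration.

```python
import socket
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed Ethernet/IPv4 ARP payload for the demo (never sent)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha.replace(":", "")), socket.inet_aton(spa),
                       bytes.fromhex(tha.replace(":", "")), socket.inet_aton(tpa))

def parse_arp(payload):
    """Parse the 28-byte Ethernet/IPv4 ARP payload; reject anything else."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

class ArpMonitor:
    def __init__(self):
        self.bindings = {}    # sender IP -> first MAC seen claiming it
        self.pending = set()  # (requester IP, requested IP) awaiting a reply

    def observe(self, payload):
        """Return a list of alert strings for one ARP payload."""
        op, sha, spa, tpa = parse_arp(payload)
        alerts = []
        if op == ARP_REQUEST:
            self.pending.add((spa, tpa))
        elif op == ARP_REPLY:
            if (tpa, spa) in self.pending:
                self.pending.discard((tpa, spa))
            else:
                alerts.append("unsolicited reply for " + spa)
        known = self.bindings.setdefault(spa, sha)
        if known != sha:
            alerts.append(f"{spa} moved from {known} to {sha}")
        return alerts

def demo():
    # Constructed hosts: A owns 192.0.2.1, B owns 192.0.2.2, C is a third station.
    a, b, c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    frames = [
        build_arp(ARP_REQUEST, b, "192.0.2.2", "00:00:00:00:00:00", "192.0.2.1"),
        build_arp(ARP_REPLY, a, "192.0.2.1", b, "192.0.2.2"),   # A answers B
        build_arp(ARP_REPLY, c, "192.0.2.1", b, "192.0.2.2"),   # no request pending
    ]
    mon = ArpMonitor()
    return [mon.observe(f) for f in frames]
```

The first binding seen is treated as the baseline here, so a legitimate address change also raises the second alert and needs an allow-list or ageing policy in practice.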

Catalyst 3750-E and 3560-E Switch Software Configuration Guide

 

OL-9775-02

23-1