Configuring Device Security
Defining Dynamic ARP Inspection
ESW 500 Series Switches Administration Guide 202
- VLAN — Indicates that DHCP Snooping is not enabled on the VLAN.
- Trusted Port — Indicates the port is a trusted port.
- Resource Problem — Indicates that the TCAM is full.
STEP 4 Define the relevant fields. Click Apply, and the device is updated.

Defining Dynamic ARP Inspection

Dynamic Address Resolution Protocol (ARP) is a TCP/IP protocol for translating IP addresses into MAC addresses. Classic ARP does the following:
• Permits two hosts on the same network to communicate and send packets.
• Permits two hosts on different networks to communicate via a gateway.
• Permits routers to send packets via a host to a different router on the same network.
• Permits routers to send packets to a destination host via a local host.
ARP Inspection intercepts, discards, and logs ARP packets that contain invalid IP-to-MAC address bindings. This prevents man-in-the-middle attacks in which forged ARP packets are injected into the subnet. Packets are classified as:
• Trusted — Indicates that the interface IP and MAC address are recognized and recorded in the ARP Inspection List. Trusted packets are forwarded without ARP Inspection.
• Untrusted — Indicates that the packet arrived from an interface that does not have a recognized IP and MAC address. The packet is checked for:
- Source MAC — Compares the packet's source MAC address in the Ethernet header against the sender's MAC address in the ARP request. This check is performed on both ARP requests and responses.
- Destination MAC — Compares the packet's destination MAC address in the Ethernet header against the destination interface's MAC address. This check is performed for ARP responses.
- IP Addresses — Checks the ARP body for invalid and unexpected IP addresses. Invalid addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
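As an added illustration, not taken from the guide or the switch firmware, the following Python models the checks applied to a packet from an untrusted port (source MAC, destination MAC on replies, invalid IP addresses) followed by a lookup against recognized IP-to-MAC pairs; the frame builder, the `bindings` dictionary and the `trusted_port` flag are assumptions standing in for the switch's own tables.

```python
import struct
import ipaddress

# Minimal Ethernet II + ARP (IPv4 over Ethernet) parser and DAI-style checks.
# The trusted-port flag and binding table are plain Python values (assumption).

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip4(s: str) -> bytes:
    return ipaddress.IPv4Address(s).packed

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Construct a 42-byte ARP frame (op 1 = request, 2 = reply) as test input."""
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sha), ip4(spa), mac(tha), ip4(tpa))
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806 or len(frame) < 42:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": dst, "eth_src": src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def invalid_ip(packed: bytes) -> bool:
    """0.0.0.0, 255.255.255.255 and multicast addresses are never valid in an ARP body."""
    a = ipaddress.IPv4Address(packed)
    return a.is_unspecified or a == ipaddress.IPv4Address("255.255.255.255") or a.is_multicast

def inspect_arp(frame: bytes, trusted_port: bool, bindings: dict) -> tuple:
    """Return ("forward"|"drop", reason). bindings maps packed IP -> MAC (the ARP Inspection List)."""
    if trusted_port:                                  # trusted interfaces bypass inspection
        return ("forward", "trusted port")
    p = parse_arp(frame)
    if p["eth_src"] != p["sha"]:                      # checked on requests and replies
        return ("drop", "source MAC mismatch")
    if p["op"] == 2 and p["eth_dst"] != p["tha"]:     # checked on replies only
        return ("drop", "destination MAC mismatch")
    if invalid_ip(p["spa"]) or (p["op"] == 2 and invalid_ip(p["tpa"])):
        return ("drop", "invalid IP address")
    if bindings.get(p["spa"]) != p["sha"]:            # recognized IP/MAC pairs only
        return ("drop", "no matching IP-to-MAC binding")
    return ("forward", "valid")
```

On a real switch the binding table is populated by DHCP Snooping, which is why the reason codes above list a VLAN without DHCP Snooping enabled.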