Cisco Systems IE 2000

26-2

Cisco IE 2000 Switch Software Configuration Guide

OL-25866-01

Chapter 26 Configuring Dynamic ARP Inspection

Information About Dynamic ARP Inspection

because ARP allows a gratuitous reply from a host even if an ARP request was not received, an ARP

spoofing attack and the poisoning of ARP caches can occur. After the attack, all traffic from the device

under attack flows through the attacker’s computer and then to the router, switch, or host.

A malicious user can attack hosts, switches, and routers connected to you r Layer 2 network by poisoning

the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts

on the subnet. Figure 26-1 shows an example of ARP cache poisoning.

Figure 26-1 ARP Cache Poisoning

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same

subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA

and MAC address MA. When Host A needs to communicate to Host B a t the IP layer, it broadcasts an

ARP request for the MAC address associated with IP address IB. When the switch and Host B receive

the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA

and a MAC address MA; for example, IP address IA is bound to MAC address MA. W hen Host B

responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address

IB and the MAC address MB.

Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP

responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts

with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended

for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC

addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the

correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to

Host B, the classic man-in-the middle attack.

DAI is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP

packets with invalid IP-to-MAC address bindings. This capability protects the network from certain

man-in-the-middle attacks.

DAI ensures that only valid ARP requests and responses are relayed. The switch performs these

activities:

• Intercepts all ARP requests and responses on untrusted ports

• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before

updating the local ARP cache or before forwarding the packet to the appropriate destination

• Drops invalid ARP packets

DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a

trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if

DHCP snooping is enabled on the VLANs and on the switch. If the ARP packet is received on a trusted

interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch

forwards the packet only if it is valid.

Host A

(IA, MA)

Host B

(IB, MB)

Host C (man-in-the-middle)

(IC, MC)

111750