19-2
Cisco ME 3400 EthernetAccess Switch SoftwareConfiguration Guide
78-17058-01
Chapter19 Configuring Dynamic ARP Inspection
Understanding Dynamic ARP Inspection
Figure19-1 ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same
subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA
and MAC address MA. When Host A needs to communicate to Host B a t t he I P l aye r, it broadc asts an
ARP request for the MAC address associated with IP address IB. When the switch and Host B receive
the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA
and a MAC address MA; for example, IP address IA is bound to MAC address MA. W he n Ho st B
responds, the switch and Host A populate their ARP caches with a bindin g for a host with th e IP a ddress
IB and the MAC address MB.
Host C can poison the ARP caches of the switch, Host A, and Host B by broa dcast ing fo rged ARP
responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts
with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended
for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC
addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the
correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to
Host B, the classic man-in-the middle attack.
Dynamic ARP inspection is a security feature that validates ARP packets in a ne twork. It interc epts, logs,
and discards ARP packets with invalid IP-to-MAC address bindings. This ca pability protects the netw ork
from certain man-in-the-middle attacks.
Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch
performs these activities:
Intercepts all ARP requests and responses on untrusted ports
Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before
updating the local ARP cache or before forwarding the packet to the appropriate destination
Drops invalid ARP packets
Dynamic ARP inspection determines the validity of an ARP packet based on valid IP-to-MAC address
bindings stored in a trusted database, the DHCP snooping binding database. This database is built by
DHCP snooping if DHCP snooping is enabled on the VLANs and on the swi tch . If the ARP pa cket is
received on a trusted interface, the switch forwards the packet without any checks. On untrusted
interfaces, the switch forwards the packet only if it is valid.
You enable dynamic ARP inspection on a per-VLAN basis by using the ip arp inspection vlan
vlan-range global configuration command. For configuration information, see the “Configuring
Dynamic ARP Inspection in DHCP Environments” section on page 19-7.
In non-DHCP environments, dynamic ARP inspection can validate ARP packets against user-configured
ARP access control lists (ACLs) for hosts with statically configured IP addresses. You define an ARP
ACL by using the arp access-list acl-name global configuration command. For configuration
information, see the “Configuring ARP ACLs for Non-DHCP Environments” section on page 19-8. The
switch logs dropped packets. For more information about the log buffer, see the “Logging of Dropped
Packets” section on page 19-4.
AB
C
Host A
(IA, MA) Host B
(IB, MB)
Host C (man-in-the-middle)
(IC, MC)
111750