Security
ARP Inspection
374 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
18
The following shows an example of ARP cache poisoning.

ARP Cache Poisoning

Hosts A, B, and C are connected to the switch on interfaces A, B, and C, all of which
are on the same subnet. Their IP and MAC addresses are shown in parentheses; for
example, Host A uses IP address IA and MAC address MA. When Host A needs to
communicate with Host B at the IP layer, it broadcasts an ARP request for the MAC
address associated with IP address IB. Host B responds with an ARP reply. The
switch and Host A update their ARP caches with the MAC and IP addresses of Host B.
Host C can poison the ARP caches of the switch, Host A, and Host B by
broadcasting forged ARP responses that bind the IP address IA (or IB) to the MAC
address MC. Hosts with poisoned ARP caches use MC as the destination MAC
address for traffic intended for IA or IB, which enables Host C to intercept that
traffic. Because Host C knows the true MAC addresses associated with IA and IB,
it can forward the intercepted traffic to those hosts using the correct destination
MAC address. Host C has thus inserted itself into the traffic stream from Host A to
Host B, the classic man-in-the-middle attack.
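The following is an added illustration, not code from the Cisco guide or the switch firmware, of the check an ARP inspection step performs on the scenario above: each ARP packet seen on an untrusted interface is compared against a table of valid IP-to-MAC bindings, and a packet whose sender pair does not match is dropped before it can update any ARP cache. The addresses for IA/MA, IB/MB, IC/MC, the interface names, and the hand-built binding table are constructed for the example (on a real switch such a table is typically populated from DHCP snooping or configured statically, which this example does not model). The trusted-interface bypass is included so the caveat is visible: anything arriving on an interface marked trusted is forwarded without inspection.

```python
"""Model of the ARP inspection check applied to the Host A / B / C scenario.

Each ARP packet carries only the fields the check needs: the ingress
interface and the sender IP/MAC pair from the ARP payload.  BINDINGS stands
in for the switch's table of valid IP-to-MAC pairs and is constructed here.
"""
from dataclasses import dataclass

# Constructed addresses for the hosts named in the text (IA/MA, IB/MB, IC/MC).
IA, MA = "10.0.0.1", "00:00:00:00:00:0a"
IB, MB = "10.0.0.2", "00:00:00:00:00:0b"
IC, MC = "10.0.0.3", "00:00:00:00:00:0c"

# Valid IP-to-MAC bindings the inspection step consults (constructed).
BINDINGS = {IA: MA, IB: MB, IC: MC}

# Interfaces the administrator marks as trusted; all others are untrusted.
# Interface names are hypothetical.
TRUSTED = {"uplink1"}


@dataclass
class ArpPacket:
    ingress: str      # interface the packet arrived on
    op: str           # "request" or "reply"
    sender_ip: str    # sender protocol address from the ARP payload
    sender_mac: str   # sender hardware address from the ARP payload
    target_ip: str    # target protocol address


def inspect(pkt, bindings=BINDINGS, trusted=TRUSTED):
    """Return ("forward", reason) or ("drop", reason) for one ARP packet.

    Packets on trusted interfaces bypass the check entirely; packets on
    untrusted interfaces are forwarded only if the sender IP/MAC pair
    matches the binding table exactly.
    """
    if pkt.ingress in trusted:
        return "forward", "trusted interface, not inspected"
    expected = bindings.get(pkt.sender_ip)
    if expected is None:
        return "drop", f"no binding for {pkt.sender_ip}"
    if expected.lower() != pkt.sender_mac.lower():
        return "drop", f"{pkt.sender_ip} is bound to {expected}, not {pkt.sender_mac}"
    return "forward", "sender binding matches"


def apply_to_cache(cache, pkt, verdict):
    """Update an ARP cache the way the hosts in the text do, but only with
    packets that passed inspection; dropped packets never reach the cache."""
    if verdict[0] == "forward":
        cache[pkt.sender_ip] = pkt.sender_mac
    return cache


def run_scenario():
    """Replay the exchange from the text: Host B's genuine reply, then the
    two forged replies Host C would send to claim IA and IB with MC."""
    switch_cache = {}
    log = []
    packets = [
        ArpPacket("gi1/0/2", "reply", IB, MB, IA),   # genuine reply from Host B
        ArpPacket("gi1/0/3", "reply", IA, MC, IB),   # Host C claims IA with MC
        ArpPacket("gi1/0/3", "reply", IB, MC, IA),   # Host C claims IB with MC
    ]
    for pkt in packets:
        verdict = inspect(pkt)
        apply_to_cache(switch_cache, pkt, verdict)
        log.append((pkt.ingress, pkt.sender_ip, pkt.sender_mac, verdict[0], verdict[1]))
    return switch_cache, log


if __name__ == "__main__":
    cache, log = run_scenario()
    for entry in log:
        print(entry)
    print("switch ARP cache after inspection:", cache)
```

Running the script shows the genuine reply from Host B being forwarded and cached, while both forged replies from interface gi1/0/3 are dropped with the mismatched binding named in the reason, so the switch cache never learns IA or IB as MC. The same forged packet arriving on `uplink1` would be forwarded untouched, which is why only interfaces leading to other inspecting switches or otherwise trusted equipment should be marked trusted.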
How ARP Prevents Cache Poisoning
The ARP Inspection feature classifies each interface as either trusted or untrusted (see
the Security > ARP Inspection > Interface Setting page).
Interfaces are classified by the user as follows: