Dynamic ARP Inspection Overview

intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting neighbors. ARP poisoning is a tactic where an attacker injects false ARP packets into the subnet, normally by broadcasting ARP responses in which the attacker claims to be someone else. By poisoning the ARP cache, a malicious user can intercept the traffic intended for other hosts on the network.

The Dynamic ARP Inspection application performs ARP packet validation. When DAI is enabled, it verifies that the sender MAC address and the source IP address are a valid pair in the DHCP snooping binding database and drops ARP packets whose sender MAC address and sender IP address do not match an entry in the database. Additional ARP packet validation can be configured.

If DHCP snooping is disabled on the ingress VLAN or the receive interface is trusted for DHCP snooping, ARP packets are dropped.

Functional Description

DAI is enabled on VLANs, effectively enabling DAI on the interfaces (physical ports or LAGs) that are members of that VLAN. Individual interfaces are configured as trusted or untrusted. The trust configuration for DAI is independent of the trust configuration for DHCP snooping. A trusted port is a port the network administrator does not consider to be a security threat. An untrusted port is one that could potentially be used to launch a network attack.

DAI considers all physical ports and LAGs untrusted by default.

Static Mappings

Static mappings are useful when hosts configure static IP addresses, DHCP snooping cannot be run, or other switches in the network do not run dynamic ARP inspection. A static mapping associates an IP address to a MAC address on a VLAN. DAI consults its static mappings before it consults DHCP snooping — thus, static mappings have precedence over DHCP snooping bindings.

ARP ACLs are used to define static mappings for DAI. In this implementation, only the subset of ARP ACL syntax required for DAI is supported. ARP ACLs are completely independent of ACLs used for QoS. A maximum of 100 ARP ACLs can be configured. Within an ACL, a maximum of 20 rules can be configured.

Optional ARP Packet Validation

If optional ARP packet validation has been configured, DAI verifies that the sender MAC address equals the source MAC address in the Ethernet header. Additionally, the option to verify that the target MAC address equals the destination MAC address in the Ethernet header can be configured. This check only applies to ARP responses, since the target MAC address is unspecified in ARP requests.

You can also enable IP address checking. When this option is enabled, DAI drops ARP packets with an invalid IP address. The following IP addresses are considered invalid:

    0.0.0.0
    255.255.255.255
    All IP multicast addresses
    All class E addresses (240.0.0.0/4)
    Loopback addresses (in the range 127.0.0.0/8)
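The validation sequence described in this section (trust bypass, the optional header and IP checks, then the static-mapping lookup ahead of the DHCP snooping binding lookup) as an added Python model; this is illustrative code, not Enterasys firmware, and the table contents, the check ordering, and the choice to apply the IP check to the sender IP of every packet and the target IP of replies are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ArpPacket:
    vlan: int
    eth_src: str        # Ethernet header source MAC
    eth_dst: str        # Ethernet header destination MAC
    sender_mac: str     # ARP sender hardware address
    sender_ip: str      # ARP sender protocol address
    target_mac: str     # ARP target hardware address (unspecified in requests)
    target_ip: str      # ARP target protocol address
    is_reply: bool

# Constructed tables keyed by (vlan, ip): ARP ACL static mappings and DHCP snooping bindings.
STATIC_ARP_ACL = {(10, "10.0.0.5"): "aa:bb:cc:00:00:05"}
DHCP_SNOOPING_DB = {(10, "10.0.0.7"): "aa:bb:cc:00:00:07"}

def ip_is_invalid(ip: str) -> bool:
    """The invalid classes listed above: 0.0.0.0, limited broadcast, multicast, class E, loopback."""
    a = ipaddress.IPv4Address(ip)
    return (a == ipaddress.IPv4Address("0.0.0.0")
            or a == ipaddress.IPv4Address("255.255.255.255")
            or a.is_multicast
            or a in ipaddress.IPv4Network("240.0.0.0/4")
            or a.is_loopback)

def dai_verdict(pkt: ArpPacket, port_trusted: bool,
                src_mac_check=False, dst_mac_check=False, ip_check=False) -> str:
    """Return 'permit' or a 'drop: <reason>' string for one ARP packet on an untrusted port."""
    if port_trusted:
        return "permit"                        # trusted interfaces are not inspected
    if src_mac_check and pkt.sender_mac.lower() != pkt.eth_src.lower():
        return "drop: sender MAC != Ethernet source MAC"
    if dst_mac_check and pkt.is_reply and pkt.target_mac.lower() != pkt.eth_dst.lower():
        return "drop: target MAC != Ethernet destination MAC"   # replies only
    if ip_check and (ip_is_invalid(pkt.sender_ip)
                     or (pkt.is_reply and ip_is_invalid(pkt.target_ip))):
        return "drop: invalid IP address"
    # Static mappings are consulted first and take precedence over DHCP snooping bindings.
    key = (pkt.vlan, pkt.sender_ip)
    expected = STATIC_ARP_ACL.get(key) or DHCP_SNOOPING_DB.get(key)
    if expected is None or expected.lower() != pkt.sender_mac.lower():
        return "drop: sender MAC/IP is not a valid binding"
    return "permit"
```

A gratuitous reply that claims a neighbor's IP with a different MAC fails the binding lookup and is dropped, while the same frame arriving on a trusted port is forwarded unchecked, which is why trust should be limited to uplinks and known infrastructure ports.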

17-16 DHCP Snooping and Dynamic ARP Inspection

Enterasys Networks 9034313-07 manual Functional Description, Static Mappings, Optional ARP Packet Validation