Enterasys Networks 9034313-07 Functional Description

Dynamic ARP Inspection Overview

17-16 DHCP Snooping and Dynamic ARP Inspection

interceptstrafficforotherstationsbypoisoningtheARPcachesofitsunsuspectingneighbors.

ARPpoisoningisatacticwhereanattackerinjectsfalseARPpacketsintothesubnet,normallyby

broadcastingARPresponsesinwhichtheattackerclaimstobesomeoneelse.Bypoisoningthe

ARPcache,amalicioususercaninterceptthetrafficintendedforotherhostsonthenetwork.

TheDynamicARPInspectionapplicationperformsARPpacketvalidation .WhenDAIisenabled,

itverifiesthatthesenderMACaddressandthesourceIPaddressareavalidpairintheDHCP

snoopingbindingdatabaseanddropsARPpacketswhosesenderMACaddressandsenderIP

addressdonotmatchanentryinthedatabase.AdditionalARPpacketvalidation canbe

configured.

IfDHCPsnoopingisdisabledontheingressVLANorthereceiveinterfaceistrustedforDHCP

snooping,ARPpacketsaredropped.

Functional Description

DAIisenabledonVLANs,effectivelyenablingDAIontheinterfaces(physicalportsorLAGs)that

aremembersofthatVLAN.Individualinterfacesareconfiguredastrustedoruntrusted.Thetrust

configurationforDAIisindependentofthetrustconfigurationforDHCPsnooping.Atrusted

portisaportthenetworkadministratordoesnotconsidertobeasecuritythreat.Anuntrusted

portisonewhichcouldpotentiallybeusedtolaunchanetworkattack.

DAIconsidersallphysicalportsandLAGsuntrustedbydefault.

StaticmappingsareusefulwhenhostsconfigurestaticIPaddresses,DHCPsnoopingcannotbe

run,orotherswitchesinthenetworkdonotrundynamicARPinspection.Astaticmapping

associatesanIPaddresstoaMACaddressonaVLAN.DAIconsultsitsstaticmappingsbeforeit

consultsDHCPsnooping—thus,staticmappingshaveprecedenceoverDHCPsnooping

bindings.

ARPACLsareusedtodefinestaticmappingsforDAI.Inthisimplementation,onlythesubsetof

ARPACLsyntaxrequiredforDAIissupported.ARPACLsarecompletelyindependentofACLs

usedforQoS.Amaximumof100ARPACLscanbeconfigured.WithinanACL,amaximumof20

rulescanbeconfigured.

IfoptionalARPpacketvalidatio nhasbeenconfigured,DAIverifiesthatthesenderMACaddress

equalsthesourceMACaddressintheEthernetheader.Additionally,theoptiontoverifythatthe

targetMACaddressequalsthedestinationMACaddressintheEthernetheadercanbe

configured.ThischeckonlyappliestoARPresponses,sincethetargetMACaddressis

unspecifiedinARPrequests.

YoucanalsoenableIPaddresschecking.Whenthisoptionisenabled,DAIdropsARPpackets

withaninvalidIPaddress.ThefollowingIPaddressesareconsideredinvalid:

• 0.0.0.0

• 255.255.255.255

•AllIPmulticastaddresses

•AllclassEaddresses(240.0.0.0/4)

• Loopbackaddresses(intherange127.0.0.0/8)