a.Man-in-the-middle attack

Switch

Host A

Host C

IP_ A

IP_C

MAC_ A

MAC_C

Forged

Forged

ARP reply

ARP reply

Host B

IP_B

MAC_B

ARP detection mechanism

With ARP detection enabled for a specific VLAN, ARP messages arrived on any interface in the VLAN are redirected to the CPU to have their MAC and IP addresses checked. ARP messages that pass the check are forwarded, and other ARP messages are discarded.

Table 95 ARP detection based on DHCP snooping entries/802.1X security entries/static IP-to-MAC bindings

With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet received from the VLAN against the DHCP snooping entries, 802.1X security entries, or static IP-to-MAC binding entries. You can specify a detection type or types as needed.

After you enable ARP detection based on DHCP snooping entries for a VLAN,

Upon receiving an ARP packet from an ARP untrusted port, the device compares the ARP packet against the DHCP snooping entries. If a match is found, that is, the parameters (such as IP address, MAC addresses, port index, and VLAN ID) are consistent, the ARP packet passes the check; if not, the ARP packet cannot pass the check.

Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP packet.

If ARP detection is not enabled for the VLAN, the ARP packet is not checked even if it is received from an ARP untrusted port.

After you enable ARP detection based on 802.1X security entries, the device, upon receiving an ARP packet from an ARP untrusted port, compares the ARP packet against the 802.1X security entries.

If an entry with identical source IP and MAC addresses, port index, and VLAN ID is found, the ARP packet is considered valid.

If an entry with no matching IP address but with a matching OUI MAC address is found, the ARP packet is considered valid.

Otherwise, the packet is considered invalid and discarded.

316

Page 328
Image 328
HP V1910 manual ARP detection mechanism, Man-in-the-middle attack, 316