The following shows an example of ARP cache poisoning.
ARP Cache Poisoning
Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the
same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP
address IA and MAC address MA. When Host A needs to communicate with Host B at the IP
layer, it broadcasts an ARP request for the MAC address associated with IP address IB. Host B
responds with an ARP reply. The switch and Host A update their ARP caches with the MAC
and IP address of Host B.
Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged
ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of
MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC
address for traffic intended for IA or IB, which enables Host C to intercept that traffic. Because
Host C knows the true MAC addresses associated with IA and IB, it can forward the
intercepted traffic to those hosts by using the correct MAC address as the destination. Host C
has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle
attack.
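The check that stops this scenario is validating each ARP packet's sender IP/MAC pair against a trusted binding table before the switch forwards it. The following is an added illustration, not code from the Cisco guide; it assumes a constructed binding table standing in for the DHCP Snooping database, the symbolic addresses from the figure (IA/MA, IB/MB, IC/MC), and a hypothetical set of trusted ports that are exempt from inspection.

```python
# Added illustration (not from the Cisco guide): a toy ARP Inspection check that
# validates ARP packets against an IP-to-MAC binding table, the way a switch's
# ARP Inspection validates them against bindings learned by DHCP Snooping.
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str
    opcode: int          # 1 = request, 2 = reply
    sender_ip: str
    sender_mac: str
    target_ip: str


# Constructed binding table, standing in for DHCP Snooping's database.
# Symbolic values follow the guide's figure: Host A = (IA, MA), and so on.
BINDINGS = {"IA": "MA", "IB": "MB", "IC": "MC"}
TRUSTED_PORTS = {"uplink"}   # assumption: ports exempt from inspection


def inspect_arp(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """Return (verdict, reason); verdict is 'permit' or 'drop'."""
    if pkt.ingress_port in trusted:
        return "permit", "trusted port, not inspected"
    expected = bindings.get(pkt.sender_ip)
    if expected is None:
        return "drop", f"no binding for sender IP {pkt.sender_ip}"
    if expected != pkt.sender_mac:
        return "drop", (f"sender {pkt.sender_ip} is bound to {expected}, "
                        f"packet claims {pkt.sender_mac}")
    return "permit", "sender IP/MAC matches binding"


def inspect_stream(packets):
    """Inspect a list of packets and return those dropped, with reasons."""
    dropped = []
    for pkt in packets:
        verdict, reason = inspect_arp(pkt)
        if verdict == "drop":
            dropped.append((pkt, reason))
    return dropped


# Constructed traffic: the legitimate exchange from the figure, followed by
# forged replies from interface C that bind IA and IB to MC (the poisoning case).
SAMPLE = [
    ArpPacket("A", 1, "IA", "MA", "IB"),   # Host A asks who has IB
    ArpPacket("B", 2, "IB", "MB", "IA"),   # Host B answers truthfully
    ArpPacket("C", 2, "IA", "MC", "IB"),   # forged: claims IA is at MC
    ArpPacket("C", 2, "IB", "MC", "IA"),   # forged: claims IB is at MC
]

if __name__ == "__main__":
    for pkt, reason in inspect_stream(SAMPLE):
        print(f"drop on interface {pkt.ingress_port}: {reason}")
```

Only the two forged replies from interface C are dropped; the genuine request and reply pass because their sender bindings match the table.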
This section describes ARP Inspection and covers the following topics:
• How ARP Prevents Cache Poisoning
• Interaction Between ARP Inspection and DHCP Snooping
• ARP Defaults
• ARP Inspection Work Flow
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4
Security
ARP Inspection