How Arp Prevents Cache Poisoning - Cisco 220 Series Smart Plus Administration Manual

Hide thumbs Also See for 220 Series Smart Plus:

Reference manual (582 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

page of 287

/ 287
Contents
Table of Contents
Bookmarks

Table of Contents

Configuring Security

Configuring Dynamic ARP Inspection

Cisco 220 Series Smart Plus Switches Administration Guide Release 1.0.0.x

How ARP Prevents Cache Poisoning

The ARP inspection feature relates to interfaces as either trusted or untrusted (see

Security > ARP Inspection > Interface Settings page).

Interfaces are classified by the user as follows:

•

Trusted—Packets are not inspected.

•

Untrusted—Packets are inspected as described above.

ARP inspection is performed only on untrusted interfaces. ARP packets that are

received on the trusted interface are simply forwarded.

Upon packet arrival on untrusted interfaces the following logic is implemented:

•

Search the ARP access control rules for the packet's IP/MAC addresses. If

the IP address is found and the MAC address in the list matches the

packet's MAC address, then the packet is valid; otherwise it is not.

•

If the packet's IP address was not found, and DHCP Snooping is enabled for

the packet's VLAN, search the DHCP Snooping Binding database for the

packet's <VLAN - IP address> pair. If the <VLAN - IP address> pair was

found, and the MAC address and the interface in the database match the

packet's MAC address and ingress interface, the packet is valid.

•

If the packet's IP address was not found in the ARP access control rules or

in the DHCP Snooping Binding database the packet is invalid and is

dropped. A SYSLOG message is generated.

•

If a packet is valid, it is forwarded and the ARP cache is updated.

If the ARP Packet Validation option is selected (on the Properties page), the

following additional validation checks are performed:

•

Source MAC Address—Compares the packet's source MAC address in the

Ethernet header against the sender's MAC address in the ARP request. This

check is performed on both ARP requests and responses.

•

Destination MAC Address—Compares the packet's destination MAC

address in the Ethernet header against the destination interface's MAC

address. This check is performed for ARP responses.

•

IP Address—Compares the ARP body for invalid and unexpected IP

addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP Multicast

addresses.

Packets with invalid ARP Inspection bindings are logged and dropped.

219

Table of Contents

How Arp Prevents Cache Poisoning - Cisco 220 Series Smart Plus Administration Manual

How ARP Prevents Cache Poisoning

Related Manuals for Cisco 220 Series Smart Plus

Related Content for Cisco 220 Series Smart Plus

Table of Contents