CanogaOS Configuration Guide

Proprietary & Confidential Canoga Perkins Metro Ethernet Switches

Page 303 of 350

36 Configuring ARP Inspection

ARP inspection is a security feature that validates ARP packets in a network. It intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This protects the network from some man-in-the-middle attacks, in particular ARP spoofing, where an attacker answers ARP requests for another host's IP address with its own MAC address so that traffic for that host is sent to the attacker instead. ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
• Intercepts all ARP requests and responses on untrusted ports.
• Verifies that each intercepted packet has a valid IP-to-MAC address binding before updating the local ARP cache or forwarding the packet to its destination.
• Drops invalid ARP packets.

ARP inspection determines the validity of an ARP packet from the IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. DHCP snooping builds this database only if it is enabled on the switch and on the VLANs concerned; without it, ARP inspection has no bindings to check against. If an ARP packet is received on a trusted interface, the switch forwards it without any checks, so an interface should be marked trusted only when nothing reached through it needs to be inspected (typically the uplink toward the DHCP server or another trusted switch), never a port that serves end hosts. On untrusted interfaces, the switch forwards the packet only if it is valid.

36.1.1 Terminology
Following is a brief description of the terms and concepts used to describe ARP inspection:

DHCP Snooping

DHCP snooping is a security feature that acts like a firewall between untrusted hosts and trusted
DHCP servers. This feature builds and maintains the DHCP snooping binding database, which
records the IP-to-MAC address bindings of untrusted hosts that have leased an IP address; ARP inspection validates ARP packets against these bindings.

Address Resolution Protocol (ARP)

ARP makes IP communication possible within a Layer 2 broadcast domain by mapping an IP address
to a MAC address. For example, Host B wants to send information to Host A but does not have
the MAC address of Host A in its ARP cache. Host B broadcasts an ARP request to all hosts
within the broadcast domain asking for the MAC address associated with the IP address of Host
A. All hosts within the broadcast domain receive the ARP request, and Host A responds with an ARP reply carrying its
MAC address. Nothing in ARP authenticates that reply: any host on the segment can answer for any IP address, which is why the switch must validate ARP packets against the binding database rather than trust them.
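The following is an added example, not code from the CanogaOS guide or from Canoga Perkins, that models the two behaviours described above: the request/reply exchange between Host B and Host A, and the validation the switch applies to ARP packets on untrusted ports using the DHCP snooping binding database, with trusted ports bypassing inspection. The VLAN, port names (ge1/1, ge1/2, ge1/3, ge1/5), addresses, binding entries and the attacker frame are all constructed for the example; a real switch learns the bindings from DHCP snooping rather than from a hard-coded table.

```python
import logging
import struct

# --- Constructed sample topology (an assumption for this example, not from the guide) ---
VLAN = 10
TRUSTED_PORTS = {"ge1/1"}  # uplink toward the DHCP server; ARP is not inspected here
# DHCP snooping binding database: (vlan, ip) -> mac, as DHCP snooping would have
# learned it from the DHCP leases of Host A and Host B.
BINDING_DB = {
    (VLAN, "192.0.2.10"): "02:00:00:00:00:0a",  # Host A
    (VLAN, "192.0.2.11"): "02:00:00:00:00:0b",  # Host B
}

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

log = logging.getLogger("arp-inspection")


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST) -> bytes:
    """Build an Ethernet II / IPv4 ARP frame; the Ethernet source is the ARP sender MAC."""
    eth = ETH_HDR.pack(mac_bytes(dst_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of a frame, or None if it is not a well-formed IPv4 ARP."""
    try:
        _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
        if ethertype != ETHERTYPE_ARP:
            return None
        htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    except struct.error:  # frame too short for the header we tried to read
        return None
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    return {"op": op, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def inspect(frame: bytes, port: str, vlan: int):
    """Decide whether the switch relays an ARP frame received on (port, vlan).
    Returns ("forward", reason) or ("drop", reason); every drop is logged."""
    if port in TRUSTED_PORTS:
        return "forward", "trusted port: not inspected"
    arp = parse_arp(frame)
    if arp is None:
        reason = "malformed or unsupported ARP"
    else:
        expected = BINDING_DB.get((vlan, arp["sender_ip"]))
        if expected is None:
            reason = f"no binding for {arp['sender_ip']} on VLAN {vlan}"
        elif expected != arp["sender_mac"]:
            reason = (f"{arp['sender_ip']} is bound to {expected}, "
                      f"but frame claims {arp['sender_mac']}")
        else:
            return "forward", "sender IP/MAC matches binding database"
    log.warning("drop ARP on %s vlan %d: %s", port, vlan, reason)
    return "drop", reason


# Constructed frames: the request/reply exchange from the text plus a spoofed reply.
REQUEST_B_TO_A = build_arp(ARP_REQUEST, "02:00:00:00:00:0b", "192.0.2.11", ZERO_MAC, "192.0.2.10")
REPLY_A_TO_B = build_arp(ARP_REPLY, "02:00:00:00:00:0a", "192.0.2.10",
                         "02:00:00:00:00:0b", "192.0.2.11", dst_mac="02:00:00:00:00:0b")
# An attacker on ge1/5 answers for Host A's IP address with its own MAC address.
SPOOFED_REPLY = build_arp(ARP_REPLY, "02:00:00:00:00:ee", "192.0.2.10",
                          "02:00:00:00:00:0b", "192.0.2.11", dst_mac="02:00:00:00:00:0b")

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for name, frame, port in [("request B->A", REQUEST_B_TO_A, "ge1/3"),
                              ("reply A->B", REPLY_A_TO_B, "ge1/2"),
                              ("spoofed reply", SPOOFED_REPLY, "ge1/5"),
                              ("spoofed reply, trusted port", SPOOFED_REPLY, "ge1/1")]:
        action, why = inspect(frame, port, VLAN)
        print(f"{name:28s} on {port}: {action} ({why})")
```

The last case is the one to notice: the same spoofed reply that is dropped on ge1/5 is forwarded unchecked when it arrives on the trusted port ge1/1, because trust disables inspection entirely. The set of trusted ports is therefore the security boundary of the feature, and a port that serves end hosts should never be in it.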

36.1.2 Topology
