Arp detection mechanism – H3C Technologies H3C WX6000 Series Access Controllers User Manual

Page 168

Advertising
background image

23-2

Figure 23-1 Man-in-the-middle attack

Host A

Host B

IP_ A

MAC_ A

IP_B

MAC_B

IP_C

MAC_C

Host C

Forged

ARP reply

Forged

ARP reply

Device

ARP detection mechanism

With ARP detection enabled for a specific VLAN, ARP messages arriving on any interface in the VLAN

are redirected to the CPU to have their sender MAC and IP addresses checked. ARP messages that

pass the check are forwarded; otherwise, they are discarded.

1) ARP detection based on static IP Source Guard binding entries/DHCP snooping entries/802.1X

security entries/OUI MAC addresses

With this feature enabled, the device compares the sender IP and MAC addresses of an ARP packet

received from the VLAN against the static IP Source Guard binding entries, DHCP snooping entries,

802.1X security entries, or OUI MAC addresses to prevent spoofing.

After you enable this feature for a VLAN,

Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP

and MAC addresses of the ARP packet against the static IP Source Guard binding entries. If a

match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP

address but an unmatched MAC address is found, the ARP packet is considered invalid and is

discarded. If no entry with a matching IP address is found, the device compares the ARP packet's

sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and

OUI MAC addresses.

If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. ARP

detection based on OUI MAC addresses refers to that if the sender MAC address of the received

ARP packet is an OUI MAC address, the packet is considered valid.

If no match is found, the ARP packet is considered invalid and is discarded.

Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP

packet.

2) ARP detection based on specified objects

You can also specify objects in ARP packets to be detected. The objects involve:

Advertising
This manual is related to the following products:

H3C WX5000 Series Access Controllers, H3C WX3000 Series Unified Switches, H3C LSWM1WCM10 Access Controller Module, H3C LSWM1WCM20 Access Controller Module, H3C LSQM1WCMB0 Access Controller Module, H3C LSRM1WCM2A1 Access Controller Module, H3C LSBM1WCM2A0 Access Controller Module

Popular Brands
Popular manuals