Arp inspection, Configuring arp inspection – LevelOne FGL-2870 User Manual

Page 190

Advertising
background image

Configuring the Switch

3-136

3

CLI – This example assigns an IP access list to port 1, and an IP access list to
port 3.

ARP Inspection

ARP Inspection is a security feature that validates the MAC Address bindings for
Address Resolution Protocol packets. It provides protection against ARP traffic with
invalid MAC-to-IP address bindings, which forms the basis for certain
“man-in-the-middle” attacks. This is accomplished by intercepting all ARP requests
and responses and verifying each of these packets before the local ARP cache is
updated or the packet is forwarded to the appropriate destination. Invalid ARP
packets are dropped.

ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC
address bindings stored in a trusted database – the DHCP snooping binding
database (see "DHCP Snooping Configuration" on page 3-144). This database is
built by DHCP snooping if it is enabled on globally on the switch and on the VLANs.
ARP Inspection can also validate ARP packets against user-configured ARP access
control lists (ACLs) for hosts with statically configured addresses (see "Configuring
an ARP ACL" on page 3-133).

Configuring ARP Inspection

ARP Inspection must be activated both globally for the switch and per VLAN, and
inspection parameters set for each VLAN. These functions, as well as logging and
configuration of trusted ports are provided on the ARP Inspection Configuration
page. ARP Inspection ACLs must be configured on the ARP ACL page before they
can be activated here (see page 3-133).

Command Usage

Enabling & Disabling ARP Inspection
• ARP Inspection is controlled on a global and VLAN basis.
• By default, ARP Inspection is disabled globally.
• By default, ARP Inspection is disabled on all VLANs.

- If ARP Inspection is globally enabled, then it becomes active only on the VLANs

where it has been enabled.

- When ARP Inspection is enabled globally, all ARP request and reply packets on

inspection-enabled VLANs are redirected to the CPU and their switching
behavior handled by the ARP Inspection engine.

- If ARP Inspection is disabled globally, then it becomes inactive for all VLANs,

including those where inspection is enabled.

Console(config)#interface ethernet 1/1

4-220

Console(config-if)#ip access-group david in

4-204

Console(config-if)#exit
Console(config)#interface ethernet 1/3
Console(config-if)#ip access-group david in
Console(config-if)#

Advertising
Popular Brands
Popular manuals