DHCP, Dynamic ARP inspection, ARP poisoning – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
DHCP
Supported DHCP packet inspection and tracking features
Lists DHCP packet inspection and tracking features supported on FastIron devices.
The following table lists individual Brocade switches and the Dynamic Host Configuration Protocol
(DHCP) packet inspection and tracking features they support. These features are supported in the
Layer 2 and Layer 3 software images, except where explicitly noted.
| Feature | ICX 6430 | ICX 6450 | FCX | ICX 6610 | ICX 6650 | FSX 800 / FSX 1600 | ICX 7750 |
|---|---|---|---|---|---|---|---|
| Dynamic ARP inspection | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| DHCP snooping | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| DHCP relay agent information (DHCP Option 82) | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| Port statistics | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
| IP source guard | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
Dynamic ARP inspection
For enhanced network security, you can configure the Brocade device to inspect and keep track of
Dynamic Host Configuration Protocol (DHCP) assignments.
Dynamic ARP Inspection (DAI) enables the Brocade device to intercept and examine all ARP request
and response packets in a subnet and discard those packets with invalid IP-to-MAC address bindings.
DAI can prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning, and disallow
misconfiguration of client IP addresses.
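The binding check described above can be sketched in a few lines. This is an added example, not Brocade code or configuration: the binding table, addresses and function names are constructed for illustration, and treating a sender IP with no binding as invalid is an assumption.

```python
import ipaddress
import struct

# Constructed binding table (IP -> MAC). Assumed to be learned elsewhere,
# for example from tracked DHCP assignments or static entries.
BINDINGS = {
    "10.0.0.1": "00:11:22:33:44:01",   # gateway (sample value)
    "10.0.0.20": "00:11:22:33:44:20",  # client (sample value)
}
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def build_arp(oper, sha, spa, tha, tpa):
    """Build a 28-byte Ethernet/IPv4 ARP payload (only used for sample data)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac(sha), ip(spa), mac(tha), ip(tpa))

def inspect_arp(payload, bindings=BINDINGS):
    """Return (verdict, reason); verdict is 'forward' or 'drop'."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return "drop", "truncated ARP payload"
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return "drop", "not an Ethernet/IPv4 ARP request or reply"
    sender_ip = str(ipaddress.IPv4Address(spa))
    sender_mac = ":".join(f"{b:02x}" for b in sha)
    bound = bindings.get(sender_ip)
    if bound is None:
        return "drop", f"no binding for {sender_ip}"  # assumption: unknown = invalid
    if bound != sender_mac:
        return "drop", f"{sender_ip} is bound to {bound}, packet claims {sender_mac}"
    return "forward", "sender IP/MAC matches binding"

# Constructed samples: a legitimate reply, and a reply that claims the
# gateway's IP with the client's MAC (the mismatch DAI is meant to discard).
SAMPLES = {
    "valid": build_arp(2, "00:11:22:33:44:20", "10.0.0.20",
                       "00:11:22:33:44:01", "10.0.0.1"),
    "spoofed": build_arp(2, "00:11:22:33:44:20", "10.0.0.1",
                         "00:11:22:33:44:30", "10.0.0.30"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, *inspect_arp(pkt))
```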
ARP poisoning
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a
MAC address. Before a host can talk to another host, it must map the IP address to a MAC address
first. If the host does not have the mapping in its ARP table, it creates an ARP request to resolve the
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03