About dynamic arp inspection – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

mapping. All computers on the subnet will receive and process the ARP requests, and the host whose
IP address matches the IP address in the request will send an ARP reply.

An ARP poisoning attack can target hosts, switches, and routers connected to the Layer 2 network by
poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for
other hosts on the subnet. For instance, a malicious host can reply to an ARP request with its own
MAC address, thereby causing other hosts on the same subnet to store this information in their ARP
tables or replace the existing ARP entry. Furthermore, a host can send gratuitous replies without
having received any ARP requests. A malicious host can also send out ARP packets claiming to have
an IP address that actually belongs to another host (e.g. the default router). After the attack, all traffic
from the device under attack flows through the attacker computer and then to the router, switch, or
host.

About Dynamic ARP Inspection

Dynamic ARP Inspection (DAI) allows only valid ARP requests and responses to be forwarded.

A Brocade device on which DAI is configured does the following:

• Intercepts ARP packets received by the system CPU
• Inspects all ARP requests and responses received on untrusted ports
• Verifies that each of the intercepted packets has a valid IP-to-MAC address binding before updating

the local ARP table, or before forwarding the packet to the appropriate destination

• Drops invalid ARP packets

When you enable DAI on a VLAN, by default, all member ports are untrusted. You must manually
configure trusted ports. In a typical network configuration, ports connected to host ports are untrusted.
You configure ports connected to other switches or routers as trusted.

DAI inspects ARP packets received on untrusted ports, as shown in the Dynamic ARP inspection at
work figure. DAI carries out the inspection based on IP-to-MAC address bindings stored in a trusted
binding database. For the Brocade device, the binding database is the ARP table, which supports DAI,
DHCP snooping, and IP Source Guard. To inspect an ARP request packet, DAI checks the source IP
and source MAC address against the ARP table. For an ARP reply packet, DAI checks the source IP,
source MAC, destination IP, and destination MAC addresses. DAI forwards the valid packets and
discards those with invalid IP-to-MAC address bindings.

When ARP packets reach a trusted port, DAI lets them through, as shown in the following figure.

About Dynamic ARP Inspection

332

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03