beautypg.com

37 configuring arp inspection, 1 overview, 2 terminology – CANOGA PERKINS 9175 Configuration Guide User Manual

Page 243: 3 topology

background image

CanogaOS Configuration Guide

37-1

37 Configuring ARP Inspection

37.1 Overview

ARP inspection is a security feature that validates ARP packets in a network. ARP
inspection intercepts, logs, and discards ARP packets with invalid IP-to-MAC address
bindings. This capability protects the network from some man-in-the-middle attacks.
ARP inspection ensures that only valid ARP requests and responses are relayed. The
switch performs these activities:

• Intercepts all ARP requests and responses on untrusted ports.

• Verifies that each of these intercepted packets has a valid IP-to-MAC address

binding before updating the local ARP cache or before forwarding the packet to
the appropriate destination.

• Drops invalid ARP packets.

• ARP inspection determines the validity of an ARP packet based on valid

IP-to-MAC address bindings stored in a trusted database, the DHCP snooping
binding database. This database is built by DHCP snooping if DHCP snooping is
enabled on the VLANs and on the switch. If the ARP packet is received on a
trusted interface, the switch forwards the packet without any checks. On untrusted
interfaces, the switch forwards the packet only if it is valid.

37.2 Terminology

Following is a brief description of terms and concepts used to describe the ARP
Inspection:

DHCP Snooping
DHCP snooping is a security feature that acts like a firewall between untrusted hosts and
trusted DHCP servers. This feature builds and maintains the DHCP snooping binding
database, which contains information about untrusted hosts with leased IP addresses.

Address Resolution Protocol (ARP)
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP
address to a MAC address. For example, Host B wants to send information to Host A but
does not have the MAC address of Host A in its ARP cache. Host B generates a
broadcast message for all hosts within the broadcast domain to obtain the MAC address
associated with the IP address of Host A. All hosts within the broadcast domain receive
the ARP request, and Host A responds with its MAC address.

37.3 Topology

See also other documents in the category CANOGA PERKINS Computer hardware: