Dynamic ARP inspection
validates ARP packets by checking each packet's IP-to-MAC address binding against a trusted database (the
DHCP snooping binding database) before forwarding the packet to its destination. Dynamic ARP inspection
drops every ARP packet whose IP-to-MAC address binding is not found in, or does not match, that database.
The DHCP snooping binding database is populated when the DHCP snooping feature is enabled on the switch
and on the relevant VLANs; hosts that do not obtain their address through DHCP therefore need a static entry
(or an ARP ACL) for their ARP packets to pass inspection.
Note
Dynamic ARP inspection inspects inbound packets only; it does not check outbound packets.
Figure 4-5a shows an attacker attempting to spoof and hijack traffic for an important address (the default
gateway in this example) by broadcasting a gratuitous ARP to all hosts that falsely announces the router's IP
address as belonging to the attacker's MAC address. This poisons the ARP caches of Host A and Host B (it
creates an invalid IP-to-MAC entry), so that data is redirected to the wrong destination: when Host A sends
data destined for the router, it is delivered to the attacker instead. Dynamic ARP inspection locks down the
IP-to-MAC mapping for hosts so that the attacker's ARP packet is denied and logged.
Figure 4-5a.
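The following is an added example, not code from the book or from Cisco IOS. It models the decision dynamic ARP inspection makes for each inbound ARP frame: frames from trusted ports are forwarded uninspected, and frames from untrusted ports are parsed and their ARP sender IP/MAC pair is looked up in a DHCP snooping binding table keyed by VLAN and IP. The topology, addresses, port names and bindings are constructed for the Figure 4-5a scenario; the binding table omits the interface and lease fields a real DHCP snooping database carries, and the optional source-MAC check is a simplified model of the `validate src-mac` option rather than its exact behaviour.

```python
"""Simplified model of Dynamic ARP Inspection (DAI).

Added illustration for the Figure 4-5a scenario; not the book's or Cisco's
code.  Frames are real Ethernet II + RFC 826 ARP byte layouts so the parser
can be exercised on captured traffic as well as on the constructed frames.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Set, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(eth_src: str, eth_dst: str, op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


@dataclass
class Arp:
    eth_src: str
    op: int
    sender_mac: str
    sender_ip: str
    target_ip: str


def parse_arp(frame: bytes) -> Arp:
    """Strict parser: rejects anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("truncated frame")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not ARP")
    htype, ptype, hlen, plen, op = struct.unpack_from("!HHBBH", frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return Arp(eth_src=mac_str(frame[6:12]), op=op,
               sender_mac=mac_str(frame[22:28]), sender_ip=ip_str(frame[28:32]),
               target_ip=ip_str(frame[38:42]))


# DHCP snooping binding database, modelled as (vlan, ip) -> mac.
# Interface and lease time are omitted here (simplifying assumption).
Bindings = Dict[Tuple[int, str], str]


def dai_inspect(frame: bytes, vlan: int, port: str, bindings: Bindings,
                trusted_ports: Set[str], validate_src_mac: bool = False) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one inbound ARP frame.

    Trusted ports bypass inspection.  On untrusted ports the ARP sender
    IP/MAC pair must match a binding in the sender's VLAN.  The optional
    source-MAC check (hypothetical model of 'validate src-mac') also
    requires the Ethernet source to equal the ARP sender hardware address.
    """
    if port in trusted_ports:
        return "forward", "trusted port, not inspected"
    try:
        arp = parse_arp(frame)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if validate_src_mac and arp.eth_src != arp.sender_mac:
        return "drop", f"ethernet src {arp.eth_src} != ARP sender {arp.sender_mac}"
    bound_mac = bindings.get((vlan, arp.sender_ip))
    if bound_mac is None:
        return "drop", f"no binding for {arp.sender_ip} in VLAN {vlan}"
    if bound_mac != arp.sender_mac:
        return "drop", f"{arp.sender_ip} is bound to {bound_mac}, not {arp.sender_mac}"
    return "forward", "sender binding verified"


# Constructed topology for the Figure 4-5a scenario (all values invented).
ROUTER_IP, ROUTER_MAC = "10.0.0.1", "00:00:0c:07:ac:01"
HOST_A_IP, HOST_A_MAC = "10.0.0.10", "00:11:22:33:44:0a"
ATTACKER_MAC = "de:ad:be:ef:00:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"
VLAN = 10
BINDINGS: Bindings = {(VLAN, HOST_A_IP): HOST_A_MAC,
                      (VLAN, "10.0.0.11"): "00:11:22:33:44:0b"}
TRUSTED = {"Gi1/0/1"}  # uplink toward the router


def scenario() -> Dict[str, Tuple[str, str]]:
    """Run the frames the text discusses through DAI and collect the verdicts."""
    # Attacker's gratuitous ARP: "10.0.0.1 is at <attacker MAC>", sent to all hosts.
    spoof = build_arp(ATTACKER_MAC, BROADCAST, ARP_REPLY,
                      ATTACKER_MAC, ROUTER_IP, BROADCAST, ROUTER_IP)
    # Host A's legitimate request for the router's MAC address.
    legit = build_arp(HOST_A_MAC, BROADCAST, ARP_REQUEST,
                      HOST_A_MAC, HOST_A_IP, "00:00:00:00:00:00", ROUTER_IP)
    # The router's real reply, arriving on the trusted uplink.
    reply = build_arp(ROUTER_MAC, HOST_A_MAC, ARP_REPLY,
                      ROUTER_MAC, ROUTER_IP, HOST_A_MAC, HOST_A_IP)
    return {
        "attacker_gratuitous": dai_inspect(spoof, VLAN, "Gi1/0/7", BINDINGS, TRUSTED),
        "host_a_request": dai_inspect(legit, VLAN, "Gi1/0/2", BINDINGS, TRUSTED),
        "router_reply": dai_inspect(reply, VLAN, "Gi1/0/1", BINDINGS, TRUSTED),
    }


if __name__ == "__main__":
    for name, (verdict, why) in scenario().items():
        print(f"{name:22s} {verdict:8s} {why}")
```

Running the script shows the attacker's gratuitous ARP dropped because no binding exists for the router's address in VLAN 10 (a router that never obtained a DHCP lease only passes if its port is trusted or a static entry is configured, which is why the uplink is in the trusted set), while Host A's request is forwarded because its DHCP-learned binding matches. Note that the binding check alone says nothing about the Ethernet header: a frame whose Ethernet source differs from its ARP sender address still passes unless the optional source-MAC check is enabled, which is the kind of inconsistency a practitioner would want flagged on untrusted ports.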