Linksys SGE2000 Cisco Small Business SFE/SGE2xxx Series Managed Switches Admin - Page 150
Defining Dynamic ARP Inspection, Dynamic Address Resolution Protocol, Source MAC, Destination MAC
Configuring Device Security
Defining Dynamic ARP Inspection

- Resource Problem - Indicates that the TCAM is full.

STEP 4 Click Apply. The device is updated.

Defining Dynamic ARP Inspection

Dynamic Address Resolution Protocol (ARP) is a TCP/IP protocol for translating IP addresses into MAC addresses. Classic ARP does the following:

• Permits two hosts on the same network to communicate and send packets.
• Permits two hosts on different networks to communicate via a gateway.
• Permits routers to send packets via a host to a different router on the same network.
• Permits routers to send packets to a destination host via a local host.

ARP Inspection intercepts, discards, and logs ARP packets that contain invalid IP-to-MAC address bindings. This eliminates man-in-the-middle attacks, where false ARP packets are inserted into the subnet. Packets are classified as:

• Trusted - Indicates that the interface IP and MAC address are recognized and recorded in the ARP Inspection List. Trusted packets are forwarded without ARP Inspection.
• Untrusted - Indicates that the packet arrived from an interface that does not have a recognized IP and MAC address. The packet is checked for:
  - Source MAC - Compares the packet's source MAC address in the Ethernet header against the sender's MAC address in the ARP request. This check is performed on both ARP requests and responses.
  - Destination MAC - Compares the packet's destination MAC address in the Ethernet header against the destination interface's MAC address. This check is performed for ARP responses.
  - IP Addresses - Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP Multicast addresses.

If the packet's IP address was not found in the ARP Inspection List, and DHCP snooping is enabled for a VLAN, a search of the DHCP Snooping Database is performed. If the IP address is found, the packet is valid and is forwarded.
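The following is an added illustration of the decision sequence the guide describes for untrusted interfaces; it is not firmware or code from the switch or from Cisco. It parses raw Ethernet/ARP frames, applies the source-MAC check, the destination-MAC check (replies only), the invalid-IP check, and then the binding lookup in the ARP Inspection List with a fallback to the DHCP Snooping Database. Two readings are assumptions, marked in the comments: the "destination interface's MAC address" is modelled as the target hardware address in the ARP body, and the IP check is applied to the sender IP on every packet and to the target IP on replies. All frames, MAC addresses and binding tables are constructed sample data.

```python
"""Dynamic ARP Inspection (DAI) decision logic for untrusted ports.

Added illustration, not code from the switch or the guide. The checks run
in the order the guide lists them: source MAC, destination MAC (replies
only), invalid IPs, then the binding lookup with DHCP Snooping fallback.
"""
import ipaddress
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


@dataclass
class ArpFrame:
    dst_mac: bytes
    src_mac: bytes
    opcode: int
    sender_mac: bytes
    sender_ip: str
    target_mac: bytes
    target_ip: str


def parse_arp(frame: bytes) -> ArpFrame:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return ArpFrame(dst, src, op, sha, str(ipaddress.IPv4Address(spa)),
                    tha, str(ipaddress.IPv4Address(tpa)))


def build_arp(dst_mac, src_mac, opcode, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a frame for the constructed sample input below."""
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_ARP) + ARP_BODY.pack(
        1, 0x0800, 6, 4, opcode,
        sender_mac, ipaddress.IPv4Address(sender_ip).packed,
        target_mac, ipaddress.IPv4Address(target_ip).packed)


def is_invalid_ip(ip: str) -> bool:
    """The guide's unexpected addresses: 0.0.0.0, 255.255.255.255 and IP multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def inspect(frame: bytes, trusted: bool, arp_inspection_list: dict,
            dhcp_snooping_db: dict, dhcp_snooping_enabled: bool) -> tuple:
    """Return ("forward", reason) or ("drop", reason) for one frame."""
    if trusted:
        return "forward", "trusted interface: forwarded without inspection"
    arp = parse_arp(frame)
    # Source MAC: Ethernet source vs. ARP sender hardware address (requests and replies)
    if arp.src_mac != arp.sender_mac:
        return "drop", "source MAC mismatch"
    # Destination MAC (replies only). Assumption: the guide's "destination interface's
    # MAC address" is read as the target hardware address carried in the ARP body.
    if arp.opcode == ARP_REPLY and arp.dst_mac != arp.target_mac:
        return "drop", "destination MAC mismatch"
    # IP addresses. Assumption: sender IP on every packet, target IP on replies.
    if is_invalid_ip(arp.sender_ip) or (arp.opcode == ARP_REPLY and is_invalid_ip(arp.target_ip)):
        return "drop", "invalid IP address in ARP body"
    # Binding: ARP Inspection List first, then the DHCP Snooping Database if enabled
    bound = arp_inspection_list.get(arp.sender_ip)
    if bound is None and dhcp_snooping_enabled:
        bound = dhcp_snooping_db.get(arp.sender_ip)
    if bound == arp.sender_mac:
        return "forward", "IP-to-MAC binding verified"
    return "drop", "no valid IP-to-MAC binding for sender"


def demo() -> dict:
    """Run constructed frames through inspect() on an untrusted port; returns {name: verdict}."""
    host_mac, gw_mac, rogue_mac = mac("00:11:22:33:44:55"), mac("00:aa:bb:cc:dd:ee"), mac("de:ad:be:ef:00:01")
    static_list = {"192.168.1.1": gw_mac}      # constructed ARP Inspection List entry
    snooping_db = {"192.168.1.50": host_mac}   # constructed DHCP Snooping binding
    frames = {
        "legit_request": build_arp(BROADCAST, host_mac, ARP_REQUEST,
                                   host_mac, "192.168.1.50", b"\0" * 6, "192.168.1.1"),
        "spoofed_gateway_reply": build_arp(host_mac, rogue_mac, ARP_REPLY,
                                           rogue_mac, "192.168.1.1", host_mac, "192.168.1.50"),
        "src_mac_mismatch": build_arp(BROADCAST, rogue_mac, ARP_REQUEST,
                                      host_mac, "192.168.1.50", b"\0" * 6, "192.168.1.1"),
        "multicast_sender": build_arp(BROADCAST, host_mac, ARP_REQUEST,
                                      host_mac, "224.0.0.1", b"\0" * 6, "192.168.1.1"),
    }
    return {name: inspect(f, False, static_list, snooping_db, True)[0] for name, f in frames.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The spoofed reply in the sample passes the header checks (its Ethernet and ARP MACs agree) and is caught only by the binding lookup, which is why the static list and DHCP Snooping Database matter: without a binding for the gateway address the frame would be forwarded. The legitimate request is not in the static list and is accepted only because DHCP snooping is enabled and its lease is in the database.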
Cisco Small Business SFE/SGE Managed Switches Administration Guide 141