Home » Cisco Manuals » Networking » Cisco WS-SUP32-GE-3B » Manual Viewer

Cisco WS-SUP32-GE-3B Software Configuration Guide - Page 506

Understanding ARP Spoofing Attacks, Understanding DAI and ARP Spoofing Attacks

UPC - 882658006777

View all Cisco WS-SUP32-GE-3B manuals

Add to My Manuals
Save this manual to your list of manuals

Page 506 highlights

Understanding DAI Chapter 35 Configuring Dynamic ARP Inspection Understanding ARP Spoofing Attacks ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host. An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. Figure 35-1 shows an example of ARP cache poisoning. Figure 35-1 Host A (IA, MA) ARP Cache Poisoning A B C Host B (IB, MB) 111750 Host C (man-in-the-middle) (IC, MC) Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. When the switch and Host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB. Host C can poison the ARP caches of the switch for Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, which is the topology of the classic man-in-the middle attack. Understanding DAI and ARP Spoofing Attacks DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from some man-in-the-middle attacks. DAI ensures that only valid ARP requests and responses are relayed. The switch performs these activities: • Intercepts all ARP requests and responses on untrusted ports • Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination • Drops invalid ARP packets 35-2 Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY OL-11439-03

Section	Page
Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide	1
Contents	3
Preface	29
Audience	29
Related Documentation	29
Conventions	30
Product Overview	33
Supported Hardware and Software	33
User Interfaces	33
Configuring Embedded CiscoView Support	34
Understanding Embedded CiscoView	34
Installing and Configuring Embedded CiscoView	34
Displaying Embedded CiscoView Information	35
Software Features Supported in Hardware by the PFC3B	35
Command-Line Interfaces	39
Accessing the CLI	39
Accessing the CLI through the EIA/TIA-232 Console Interface	40
Accessing the CLI through Telnet	40
Performing Command Line Processing	41
Performing History Substitution	41
Cisco IOS Command Modes	42
Displaying a List of Cisco IOS Commands and Syntax	43
Securing the CLI	44
ROM-Monitor Command-Line Interface	45
Configuring the Switch for the First Time	47
Default Configuration	47
Configuring the Switch	48
Using the Setup Facility or the setup Command	48
Setup Overview	48
Configuring the Global Parameters	49
Configuring Interfaces	54
Using Configuration Mode	56
Checking the Running Configuration Before Saving	56
Saving the Running Configuration Settings	57
Reviewing the Configuration	57
Configuring a Static Route	57
Configuring a BOOTP Server	59
Protecting Access to Privileged EXEC Commands	60
Setting or Changing a Static Enable Password	60
Using the enable password and enable secret Commands	61
Setting or Changing a Line Password	61
Setting TACACS+ Password Protection for Privileged EXEC Mode	62
Encrypting Passwords	62
Configuring Multiple Privilege Levels	63
Setting the Privilege Level for a Command	63
Changing the Default Privilege Level for Lines	63
Logging In to a Privilege Level	64
Exiting a Privilege Level	64
Displaying the Password, Access Level, and Privilege Level Configuration	64
Recovering a Lost Enable Password	64
Modifying the Supervisor Engine Startup Configuration	65
Understanding the Supervisor Engine Boot Configuration	65
Understanding the Supervisor Engine Boot Process	65
Understanding the ROM Monitor	65
Configuring the Software Configuration Register	66
Modifying the Boot Field and Using the boot Command	67
Modifying the Boot Field	68
Verifying the Configuration Register Setting	69
Specifying the Startup System Image	69
Understanding Flash Memory	70
Flash Memory Features	70
Security Features	70
Flash Memory Configuration Process	70
CONFIG_FILE Environment Variable	71
Controlling Environment Variables	71
Configuring a Supervisor Engine 32 PISA	73
Flash Memory on a Supervisor Engine 32 PISA	74
Supervisor Engine 32 PISA Ports	74
Supervisor Engine 32 PISA Management Ports	74
Supervisor Engine 32 PISA Data Ports	74
Configuring Full PISA EtherChannel Bandwidth	75
Displaying PISA Platform Statistics	76
Cisco IOS Release 12.2(33)ZYA and earlier releases	77
Cisco IOS Release 12.2(33)ZYA1 and later releases	77
Configuring NSF with SSO Supervisor Engine Redundancy	79
Understanding NSF with SSO Supervisor Engine Redundancy	79
NSF with SSO Supervisor Engine Redundancy Overview	80
SSO Operation	80
NSF Operation	80
Cisco Express Forwarding	81
Multicast MLS NSF with SSO	81
Routing Protocols	82
BGP Operation	82
OSPF Operation	83
IS-IS Operation	83
IETF IS-IS Configuration	84
Cisco IS-IS Configuration	84
EIGRP Operation	85
NSF Benefits and Restrictions	85
Supervisor Engine Configuration Synchronization	87
Supervisor Engine Redundancy Guidelines and Restrictions	87
Redundancy Configuration Guidelines and Restrictions	87
Hardware Configuration Guidelines and Restrictions	87
Configuration Mode Restrictions	88
NSF Configuration Tasks	88
Configuring SSO	89
Configuring Multicast MLS NSF with SSO	89
Verifying Multicast NSF with SSO	90
Configuring CEF NSF	90
Verifying CEF NSF	90
Configuring BGP NSF	91
Verifying BGP NSF	91
Configuring OSPF NSF	92
Verifying OSPF NSF	92
Configuring IS-IS NSF	93
Verifying IS-IS NSF	94
Configuring EIGRP NSF	96
Verifying EIGRP NSF	96
Synchronizing the Supervisor Engine Configurations	97
Copying Files to the Redundant Supervisor Engine	97
Configuring RPR Supervisor Engine Redundancy	99
Understanding RPR	99
Supervisor Engine Redundancy Overview	100
RPR Operation	100
Supervisor Engine Configuration Synchronization	101
Supervisor Engine Redundancy Guidelines and Restrictions	101
Redundancy Guidelines and Restrictions	101
Hardware Configuration Guidelines and Restrictions	101
Configuration Mode Restrictions	102
Configuring Supervisor Engine Redundancy	102
Configuring Redundancy	102
Synchronizing the Supervisor Engine Configurations	103
Displaying the Redundancy States	103
Performing a Fast Software Upgrade	104
Copying Files to the Redundant Supervisor Engine	105
Configuring Interfaces	107
Understanding Interface Configuration	108
Using the Interface Command	108
Configuring a Range of Interfaces	110
Defining and Using Interface-Range Macros	111
Configuring Optional Interface Features	112
Configuring Ethernet Interface Speed and Duplex Mode	113
Speed and Duplex Mode Configuration Guidelines	113
Configuring the Ethernet Interface Speed	113
Setting the Interface Duplex Mode	114
Configuring Link Negotiation on Gigabit Ethernet Ports	114
Displaying the Speed and Duplex Mode Configuration	115
Configuring Jumbo Frame Support	116
Understanding Jumbo Frame Support	116
Jumbo Frame Support Overview	116
Bridged and Routed Traffic Size Check at Ingress 10, 10/100, and 100 Mbps Ethernet and 10-Gigabit Ethernet Ports	117
Bridged and Routed Traffic Size Check at Ingress Gigabit Ethernet Ports	117
Routed Traffic Size Check on the PFC3B	117
Bridged and Routed Traffic Size Check at Egress 10, 10/100, and 100 Mbps Ethernet Ports	117
Bridged and Routed Traffic Size Check at Egress Gigabit Ethernet and 10-Gigabit Ethernet Ports	117
Ethernet Ports	117
Ethernet Port Overview	117
Layer 3 Ethernet Ports	118
Layer 2 Ethernet Ports	118
VLAN Interfaces	118
Configuring MTU Sizes	118
Configuring the MTU Size	118
Configuring the Global Egress LAN Port MTU Size	119
Configuring IEEE 802.3x Flow Control	119
Configuring the Port Debounce Timer	120
Adding a Description for an Interface	121
Understanding Online Insertion and Removal	122
Monitoring and Maintaining Interfaces	122
Monitoring Interface Status	123
Clearing Counters on an Interface	123
Resetting an Interface	124
Shutting Down and Restarting an Interface	124
Checking the Cable Status Using the TDR	125
Configuring LAN Ports for Layer 2 Switching	127
Understanding How Layer 2 Switching Works	127
Understanding Layer 2 Ethernet Switching	127
Layer 2 Ethernet Switching Overview	128
Switching Frames Between Segments	128
Building the Address Table	128
Understanding VLAN Trunks	128
Trunking Overview	129
Encapsulation Types	129
Layer 2 LAN Port Modes	130
Default Layer 2 LAN Interface Configuration	131
Layer 2 LAN Interface Configuration Guidelines and Restrictions	131
Configuring LAN Interfaces for Layer 2 Switching	132
Configuring a LAN Port for Layer 2 Switching	133
Configuring a Layer 2 Switching Port as a Trunk	134
Configuring the Layer 2 Switching Port as an ISL or 802.1Q Trunk	134
Configuring the Layer 2 Trunk to Use DTP	135
Configuring the Layer 2 Trunk Not to Use DTP	135
Configuring the Access VLAN	136
Configuring the 802.1Q Native VLAN	136
Configuring the List of VLANs Allowed on a Trunk	137
Configuring the List of Prune-Eligible VLANs	137
Completing Trunk Configuration	138
Verifying Layer 2 Trunk Configuration	138
Configuration and Verification Examples	139
Configuring a LAN Interface as a Layer 2 Access Port	140
Configuring a Custom IEEE 802.1Q EtherType Field Value	141
Configuring Flex Links	143
Understanding Flex Links	143
Configuring Flex Links	144
Flex Links Default Configuration	144
Flex Links Configuration Guidelines and Restrictions	144
Configuring Flex Links	145
Monitoring Flex Links	145
Configuring EtherChannels	147
Understanding How EtherChannels Work	147
EtherChannel Feature Overview	147
Understanding How EtherChannels Are Configured	148
EtherChannel Configuration Overview	148
Understanding Manual EtherChannel Configuration	149
Understanding PAgP EtherChannel Configuration	149
Understanding IEEE 802.3ad LACP EtherChannel Configuration	149
Understanding Port Channel Interfaces	150
Understanding Load Balancing	150
EtherChannel Feature Configuration Guidelines and Restrictions	151
Configuring EtherChannels	152
Configuring Port Channel Logical Interfaces for Layer 3 EtherChannels	152
Configuring Channel Groups	153
Configuring the LACP System Priority and System ID	156
Configuring EtherChannel Load Balancing	156
Configuring the EtherChannel Min-Links Feature	157
Configuring VTP	159
Understanding How VTP Works	159
Understanding the VTP Domain	160
Understanding VTP Modes	160
Understanding VTP Advertisements	161
Understanding VTP Version 2	161
Understanding VTP Pruning	161
VTP Default Configuration	163
VTP Configuration Guidelines and Restrictions	163
Configuring VTP	164
Configuring VTP Global Parameters	164
Configuring a VTP Password	164
Enabling VTP Pruning	165
Enabling VTP Version 2	165
Configuring the VTP Mode	166
Displaying VTP Statistics	168
Configuring VLANs	169
Understanding How VLANs Work	169
VLAN Overview	169
VLAN Ranges	170
Configurable VLAN Parameters	171
Understanding Token Ring VLANs	171
Token Ring TrBRF VLANs	171
Token Ring TrCRF VLANs	172
VLAN Default Configuration	174
VLAN Configuration Guidelines and Restrictions	176
Configuring VLANs	177
VLAN Configuration Options	177
VLAN Configuration in Global Configuration Mode	177
VLAN Configuration in VLAN Database Mode	178
Creating or Modifying an Ethernet VLAN	178
Assigning a Layer 2 LAN Interface to a VLAN	179
Configuring the Internal VLAN Allocation Policy	180
Configuring VLAN Translation	180
VLAN Translation Guidelines and Restrictions	181
Configuring VLAN Translation on a Trunk Port	182
Enabling VLAN Translation on Other Ports in a Port Group	183
Mapping 802.1Q VLANs to ISL VLANs	183
Saving VLAN Information	184
Configuring Private VLANs	185
Understanding How Private VLANs Work	185
Private VLAN Domains	186
Private VLAN Ports	187
Primary, Isolated, and Community VLANs	187
Private VLAN Port Isolation	188
IP Addressing Scheme with Private VLANs	188
Private VLANs Across Multiple Switches	189
Private VLAN Interaction with Other Features	189
Private VLANs and Unicast, Broadcast, and Multicast Traffic	190
Private VLANs and SVIs	190
Private VLAN Configuration Guidelines and Restrictions	190
Secondary and Primary VLAN Configuration	191
Private VLAN Port Configuration	193
Limitations with Other Features	193
Configuring Private VLANs	195
Configuring a VLAN as a Private VLAN	195
Associating Secondary VLANs with a Primary VLAN	196
Mapping Secondary VLANs to the Layer 3 VLAN Interface of a Primary VLAN	197
Configuring a Layer 2 Interface as a Private VLAN Host Port	198
Configuring a Layer 2 Interface as a Private VLAN Promiscuous Port	199
Monitoring Private VLANs	201
Configuring Cisco IP Phone Support	203
Understanding Cisco IP Phone Support	203
Cisco IP Phone Connections	203
Cisco IP Phone Voice Traffic	204
Cisco IP Phone Data Traffic	205
Cisco IP Phone Power Configurations	205
Locally Powered Cisco IP Phones	205
Inline-Powered Cisco IP Phones	205
Inline Power Management	206
Example: Cisco Prestandard IP Phone	207
Example: IEEE 802.3af IP Phone	207
Default Cisco IP Phone Support Configuration	207
Cisco IP Phone Support Configuration Guidelines and Restrictions	208
Configuring Cisco IP Phone Support	208
Configuring Voice Traffic Support	209
Configuring Data Traffic Support	210
Configuring Inline Power Support	211
Configuring IEEE 802.1Q Tunneling	213
Understanding How 802.1Q Tunneling Works	213
802.1Q Tunneling Configuration Guidelines and Restrictions	215
Configuring 802.1Q Tunneling	218
Configuring 802.1Q Tunnel Ports	218
Configuring the Switch to Tag Native VLAN Traffic	218
Configuring Layer 2 Protocol Tunneling	221
Understanding How Layer 2 Protocol Tunneling Works	221
Configuring Support for Layer 2 Protocol Tunneling	222
Configuring STP and MST	225
Understanding How STP Works	225
STP Overview	226
Understanding the Bridge ID	226
Bridge Priority Value	226
Extended System ID	227
STP MAC Address Allocation	227
Understanding Bridge Protocol Data Units	227
Election of the Root Bridge	228
STP Protocol Timers	228
Creating the Spanning Tree Topology	228
STP Port States	229
STP Port State Overview	229
Blocking State	231
Listening State	231
Learning State	232
Forwarding State	233
Disabled State	234
STP and IEEE 802.1Q Trunks	235
Understanding How IEEE 802.1w RSTP Works	236
Port Roles and the Active Topology	236
Rapid Convergence	237
Synchronization of Port Roles	238
Bridge Protocol Data Unit Format and Processing	239
BPDU Format and Processing Overview	239
Processing Superior BPDU Information	240
Processing Inferior BPDU Information	240
Topology Changes	241
Rapid-PVST	241
Understanding MST	241
MST Overview	242
MST Regions	242
IST, CIST, and CST	243
IST, CIST, and CST Overview	243
Spanning Tree Operation Within an MST Region	244
Spanning Tree Operations Between MST Regions	244
IEEE 802.1s Terminology	245
Hop Count	246
Boundary Ports	246
Standard-Compliant MST Implementation	247
Changes in Port-Role Naming	247
Spanning Tree Interoperation Between Legacy and Standard-Compliant Switches	248
Detecting Unidirectional Link Failure	248
Interoperability with IEEE 802.1D-1998 STP	249
Configuring STP	249
Default STP Configuration	250
Enabling STP	250
Enabling the Extended System ID	252
Configuring the Root Bridge	252
Configuring a Secondary Root Bridge	253
Configuring STP Port Priority	254
Configuring STP Port Cost	256
Configuring the Bridge Priority of a VLAN	257
Configuring the Hello Time	258
Configuring the Forward-Delay Time for a VLAN	259
Configuring the Maximum Aging Time for a VLAN	259
Enabling Rapid-PVST	260
Specifying the Link Type	260
Restarting Protocol Migration	260
Configuring MST	261
Default MST Configuration	261
MST Configuration Guidelines and Restrictions	262
Specifying the MST Region Configuration and Enabling MST	262
Configuring the Root Bridge	264
Configuring a Secondary Root Bridge	265
Configuring Port Priority	266
Configuring Path Cost	267
Configuring the Switch Priority	268
Configuring the Hello Time	269
Configuring the Forwarding-Delay Time	270
Configuring the Transmit Hold Count	270
Configuring the Maximum-Aging Time	271
Configuring the Maximum-Hop Count	271
Specifying the Link Type to Ensure Rapid Transitions	271
Designating the Neighbor Type	272
Restarting the Protocol Migration Process	273
Displaying the MST Configuration and Status	273
Configuring Optional STP Features	275
Understanding How PortFast Works	276
Understanding How BPDU Guard Works	276
Understanding How PortFast BPDU Filtering Works	276
Understanding How UplinkFast Works	277
Understanding How BackboneFast Works	278
Understanding How EtherChannel Guard Works	280
Understanding How Root Guard Works	280
Understanding How Loop Guard Works	280
Enabling PortFast	282
Enabling PortFast BPDU Filtering	284
Enabling BPDU Guard	285
Enabling UplinkFast	286
Enabling BackboneFast	287
Enabling EtherChannel Guard	288
Enabling Root Guard	288
Enabling Loop Guard	289
Configuring Layer 3 Interfaces	291
Layer 3 Interface Configuration Guidelines and Restrictions	291
Configuring Subinterfaces on Layer 3 Interfaces	292
Configuring IPv4 Routing and Addresses	293
Configuring IPX Routing and Network Numbers	296
Configuring AppleTalk Routing, Cable Ranges, and Zones	297
Configuring Other Protocols on Layer 3 Interfaces	298
Configuring UDE and UDLR	299
Understanding UDE and UDLR	299
UDE and UDLR Overview	299
Supported Hardware	300
Understanding UDE	300
UDE Overview	300
Understanding Hardware-Based UDE	300
Understanding Software-Based UDE	301
Understanding UDLR	301
Configuring UDE and UDLR	301
Configuring UDE	301
UDE Configuration Guidelines	302
Configuring Hardware-Based UDE	302
Configuring Software-Based UDE	303
Configuring UDLR	304
UDLR Back-Channel Tunnel Configuration Guidelines	304
Configuring a Receive-Only Tunnel Interface for a UDE Send-Only Port	305
Configuring a Send-Only Tunnel Interface for a UDE Receive-Only Port	305
Router A Configuration	306
Router B Configuration	306
Configuring Multiprotocol Label Switching	307
MPLS Label Switching	307
Understanding MPLS	308
Understanding MPLS Label Switching	308
IP to MPLS	309
MPLS to MPLS	309
MPLS to IP	309
MPLS VPN Forwarding	310
Recirculation	310
Supported Hardware Features	310
Supported Cisco IOS Features	311
MPLS Guidelines and Restrictions	313
MPLS Supported Commands	313
Configuring MPLS	313
MPLS Per-Label Load Balancing	313
Basic MPLS Load Balancing	314
MPLS Layer 2 VPN Load Balancing	314
MPLS Layer 3 VPN Load Balancing	314
MPLS Configuration Examples	314
VPN Switching	315
VPN Switching Operation	316
MPLS VPN Guidelines and Restrictions	317
MPLS VPN Supported Commands	317
Configuring MPLS VPN	317
MPLS VPN Sample Configuration	318
Any Transport over MPLS	319
AToM Load Balancing	320
Understanding EoMPLS	320
EoMPLS Guidelines and Restrictions	320
Configuring EoMPLS	322
Prerequisites	322
Configuring VLAN-Based EoMPLS	322
Verifying the Configuration	323
Configuring Port-Based EoMPLS	325
Verifying the Configuration	327
Configuring IPv4 Multicast VPN Support	329
Understanding How MVPN Works	329
MVPN Overview	329
Multicast Routing and Forwarding and Multicast Domains	330
Multicast Distribution Trees	330
Multicast Tunnel Interfaces	333
PE Router Routing Table Support for MVPN	334
Multicast Distributed Switching Support	334
Hardware-Assisted IPv4 Multicast	334
MVPN Configuration Guidelines and Restrictions	335
Configuring MVPN	336
Forcing Ingress Multicast Replication Mode (Optional)	336
Configuring a Multicast VPN Routing and Forwarding Instance	337
Configuring a VRF Entry	338
Configuring the Route Distinguisher	338
Configuring the Route-Target Extended Community	339
Configuring the Default MDT	339
Configuring Data MDTs (Optional)	340
Enabling Data MDT Logging	340
Sample Configuration	341
Displaying VRF Information	341
Configuring Multicast VRF Routing	343
Enabling IPv4 Multicast Routing Globally	344
Enabling IPv4 Multicast VRF Routing	344
Configuring a PIM VRF Register Message Source Address	344
Specifying the PIM VRF Rendezvous Point (RP) Address	345
Configuring a Multicast Source Discovery Protocol (MSDP) Peer	345
Enabling IPv4 Multicast Header Storage	346
Configuring the Maximum Number of Multicast Routes	346
Configuring IPv4 Multicast Route Filtering	347
Sample Configuration	347
Displaying IPv4 Multicast VRF Routing Information	348
Configuring Interfaces for Multicast Routing to Support MVPN	348
Multicast Routing Configuration Overview	348
Configuring PIM on an Interface	348
Configuring an Interface for IPv4 VRF Forwarding	349
Sample Configuration	350
Sample Configurations for MVPN	350
MVPN Configuration with Default MDTs Only	350
MVPN Configuration with Default and Data MDTs	352
Configuring IP Unicast Layer 3 Switching	357
Understanding How Layer 3 Switching Works	357
Understanding Hardware Layer 3 Switching	358

Match case Limit results 1 per page

35-2

Catalyst Supervisor Engine 32 PISA Cisco IOS Software Configuration Guide, Release 12.2ZY

OL-11439-03

Chapter 35

Configuring Dynamic ARP Inspection

Understanding DAI

Understanding ARP Spoofing Attacks

ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a gratuitous reply from

a host even if an ARP request was not received. After the attack, all traffic from the device under attack

flows through the attacker’s computer and then to the router, switch, or host.

An ARP spoofing attack can target hosts, switches, and routers connected to your Layer 2 network by

poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for

other hosts on the subnet.

Figure 35-1

shows an example of ARP cache poisoning.

Figure 35-1

ARP Cache Poisoning

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same

subnet. Their IP and MAC addresses are shown in parentheses; for example, Host A uses IP address IA

and MAC address MA. When Host A needs to communicate to Host B at the IP layer, it broadcasts an

ARP request for the MAC address associated with IP address IB. When the switch and Host B receive

the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA

and a MAC address MA; for example, IP address IA is bound to MAC address MA. When Host B

responds, the switch and Host A populate their ARP caches with a binding for a host with the IP address

IB and the MAC address MB.

Host C can poison the ARP caches of the switch for Host A, and Host B by broadcasting forged ARP

responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts

with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended

for IA or IB. This means that Host C intercepts that traffic. Because Host C knows the true MAC

addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the

correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to

Host B, which is the topology of the classic

man-in-the middle

attack.

Understanding DAI and ARP Spoofing Attacks

DAI is a security feature that validates ARP packets in a network. DAI intercepts, logs, and discards ARP

packets with invalid IP-to-MAC address bindings. This capability protects the network from some

man-in-the-middle attacks.

DAI ensures that only valid ARP requests and responses are relayed. The switch performs these

activities:

•

Intercepts all ARP requests and responses on untrusted ports

•

Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before

updating the local ARP cache or before forwarding the packet to the appropriate destination

•

Drops invalid ARP packets

Host A

(IA, MA)

Host B

(IB, MB)

Host C (man-in-the-middle)

(IC, MC)

111750