Configuration Guide Vol. 2


12.1.5 Dynamic ARP checking

<Structure of this section>

(1) Overview

Dynamic ARP inspection monitors the ARP packets that pass through the Switch and restricts ARP packets that arrive from untrusted terminals.

The following figure provides an overview of how dynamic ARP inspection works.

Figure 12-8: Overview of dynamic ARP checking

[Figure Data]

(2) Port type

Like DHCP snooping, dynamic ARP inspection categorizes ports as follows when it monitors ARP packets:

The following figure shows the two port categories used when dynamic ARP inspection is enabled and an example of devices connected to such ports.

Figure 12-9: Port types

[Figure Data]

When you use the ip dhcp snooping configuration command to enable DHCP snooping, all the ports become untrusted by default. Set the port to which a DHCP server is connected as a trusted port. You can set ports as trusted by using the ip arp inspection trust configuration command.

Note that dynamic ARP inspection monitors the VLANs that are specified by using the ip arp inspection vlan configuration command.

For normal operations, we recommend that you specify the same ports in both the ip dhcp snooping trust and ip arp inspection trust configuration commands.

(3) Basic Inspection of ARP Packets

When the switch receives an ARP packet on an untrusted port, the switch checks whether the source of the packet is in the binding database. If the packet comes from an unregistered terminal, the switch discards the packet.

The following table describes the basic inspection items.

Table 12-4: Items to be checked for basic checking

           Receiving interface  ARP packet
           -------------------  -------------------------------------------------------
                                Ethernet header     ARP header
                                -----------------   -----------------------------------
ARP type   Port   VLAN ID       Dst MAC   Src MAC   Src MAC   Src IP   Dst MAC   Dst IP
Request    OK     OK            -         -         OK        OK       -         -
Reply      OK     OK            -         -         OK        OK       -         -

(Legend) OK: Inspected  -: Not inspected  Src: source address  Dst: destination address

(4) Optional Checking for ARP Packets

Optionally, the switch can check the integrity of data in the ARP packets received on untrusted ports.

To set optional inspection, use the ip arp inspection validate configuration command.

(a) Source MAC checking (src-mac checking)

When the src-mac option is specified, the switch checks whether the source MAC address in the Layer 2 header matches the source MAC address in the ARP header.

This inspection is performed on both ARP requests and ARP replies.

The following table describes the items that are checked in the source MAC address inspection.

Table 12-5: Targets of source MAC address checking

           Receiving interface  ARP packet
           -------------------  -------------------------------------------------------
                                Ethernet header     ARP header
                                -----------------   -----------------------------------
ARP type   Port   VLAN ID       Dst MAC   Src MAC   Src MAC   Src IP   Dst MAC   Dst IP
Request    -      -             -         OK        OK        -        -         -
Reply      -      -             -         OK        OK        -        -         -

(Legend) OK: Inspected  -: Not inspected  Src: source address  Dst: destination address

(b) Destination MAC checking (dst-mac checking)

When the dst-mac option is specified, the switch checks whether the destination MAC address in the Layer 2 header matches the target MAC address in the ARP header.

This inspection is performed on ARP replies only.

The following table describes the items that are checked in the destination MAC address inspection.

Table 12-6: Targets of destination MAC address checking

           Receiving interface  ARP packet
           -------------------  -------------------------------------------------------
                                Ethernet header     ARP header
                                -----------------   -----------------------------------
ARP type   Port   VLAN ID       Dst MAC   Src MAC   Src MAC   Src IP   Dst MAC   Dst IP
Request    -      -             -         -         -         -        -         -
Reply      -      -             OK        -         -         -        OK        -

(Legend) OK: Inspected  -: Not inspected  Src: source address  Dst: destination address

(c) IP checking (ip checking)

When the ip option is specified, the switch checks whether the target IP address in the ARP header is within either of the following ranges:

  • 1.0.0.0 to 126.255.255.255

  • 128.0.0.0 to 223.255.255.255

This inspection is performed on ARP replies only.

The following table describes the items that are checked in the IP address inspection.

Table 12-7: Targets of IP address checking

           Receiving interface  ARP packet
           -------------------  -------------------------------------------------------
                                Ethernet header     ARP header
                                -----------------   -----------------------------------
ARP type   Port   VLAN ID       Dst MAC   Src MAC   Src MAC   Src IP   Dst MAC   Dst IP
Request    -      -             -         -         -         -        -         -
Reply      -      -             -         -         -         -        -         OK

(Legend) OK: Inspected  -: Not inspected  Src: source address  Dst: destination address
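The basic check of (3) and the three validate options of (4), as an added example in Python that is not from this manual: it models the permit/drop decision for one ARP frame received on an untrusted port against a binding database. The frame layout, binding entries, port names and sample frames are all constructed here; the checked fields, the ip option ranges, and the reply-only rule for dst-mac and ip follow Tables 12-4 to 12-7.

```python
from collections import namedtuple
from ipaddress import IPv4Address

# One received ARP frame; fields follow the table columns (receiving interface, Ethernet header, ARP header).
ArpFrame = namedtuple("ArpFrame", "port vlan eth_dst eth_src op "
                                  "sender_mac sender_ip target_mac target_ip")

# Constructed binding database entries (port, VLAN, MAC, IP) and the trusted-port set.
BINDINGS = {("1/1", 10, "00:11:22:33:44:55", "192.0.2.10"),
            ("1/2", 10, "00:11:22:33:44:66", "192.0.2.11")}
TRUSTED_PORTS = {"1/24"}        # ports configured with "ip arp inspection trust" (constructed)
def ip_in_checked_ranges(ip):
    """ip option: target IP must be in 1.0.0.0-126.255.255.255 or 128.0.0.0-223.255.255.255."""
    first = int(IPv4Address(ip)) >> 24
    return 1 <= first <= 126 or 128 <= first <= 223

def inspect(f, validate=frozenset()):
    """Return 'permit' or 'drop: <check>'; validate holds the ip arp inspection validate options."""
    if f.port in TRUSTED_PORTS:             # trusted ports are not inspected
        return "permit"
    # Basic check (Table 12-4): port, VLAN, ARP sender MAC and sender IP must match a binding.
    if (f.port, f.vlan, f.sender_mac.lower(), f.sender_ip) not in BINDINGS:
        return "drop: binding"
    # src-mac (Table 12-5): Ethernet source MAC must equal ARP sender MAC; requests and replies.
    if "src-mac" in validate and f.eth_src.lower() != f.sender_mac.lower():
        return "drop: src-mac"
    if f.op == "reply":
        # dst-mac (Table 12-6): Ethernet destination MAC must equal ARP target MAC; replies only.
        if "dst-mac" in validate and f.eth_dst.lower() != f.target_mac.lower():
            return "drop: dst-mac"
        # ip (Table 12-7): ARP target IP must lie in the checked ranges; replies only.
        if "ip" in validate and not ip_in_checked_ranges(f.target_ip):
            return "drop: ip"
    return "permit"

ALL = frozenset({"src-mac", "dst-mac", "ip"})
GOOD = ArpFrame("1/1", 10, "00:11:22:33:44:66", "00:11:22:33:44:55", "reply",
                "00:11:22:33:44:55", "192.0.2.10", "00:11:22:33:44:66", "192.0.2.11")

def run_samples():
    """Constructed frames exercising each check; returns {description: verdict}."""
    return {"good reply": inspect(GOOD, ALL),
            "sender ip not bound to port": inspect(GOOD._replace(sender_ip="192.0.2.11"), ALL),
            "l2/arp source mac differ": inspect(GOOD._replace(eth_src="aa:bb:cc:dd:ee:ff"), ALL),
            "same, src-mac option off": inspect(GOOD._replace(eth_src="aa:bb:cc:dd:ee:ff")),
            "reply to different l2 dst": inspect(GOOD._replace(eth_dst="ff:ff:ff:ff:ff:ff"), ALL),
            "reply with loopback target": inspect(GOOD._replace(target_ip="127.0.0.1"), ALL),
            "broadcast request": inspect(GOOD._replace(op="request", eth_dst="ff:ff:ff:ff:ff:ff",
                                                       target_mac="00:00:00:00:00:00"), ALL),
            "frame on trusted port": inspect(GOOD._replace(port="1/24"), ALL)}
```

Note that the same Layer 2 / ARP header mismatch is permitted when no validate option is configured, which is why the optional checks are worth enabling alongside the binding check.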