
dynamic arp inspection and arp traffics

Hi everybody

Does Dynamic ARP Inspection only provide protection against faked gratuitous ARP replies by checking gratuitous replies against the DHCP binding, or does it also provide protection against all fake ARP traffic by checking all ARP traffic against the DHCP binding?

Example.

H1 ----f1/1SW------Dhcp server

H2 ----f1/2

H1's MAC address is mac1, and DHCP assigned it IP address 199.199.199.1

H2's MAC address is mac2, and DHCP assigned it IP address 199.199.199.2

The switch has the following DHCP bindings:

mac1  199.199.199.1  f1/1  vlan 1

mac2  199.199.199.2  f1/2  vlan 1

Let's say a hacker connects his desktop to the switch at f1/3. H1 needs to communicate with H2, but H1's ARP table has no entry for 199.199.199.2 (aged out).

As a result, H1 has to send an ARP broadcast request for 199.199.199.2. The question is: if the hacker crafts a fake ARP reply with his own MAC address, i.e.

mac3  199.199.199.2  (where mac3 is the MAC address of the hacker's desktop), will Dynamic ARP Inspection check that ARP reply against the DHCP bindings?

Thanks .

Re: dynamic arp inspection and arp traffics

What you describe is exactly what DAI will protect you from.

Sent from Cisco Technical Support iPad App

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
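
A simplified model of the check asked about above, added here as an example and not part of the original thread or of Cisco's implementation: on an untrusted port, DAI looks up the sender MAC/IP of every ARP packet, request or reply, in the DHCP snooping bindings. `mac1` to `mac3` are the thread's placeholders; the trusted port name `f1/0` and the requirement that the binding's port and VLAN also match are assumptions of this model.

```python
from dataclasses import dataclass

# DHCP snooping bindings from the question: (MAC, IP) -> (port, VLAN).
# mac1/mac2/mac3 are the thread's placeholder names, not real addresses.
BINDINGS = {
    ("mac1", "199.199.199.1"): ("f1/1", 1),
    ("mac2", "199.199.199.2"): ("f1/2", 1),
}
TRUSTED_PORTS = {"f1/0"}  # assumed name for the uplink to the DHCP server


@dataclass(frozen=True)
class Arp:
    op: str          # "request" or "reply"
    sender_mac: str  # sender hardware address in the ARP payload
    sender_ip: str   # sender protocol address in the ARP payload
    target_ip: str


def dai_verdict(pkt: Arp, in_port: str, vlan: int) -> str:
    """Simplified DAI decision for one ARP packet arriving on in_port."""
    if in_port in TRUSTED_PORTS:
        return "forward"  # trusted ports are not inspected
    # pkt.op is deliberately never consulted: requests, solicited replies
    # and gratuitous ARP all get the same sender MAC/IP lookup.
    # Model assumption: the binding's port and VLAN must match too.
    if BINDINGS.get((pkt.sender_mac, pkt.sender_ip)) == (in_port, vlan):
        return "forward"
    return "drop"


def run_scenario() -> dict:
    """Constructed packets for the H1/H2/f1/3 scenario in the question."""
    h2 = "199.199.199.2"
    cases = {
        "h1_request": (Arp("request", "mac1", "199.199.199.1", h2), "f1/1"),
        "h2_reply": (Arp("reply", "mac2", h2, "199.199.199.1"), "f1/2"),
        "forged_reply": (Arp("reply", "mac3", h2, "199.199.199.1"), "f1/3"),
        "forged_gratuitous": (Arp("reply", "mac3", h2, h2), "f1/3"),
        "forged_request": (Arp("request", "mac3", h2, "199.199.199.1"), "f1/3"),
        "spoofed_mac2": (Arp("reply", "mac2", h2, "199.199.199.1"), "f1/3"),
    }
    return {name: dai_verdict(p, port, 1) for name, (p, port) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18} {verdict}")
```

The model covers only DHCP-learned bindings; hosts with static addresses would have no entry here and would be dropped on an untrusted port.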