Does dynamic ARP inspection only provide protection against faked gratuitous ARP replies by checking gratuitous replies against the DHCP bindings, or does it also provide protection against all fake ARP traffic by checking all ARP traffic against the DHCP bindings?
H1 ----f1/1 SW------DHCP server
H1's MAC address is mac1, and its DHCP-assigned IP address is 184.108.40.206.
H2's MAC address is mac2, and its DHCP-assigned IP address is 220.127.116.11.
SW has the following DHCP bindings:
mac1 18.104.22.168 f1/1 vlan 1
mac2 22.214.171.124 f1/2 vlan 1
Let's say a hacker connects his desktop to SW at f1/3. H1 needs to communicate with H2, but H1's ARP table has no entry for 126.96.36.199 (aged out).
As a result, H1 has to send an ARP broadcast request for 188.8.131.52. The question is: if the hacker crafts a fake ARP reply with his own MAC address, i.e. mac3 184.108.40.206 (where mac3 is the MAC address of the hacker's desktop), will dynamic ARP inspection check that ARP reply against the DHCP bindings?