Dynamic ARP Inspection

ARP resolves IP addresses to MAC addresses on a broadcast network segment such as Ethernet and was originally defined in Internet Standard RFC 826. ARP has no inherent security mechanism; resolution relies on simple datagram exchanges, many of which are broadcast.

Because it is an unreliable and non-secure protocol, ARP is vulnerable to attacks. Some attacks target the hosts on the network, whereas others target the switch itself. Their primary intent is to cause denial of service (DoS) for the other entities on the network.

Most of the attacks are carried out in one of the following three forms:
  • Overwhelming the switch control plane with too many ARP packets.

  • Overwhelming the switch control plane with too many unresolved data packets.

  • Masquerading as a trusted gateway/server by wrongly advertising ARPs.

Several defense mechanisms can be put in place on a switch to protect against attacks:
  • Limit the amount of ARP activity allowed from a host or on a port.

  • Ensure that all ARP packets are consistent with one or more binding databases, which can be created through various means.

  • Enforce integrity checks on ARP packets by comparing the MAC and IP addresses carried in the Ethernet header and the ARP header (for example, the Ethernet source MAC against the ARP sender hardware address).

This release implements Dynamic ARP Inspection to enforce the DHCP snooping binding table on all ARP packets; it is supported on the 6300, 6400, and 8400 platforms. On other platforms the feature is excluded from the code, CLI, and schema by the appropriate config flags.

Only the following is supported:
  • Enabling and disabling Dynamic ARP Inspection per VLAN (the VLAN does not need to have an SVI).

  • Defining the member ports of a VLAN as either trusted or untrusted.

  • Only ARP traffic on untrusted ports is subjected to checks.

  • Routed ports (RoPs) are always treated as trusted.

  • Listening to the DHCP snooping bindings table and checking every ARP packet against those bindings.

ARP ACLs are not supported in this release; the DHCP snooping table is the only source of bindings.
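The following is an added example, not the switch's own implementation, that models the three defenses listed earlier (per-port ARP rate limiting, binding-table consistency, Ethernet/ARP header integrity) together with the trust rules from the supported-features list (checks only on untrusted ports in a DAI-enabled VLAN, routed ports always trusted). The binding table, port names, VLAN numbers, addresses and the rate limit of 15 packets per interval are constructed sample values; the frame builder exists only to produce offline test input.

```python
"""Added, simplified model of Dynamic ARP Inspection (example code, not vendor code)."""
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(eth_src: str, sha: str, spa: str, tpa: str, oper: int = ARP_REQUEST) -> bytes:
    """Build an Ethernet II frame carrying an RFC 826 ARP packet (constructed test input only)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes("00:00:00:00:00:00") + ip_bytes(tpa)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Parse the Ethernet II header plus ARP payload; raise ValueError on anything malformed."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    return {"eth_src": mac_str(src), "oper": oper, "sha": mac_str(sha), "spa": ip_str(spa), "tpa": ip_str(tpa)}


class DaiInspector:
    """Per-VLAN ARP inspection against a DHCP snooping binding table (hypothetical model)."""

    def __init__(self, bindings, dai_vlans, trusted_ports, routed_ports, rate_limit=15):
        self.bindings = bindings            # (vlan, ip) -> mac, as learned by DHCP snooping
        self.dai_vlans = set(dai_vlans)     # VLANs on which DAI is enabled
        self.trusted_ports = set(trusted_ports)
        self.routed_ports = set(routed_ports)
        self.rate_limit = rate_limit        # max ARP packets per untrusted port per interval
        self.counts = defaultdict(int)

    def new_interval(self):
        """Reset per-port counters; a real switch does this on a timer."""
        self.counts.clear()

    def inspect(self, port: str, vlan: int, frame: bytes):
        """Return (verdict, reason) for an ARP frame arriving on `port` in `vlan`."""
        if port in self.routed_ports or port in self.trusted_ports:
            return "forward", "trusted port, not inspected"
        if vlan not in self.dai_vlans:
            return "forward", "DAI not enabled on VLAN"
        self.counts[port] += 1
        if self.counts[port] > self.rate_limit:
            return "drop", "ARP rate limit exceeded on port"
        try:
            arp = parse_arp_frame(frame)
        except ValueError as exc:
            return "drop", f"malformed ARP: {exc}"
        if arp["eth_src"] != arp["sha"]:
            return "drop", "Ethernet source MAC does not match ARP sender MAC"
        bound_mac = self.bindings.get((vlan, arp["spa"]))
        if bound_mac is None:
            return "drop", "no DHCP snooping binding for sender IP"
        if bound_mac != arp["sha"]:
            return "drop", "sender MAC does not match DHCP snooping binding"
        return "forward", "sender IP/MAC consistent with binding"


# Constructed sample binding table (documentation address range, not a real network).
BINDINGS = {(10, "192.0.2.10"): "00:11:22:33:44:55", (10, "192.0.2.20"): "00:11:22:33:44:66"}


def demo():
    dai = DaiInspector(BINDINGS, dai_vlans={10}, trusted_ports={"1/1/48"}, routed_ports={"1/1/24"}, rate_limit=3)
    legit = build_arp_frame("00:11:22:33:44:55", "00:11:22:33:44:55", "192.0.2.10", "192.0.2.1")
    # Untrusted host answering for the gateway address 192.0.2.1, which has no binding.
    spoof_gw = build_arp_frame("00:11:22:33:44:66", "00:11:22:33:44:66", "192.0.2.1", "192.0.2.10", ARP_REPLY)
    # Ethernet source MAC and ARP sender MAC disagree.
    mismatch = build_arp_frame("00:11:22:33:44:55", "00:11:22:33:44:66", "192.0.2.20", "192.0.2.1")
    results = {
        "legit_untrusted": dai.inspect("1/1/1", 10, legit)[0],
        "spoof_gateway_untrusted": dai.inspect("1/1/1", 10, spoof_gw)[0],
        "header_mismatch_untrusted": dai.inspect("1/1/1", 10, mismatch)[0],
        "spoof_gateway_trusted": dai.inspect("1/1/48", 10, spoof_gw)[0],
    }
    dai.new_interval()
    verdicts = [dai.inspect("1/1/2", 10, legit)[0] for _ in range(4)]  # limit is 3 per interval
    results["rate_limited"] = verdicts[-1]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order of checks mirrors the page's list: trust state first (trusted and routed ports bypass inspection), then the per-port rate limit, then header integrity, then the binding lookup. A real switch typically err-disables a port that exceeds the rate limit rather than just dropping the excess packet; the model only drops, to keep the logic visible.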