Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
362
Views
0
Helpful
1
Replies

ARP inspection w/DHCP snooping is killing my voice stream

callryan
Level 1
Level 1

‎01-18-2007 10:27 AM - edited ‎03-14-2019 07:36 PM

Has anyone successfully deployed security features (ARP inspection plus DHCP snooping) with their IPT deployment? If so, would you mind talking a bit about any hang ups you may have experienced? Thanks in advance.

Labels:
0 Helpful
1 Reply 1

didyap
Level 6
Level 6

‎01-24-2007 07:25 AM

ARP does not have any authentication. It is quite simple for a malicious user to poison ARP tables of other hosts on the same VLAN. In a typical attack, a malicious user can send unsolicited ARP replies (gratuitous ARP packets) to other hosts on the subnet with the attacker's MAC address and the default gateway's IP address. Such ARP poisoning leads to various "man-in-the-middle" attacks, posing a security threat in the network. Dynamic ARP Inspection intercepts all ARP requests and replies on the untrusted ports. Each intercepted packet is verified for valid IP-to-MAC bindings. The Dynamic Host Control Protocol (DHCP) snooping feature is typically used to maintain IP-to-MAC bindings. Dynamic ARP Inspection helps prevent the man-in-the-middle attacks by not relaying invalid ARP replies out to other ports in the same VLAN. It is a solution with no change to the end user or host configurations. Denied ARP packets are logged by the switch for auditing. Incoming ARP packets on the trusted ports or isolated private VLAN (PVLAN) trunks are not inspected.

0 Helpful
Customers Also Viewed These Support Documents