Netgear M5300-28G-POE+ (GSM7228PSv1h2) - 12-Port Managed Gigabit Switch Administrator's Guide
Security Management
381
Managed Switches
Dynamic ARP Inspection
Dynamic ARP inspection (DAI) is a security feature that rejects invalid and malicious ARP
packets. The feature prevents a class of man-in-the-middle attacks, where an unfriendly
station intercepts traffic for other stations by poisoning the ARP caches of its unsuspecting
neighbors. The miscreant sends ARP requests or responses mapping another station’s IP
address to its own MAC address.
DAI relies on DHCP snooping. DHCP snooping listens to DHCP message exchanges and
builds a bindings database of valid tuples (MAC address, IP address, VLAN interface).
When DAI is enabled, the switch drops an ARP packet if the sender MAC address and sender
IP address do not match an entry in the DHCP snooping bindings database. This dependency
on DHCP snooping can be overcome through static mappings. Static mappings are useful when
hosts are configured with static IP addresses, DHCP snooping cannot be run, or other
switches in the network do not run dynamic ARP inspection. A static mapping associates an
IP address with a MAC address on a VLAN.
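The DAI decision described above, as an added example in Python that is not part of the Netgear guide or the switch firmware: it decodes the sender MAC/IP from an ARP body and forwards only when that tuple matches a DHCP-snooping binding or a static mapping on the packet's VLAN. The ARP packets are constructed test data using the addresses from Figure 38, and VLAN 10 is an assumed value.

```python
import struct

def parse_arp(payload: bytes):
    """Decode the 28-byte IPv4-over-Ethernet ARP body; return (opcode, sender MAC, sender IP)."""
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack("!HHBBH6s4s6s4s", payload[:28])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an IPv4-over-Ethernet ARP packet")
    return oper, ":".join(f"{b:02x}" for b in sha), ".".join(str(b) for b in spa)

class DaiTable:
    """Bindings learned by DHCP snooping plus static mappings, as (MAC, IP, VLAN) tuples."""
    def __init__(self):
        self._entries = set()
    def add(self, mac, ip, vlan):
        self._entries.add((mac.lower(), ip, vlan))
    def valid(self, mac, ip, vlan):
        return (mac.lower(), ip, vlan) in self._entries

def inspect_arp(table, vlan, payload):
    """DAI decision: forward only if sender MAC/IP match a binding on the packet's VLAN."""
    try:
        _oper, sender_mac, sender_ip = parse_arp(payload)
    except (ValueError, struct.error):
        return "drop"  # truncated or non-IPv4 ARP is rejected as well
    return "forward" if table.valid(sender_mac, sender_ip, vlan) else "drop"

def build_arp(oper, sha, spa, tha, tpa):
    """Constructed sample ARP body for the cases below (test data, not captured traffic)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(o) for o in a.split("."))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def demo(vlan=10):  # VLAN 10 is an assumed value; the figure names no VLAN
    t = DaiTable()
    t.add("00:16:76:A7:88:CC", "192.168.10.86", vlan)  # learned from the DHCP exchange (Figure 38)
    t.add("00:11:85:EE:54:E9", "192.168.10.1", vlan)   # static mapping for the static client
    legit = build_arp(2, "00:16:76:A7:88:CC", "192.168.10.86", "00:11:85:EE:54:E9", "192.168.10.1")
    static = build_arp(1, "00:11:85:EE:54:E9", "192.168.10.1", "00:00:00:00:00:00", "192.168.10.86")
    # Reply mapping another station's IP (192.168.10.1) to the DHCP client's own MAC
    poison = build_arp(2, "00:16:76:A7:88:CC", "192.168.10.1", "00:11:85:EE:54:E9", "192.168.10.86")
    return {"dhcp_client": inspect_arp(t, vlan, legit),
            "static_client": inspect_arp(t, vlan, static),
            "spoofed_sender": inspect_arp(t, vlan, poison),
            "wrong_vlan": inspect_arp(t, vlan + 1, legit)}
```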
Figure 38. Dynamic ARP inspection (diagram): a GSM73xxS switch with interfaces 1/0/1, 1/0/2 and 1/0/3 connecting a static client (IP address 192.168.10.1, HW address 00:11:85:EE:54:E9), a DHCP server (IP address 192.168.10.1) and a DHCP client (IP address 192.168.10.86 obtained, HW address 00:16:76:A7:88:CC).