Brocade Communications Systems Brocade ICX 6650 6650 User Manual
Brocade ICX 6650 Security Configuration Guide
279
53-1002601-01
Chapter
12
DHCP
lists the Dynamic Host Configuration Protocol (DHCP) packet inspection and tracking
features supported in Brocade ICX 6650. These features are supported in the Layer 2, base Layer
3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
3, edge Layer 3, and full Layer 3 software images, except where explicitly noted.
Dynamic ARP inspection
For enhanced network security, you can configure the Brocade device to inspect and keep track of
Dynamic Host Configuration Protocol (DHCP) assignments.
Dynamic Host Configuration Protocol (DHCP) assignments.
Dynamic ARP Inspection (DAI) enables the Brocade device to intercept and examine all ARP request
and response packets in a subnet and discard those packets with invalid IP to MAC address
bindings. DAI can prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning,
and disallow mis-configuration of client IP addresses.
and response packets in a subnet and discard those packets with invalid IP to MAC address
bindings. DAI can prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning,
and disallow mis-configuration of client IP addresses.
ARP poisoning
ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a
MAC address. Before a host can talk to another host, it must map the IP address to a MAC address
first. If the host does not have the mapping in its ARP table, it creates an ARP request to resolve the
mapping. All computers on the subnet will receive and process the ARP requests, and the host
whose IP address matches the IP address in the request will send an ARP reply.
MAC address. Before a host can talk to another host, it must map the IP address to a MAC address
first. If the host does not have the mapping in its ARP table, it creates an ARP request to resolve the
mapping. All computers on the subnet will receive and process the ARP requests, and the host
whose IP address matches the IP address in the request will send an ARP reply.
An ARP poisoning attack can target hosts, switches, and routers connected to the Layer 2 network
by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic
intended for other hosts on the subnet. For instance, a malicious host can reply to an ARP request
with its own MAC address, thereby causing other hosts on the same subnet to store this
information in their ARP tables or replace the existing ARP entry. Furthermore, a host can send
gratuitous replies without having received any ARP requests. A malicious host can also send out
ARP packets claiming to have an IP address that actually belongs to another host (e.g. the default
router). After the attack, all traffic from the device under attack flows through the attacker
computer and then to the router, switch, or host.
by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic
intended for other hosts on the subnet. For instance, a malicious host can reply to an ARP request
with its own MAC address, thereby causing other hosts on the same subnet to store this
information in their ARP tables or replace the existing ARP entry. Furthermore, a host can send
gratuitous replies without having received any ARP requests. A malicious host can also send out
ARP packets claiming to have an IP address that actually belongs to another host (e.g. the default
router). After the attack, all traffic from the device under attack flows through the attacker
computer and then to the router, switch, or host.
TABLE 69
Supported DHCP packet inspection and tracking features
Feature
Brocade ICX 6650
Dynamic ARP inspection
Yes
DHCP snooping
Yes
DHCP relay agent information (DHCP
Option 82)
Option 82)
Yes
IP source guard
Yes