Manualshelf

Concept Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON
281282283284285286287288289290
To view the number of entries in the table, use the show ip dhcp snooping binding command. This output displays the snooping
binding table created using the ACK packets from the trusted port.
DellEMC#show ip dhcp snooping binding
Codes : S - Static D - Dynamic
IP Address MAC Address Expires(Sec) Type VLAN Interface
================================================================
10.1.1.251 00:00:4d:57:f2:50 172800 D Vl 10 Gi 1/2
10.1.1.252 00:00:4d:57:e6:f6 172800 D Vl 10 Gi 1/1
10.1.1.253 00:00:4d:57:f8:e8 172740 D Vl 10 Gi 1/3
10.1.1.254 00:00:4d:69:e8:f2 172740 D Vl 10 Gi 1/5
Total number of Entries in the table : 4
Dynamic ARP Inspection
Dynamic address resolution protocol (ARP) inspection prevents ARP spoong by forwarding only ARP frames that have been validated
against the DHCP binding table.
ARP is a stateless protocol that provides no authentication mechanism. Network devices accept ARP requests and replies from any device.
ARP replies are accepted even when no request was sent. If a client receives an ARP message for which a relevant entry already exists in
its ARP cache, it overwrites the existing entry with the new information.
The lack of authentication in ARP makes it vulnerable to spoong. ARP spoong is a technique attackers use to inject false IP-to-MAC
mappings into the ARP cache of a network device. It is used to launch man-in-the-middle (MITM), and denial-of-service (DoS) attacks,
among others.
A spoofed ARP message is one in which the MAC address in the sender hardware address eld and the IP address in the sender protocol
eld are strategically chosen by the attacker. For example, in an MITM attack, the attacker sends a client an ARP message containing the
attacker’s MAC address and the gateway’s IP address. The client then thinks that the attacker is the gateway, and sends all internet-bound
packets to it. Likewise, the attacker sends the gateway an ARP message containing the attacker’s MAC address and the client’s IP address.
The gateway then thinks that the attacker is the client and forwards all packets addressed to the client to it. As a result, the attacker is able
to sni all packets to and from the client.
Other attacks using ARP spoong include:
Broadcast
An attacker can broadcast an ARP reply that species FF:FF:FF:FF:FF:FF as the gateway’s MAC address, resulting
in all clients broadcasting all internet-bound packets.
MAC ooding An attacker can send fraudulent ARP messages to the gateway until the ARP cache is exhausted, after which,
trac from the gateway is broadcast.
Denial of service An attacker can send a fraudulent ARP messages to a client to associate a false MAC address with the gateway
address, which would blackhole all internet-bound packets from the client.
NOTE: Dynamic ARP inspection (DAI) uses entries in the L2SysFlow CAM region, a sub-region of SystemFlow. One CAM entry is
required for every DAI-enabled VLAN. You can enable DAI on up to 16 VLANs on a system.
Conguring Dynamic ARP Inspection
To enable dynamic ARP inspection, use the following commands.
1 Enable DHCP snooping.
2 Validate ARP frames against the DHCP snooping binding table.
INTERFACE VLAN mode
Dynamic Host
Conguration Protocol (DHCP) 283