Invalid ARP Replies
Dell#
Bypassing the ARP Inspection
You can configure a port to skip ARP inspection by defining the interface as trusted, which is useful in multi-switch
environments.
ARPs received on trusted ports bypass validation against the binding table. All ports are untrusted by default.
To bypass the ARP inspection, use the following command.
•
Specify an interface as trusted so that ARPs are not validated against the binding table.
INTERFACE mode
arp inspection-trust
Dynamic ARP inspection is supported on Layer 2 and Layer 3.
Source Address Validation
Using the DHCP binding table, Dell Networking OS can perform three types of source address validation (SAV).
Table 26. Three Types of Source Address Validation
Source Address Validation
IP Source Address Validation
DHCP MAC Source Address Validation
IP+MAC Source Address Validation
Enabling IP Source Address Validation
IP source address validation (SAV) prevents IP spoofing by forwarding only IP packets that have been validated against the
DHCP binding table.
A spoofed IP packet is one in which the IP source address is strategically chosen to disguise the attacker. For example, using
ARP spoofing, an attacker can assume a legitimate client's identity and receive traffic addressed to it. Then the attacker can
spoof the client's IP address to interact with other clients.
The DHCP binding table associates addresses the DHCP servers assign with the port or the port channel interface on which the
requesting client is attached and the VLAN the client belongs to. When you enable IP source address validation on a port, the
system verifies that the source IP address is one that is associated with the incoming port and optionally that the client belongs
to the permissible VLAN. If an attacker is impostering as a legitimate client, the source address appears on the wrong ingress
port and the system drops the packet. If the IP address is fake, the address is not on the list of permissible addresses for the port
and the packet is dropped. Similarly, if the IP address does not belong to the permissible VLAN, the packet is dropped.
To enable IP source address validation, use the following command.
NOTE:
If you enable IP source guard using the ip dhcp source-address-validation command and if there are more
entries in the current DHCP snooping binding table than the available CAM space, SAV may not be applied to all entries. To
ensure that SAV is applied correctly to all entries, enable the ip dhcp source-address-validation command before
adding entries to the binding table.
•
Enable IP source address validation.
INTERFACE mode
: 0
Description
Prevents IP spoofing by forwarding only IP packets that have
been validated against the DHCP binding table.
Verifies a DHCP packet's source hardware address matches
the client hardware address field (CHADDR) in the payload.
Verifies that the IP source address and MAC source address
are a legitimate pair.
Dynamic Host Configuration Protocol (DHCP)
320