BigIron RX Series Configuration Guide
53-1002253-01

Chapter 35

Inspecting and Tracking DHCP Packets

For enhanced network security, you can configure the Brocade device to inspect and keep track of Dynamic Host Configuration Protocol (DHCP) assignments. To do so, use the following features.

TABLE 165 Chapter contents

| Description | See page |
|---|---|
| Dynamic ARP Inspection – Intercepts and examines all ARP request and response packets in a subnet, and blocks all packets that have invalid IP to MAC address bindings | page 1001 |
| DHCP Snooping – Filters replay DHCP packets from untrusted ports (those connected to host ports), and allows DHCP packets from trusted ports (those connected to DHCP servers) | page 1006 |
| IP Source Guard – Permits traffic with valid source IP addresses only, which is learned from Dynamic ARP Inspection or DHCP snooping | page 1010 |

Dynamic ARP inspection

NOTE
This feature is only supported on Layer 3 code.

Dynamic ARP Inspection (DAI) enables the Brocade device to intercept and examine all ARP request and response packets in a subnet and discard those packets with invalid IP to MAC address bindings. DAI can prevent common man-in-the-middle (MiM) attacks such as ARP cache poisoning, and disallow misconfiguration of client IP addresses.

ARP attacks

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. Before a host can talk to another host, it must map the IP address to a MAC address first. If the host does not have the mapping in its ARP table, it sends an ARP request to resolve the mapping. All computers on the subnet will receive and process the ARP requests, and the host whose IP address matches the IP address in the request will send an ARP reply.

An ARP poisoning attack can target hosts, switches, and routers connected to the Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. For instance, a malicious host can reply to an ARP request with its own MAC address, thereby causing other hosts on the same subnet to store this information in their ARP tables or replace the existing ARP entry. Furthermore, a host can send gratuitous replies without having received any ARP requests. A malicious host can also send out ARP packets claiming to have an IP address that actually belongs to another host (e.g. the default router). After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.
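The binding check that DAI is described as performing can be modelled offline. The following is an added example, not code from the guide or from Brocade: it parses the ARP body and compares the sender IP and MAC against a binding table. The table, the addresses, the sample packets and the rule that an IP with no known binding is treated as invalid are all assumptions of this sketch.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"   # Ethernet/IPv4 ARP body, 28 bytes
ARP_LEN = struct.calcsize(ARP_FMT)

# Constructed binding table (IP -> MAC); addresses are documentation values.
BINDINGS = {
    "192.0.2.1": "00:00:5e:00:53:01",    # default router
    "192.0.2.10": "00:00:5e:00:53:0a",   # host A
}

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a sample ARP body; oper 1 = request, 2 = reply."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac_bytes(sha),
                       IPv4Address(spa).packed, mac_bytes(tha),
                       IPv4Address(tpa).packed)

def inspect(arp, bindings):
    """Return (verdict, reason) for one intercepted ARP packet."""
    if len(arp) < ARP_LEN:
        return "drop", "truncated ARP body"
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, arp[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return "drop", "not an Ethernet/IPv4 ARP request or reply"
    ip, claimed = str(IPv4Address(spa)), sha.hex(":")
    known = bindings.get(ip)
    if known is None:          # assumption: unknown sender IP counts as invalid
        return "drop", f"no binding for {ip}"
    if known != claimed:
        return "drop", f"{ip} is bound to {known}, packet claims {claimed}"
    return "forward", "sender IP and MAC match the binding"

# Constructed sample traffic.
SAMPLES = {
    "host A request": build_arp(1, "00:00:5e:00:53:0a", "192.0.2.10",
                                "00:00:00:00:00:00", "192.0.2.1"),
    "gratuitous reply claiming router IP": build_arp(
        2, "00:00:5e:00:53:66", "192.0.2.1", "ff:ff:ff:ff:ff:ff", "192.0.2.1"),
    "reply from unbound IP": build_arp(2, "00:00:5e:00:53:66", "192.0.2.99",
                                       "00:00:5e:00:53:0a", "192.0.2.10"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {inspect(pkt, BINDINGS)}")
```

The check keys on the sender fields of the ARP body, so a gratuitous reply is evaluated the same way as a solicited one.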