Operation Manual – ARP    H3C S3100-52P Ethernet Switch    Chapter 1 ARP Configuration    1-5

ARP spoofing possible.

In Figure 1-3, Host A communicates with Host C through a switch. To intercept the traffic between Host A and Host C, the hacker (Host B) sends forged ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. From then on, the traffic between Host A and Host C passes through Host B, which acts as a "man-in-the-middle" that can intercept and modify the communication. Such an attack is called a man-in-the-middle attack.

Figure 1-3 Network diagram for ARP man-in-the-middle attack

II. ARP attack detection

To guard against man-in-the-middle attacks launched by hackers or attackers, an S3100-52P Ethernet switch supports the ARP attack detection function. All ARP packets (both requests and replies) passing through the switch are redirected to the CPU, which checks the validity of every ARP packet against the DHCP snooping table or the manually configured IP binding table. For a description of the DHCP snooping table and the manually configured IP binding table, refer to the DHCP snooping section in the DHCP part of this manual.

After you enable the ARP attack detection function, the switch checks the following items of each ARP packet: the source MAC address, the source IP address, the number of the port receiving the ARP packet, and the ID of the VLAN the port resides in. If these items match an entry of the DHCP snooping table or the manually configured IP binding table, the switch forwards the ARP packet; if not, the switch discards the ARP packet.

• With trusted ports configured, ARP packets coming from the trusted ports are not checked, while those from other ports are checked against the DHCP snooping table or the manually configured IP binding table.
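The following Python model, added here as an illustration and not code from the H3C manual or the switch firmware, reproduces the check the section describes: every ARP packet from an untrusted port is matched on the tuple (source MAC, source IP, receiving port, VLAN ID) against a binding table, packets from trusted ports bypass the check, and anything without a matching binding is discarded. The host names, MAC/IP addresses, port names and the sample packets are constructed for the example; the binding table stands in for the switch's DHCP snooping table or manually configured IP binding table.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# One entry of the binding table (DHCP snooping entry or static IP binding).
# The switch's check, as the manual describes it, keys on all four fields.
@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int

# The fields of an ARP packet that matter for the check. Both requests and
# replies are inspected, so the opcode is carried only for readability.
@dataclass(frozen=True)
class ArpPacket:
    op: str            # "request" or "reply"
    sender_mac: str    # source MAC address in the ARP payload
    sender_ip: str     # source IP address in the ARP payload
    ingress_port: str  # port on which the switch received the frame
    vlan: int          # VLAN the ingress port resides in


class ArpAttackDetector:
    """Models ARP attack detection on an S3100-52P style switch (illustrative)."""

    def __init__(self, bindings: Iterable[Binding], trusted_ports: Iterable[str]):
        # Normalise MACs so that case differences never cause a false discard.
        self._bindings: Set[Tuple[str, str, str, int]] = {
            (b.mac.lower(), b.ip, b.port, b.vlan) for b in bindings
        }
        self._trusted: Set[str] = set(trusted_ports)

    def check(self, pkt: ArpPacket) -> Tuple[str, str]:
        """Return ("forward" | "discard", reason) for one ARP packet."""
        # Trusted ports (typically uplinks) are exempt from the check.
        if pkt.ingress_port in self._trusted:
            return "forward", "trusted port, not checked"
        key = (pkt.sender_mac.lower(), pkt.sender_ip, pkt.ingress_port, pkt.vlan)
        if key in self._bindings:
            return "forward", "matches binding table"
        return "discard", (
            f"no binding for mac={pkt.sender_mac} ip={pkt.sender_ip} "
            f"port={pkt.ingress_port} vlan={pkt.vlan}"
        )


def run_sample() -> Dict[str, str]:
    """Replay constructed packets for the Figure 1-3 scenario; returns verdicts."""
    # Constructed binding table: Hosts A, B and C as learned via DHCP snooping.
    bindings = [
        Binding("00:aa:00:00:00:01", "10.0.0.1", "GigabitEthernet1/0/1", 10),  # Host A
        Binding("00:bb:00:00:00:02", "10.0.0.2", "GigabitEthernet1/0/2", 10),  # Host B
        Binding("00:cc:00:00:00:03", "10.0.0.3", "GigabitEthernet1/0/3", 10),  # Host C
    ]
    det = ArpAttackDetector(bindings, trusted_ports={"GigabitEthernet1/0/24"})

    packets = {
        # Host C legitimately answers Host A's request.
        "legit_reply_from_c": ArpPacket(
            "reply", "00:CC:00:00:00:03", "10.0.0.3", "GigabitEthernet1/0/3", 10),
        # Host B claims Host C's IP with its own MAC: the man-in-the-middle step.
        "spoofed_reply_from_b": ArpPacket(
            "reply", "00:bb:00:00:00:02", "10.0.0.3", "GigabitEthernet1/0/2", 10),
        # Correct MAC/IP pair for Host C, but arriving on Host B's port.
        "c_binding_on_wrong_port": ArpPacket(
            "request", "00:cc:00:00:00:03", "10.0.0.3", "GigabitEthernet1/0/2", 10),
        # Correct MAC/IP/port for Host A, but tagged with a VLAN it is not bound to.
        "a_binding_on_wrong_vlan": ArpPacket(
            "request", "00:aa:00:00:00:01", "10.0.0.1", "GigabitEthernet1/0/1", 20),
        # Anything from the trusted uplink is forwarded without a table lookup.
        "from_trusted_uplink": ArpPacket(
            "reply", "00:dd:00:00:00:99", "10.0.0.254", "GigabitEthernet1/0/24", 10),
    }
    return {name: det.check(pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:28s} -> {verdict}")
```

The two "wrong port" and "wrong VLAN" cases show why the switch keys on all four fields rather than on the MAC/IP pair alone: a binding that is valid elsewhere in the VLAN still does not entitle a different port to speak for that address. The trusted-port case also shows the trade-off the bullet point implies, namely that whatever arrives on a trusted port is accepted unchecked, so trusted ports should be limited to uplinks whose far side is itself enforcing the check.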