37-3
z
For details about DHCP Snooping and IP static binding, refer to
DHCP Operation
.
z
For details about 802.1x authentication, refer to
802.1x and System Guard Operation
.
ARP restricted forwarding
With the ARP restricted forwarding function enabled, ARP request packets coming from untrusted port
are forwarded through trusted ports only; ARP response packets coming from untrusted port are
forwarded according to the MAC addresses in the packets, or through trusted ports if the MAC address
table contains no such destination MAC addresses.
Introduction to ARP Packet Rate Limit
To prevent the man-in-the-middle attack, a switch enabled with the ARP attack detection function
delivers ARP packets to the CPU to check the validity of the packets. However, this causes a new
problem: If an attacker sends a large number of ARP packets to a port of a switch, the CPU will get
overloaded, causing other functions to fail, and even the whole device to break down. To guard against
such attacks, S4500 series Ethernet switches support the ARP packets rate limit function, which will
shut down the attacked port, thus preventing serious impact on the CPU.
With this function enabled on a port, the switch will count the ARP packets received on the port within
each second. If the number of ARP packets received on the port per second exceeds the preconfigured
value, the switch considers that the port is attacked by ARP packets. In this case, the switch will shut
down the port. As the port does not receive any packet, the switch is protected from the ARP packet
attack.
At the same time, the switch supports automatic recovery of port state. If a port is shut down by the
switch due to high packet rate, the port will revert to the Up state after a configured period of time.
Introduction to ARP Packet Filtering Based on Gateway's Address
According to the ARP design, after receiving an ARP packet with the target IP address being that of the
receiving interface, a device adds the IP-to-MAC mapping of the sender into its ARP mapping table
even if the MAC address is not requested by itself. This can reduce the ARP traffic in the network, but it
also makes ARP spoofing possible.
The most common ARP attack on campus networks is the gateway spoofing attack. An attacker sends
an ARP packet with the gateway’s IP address and a fake MAC address, and then a receiving host
updates the IP-to-MAC binding of the gateway. As a result, the traffic sent from the host to the gateway
will be redirected to the fake MAC address, and the client will be unable to access the external network.