Trusted ports

Similar to DHCP snooping, dynamic Address Resolution Protocol (ARP) protection lets you classify the ports of a VLAN into two categories: trusted and untrusted. ARP packets received on trusted ports are forwarded without validation; ARP packets received on untrusted ports are intercepted and validated before they are forwarded.

By default, all ports on a switch are untrusted. If a port is untrusted:
  • The switch intercepts all ARP requests and responses received on the port.

  • Each intercepted packet is checked to see whether the IP-to-MAC binding of its sender is valid, that is, whether it matches a binding the switch has learned (for example, from a DHCP lease observed by DHCP snooping). If the binding is invalid or unknown, the switch drops the packet.

Configure trusted ports carefully. For example, in the topology in the following figure, Switch B may never see the DHCP exchange in which Host 1 receives its leased IP address, so it has no binding for Host 1. If the port on Switch B that is connected to Switch A is untrusted and Switch B has dynamic ARP protection enabled, Switch B treats ARP packets from Host 1 as invalid and drops them, resulting in a loss of connectivity for Host 1.

Conversely, if Switch A does not support dynamic ARP protection and you configure the port on Switch B connected to Switch A as trusted, Switch B forwards every ARP packet arriving from Switch A without validation and so opens itself to ARP poisoning from any host attached to Switch A.

Figure 1: Trusted Ports for Dynamic ARP Protection
Consider the following configuration guidelines when you use dynamic ARP protection in your network:
  • Configure ports connected to other switches in the network as trusted ports, provided those switches themselves enforce dynamic ARP protection. In this way, all network switches can exchange ARP packets and update their ARP caches with validated information.

  • Place switches that do not support dynamic ARP protection in their own Layer 2 domain, separated from the protected switches by a router. Because ARP packets are not forwarded across Layer 3 boundaries, the unprotected switches cannot unknowingly accept ARP packets from an attacker and pass them to protected switches through trusted ports.
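The following simulation, added here as an illustration and not taken from any vendor's switch software, models the per-port decision described above (trusted ports forward without validation; untrusted ports validate the sender's IP-to-MAC binding against a table learned from DHCP snooping) and replays the two-switch topology from the figure. The switch names, port numbers, IP and MAC addresses, and the class and function names are all constructed for this example.

```python
"""Simulation of dynamic ARP protection trust decisions (added example, not vendor code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str  # port on which the switch received the packet
    sender_mac: str    # ARP sender hardware address
    sender_ip: str     # ARP sender protocol address


@dataclass
class Switch:
    name: str
    arp_protect: bool = True                                # dynamic ARP protection enabled?
    trusted_ports: set = field(default_factory=set)         # ports excluded from validation
    bindings: dict = field(default_factory=dict)            # ip -> mac, as learned by DHCP snooping
    dropped: list = field(default_factory=list)             # packets this switch discarded

    def learn_dhcp_lease(self, ip: str, mac: str) -> None:
        """Record a binding exactly as DHCP snooping would after observing the lease."""
        self.bindings[ip] = mac

    def handle_arp(self, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop' for one ARP request or reply."""
        # Trusted ports, and switches without the feature, forward without any check.
        if not self.arp_protect or pkt.ingress_port in self.trusted_ports:
            return "forward"
        # Untrusted port: the sender's IP-to-MAC pair must match a learned binding.
        if self.bindings.get(pkt.sender_ip) == pkt.sender_mac:
            return "forward"
        self.dropped.append(pkt)
        return "drop"


# Constructed topology from the figure: Host 1 and an attacker hang off Switch A,
# which lacks dynamic ARP protection; Switch B is protected and reaches Switch A
# through its uplink port.
HOST1_IP, HOST1_MAC = "10.0.0.11", "aa:aa:aa:00:00:01"
HOST2_IP, HOST2_MAC = "10.0.0.22", "aa:aa:aa:00:00:02"
ATTACKER_MAC = "ee:ee:ee:00:00:99"
UPLINK_B_TO_A = "24"   # port on Switch B connected to Switch A (hypothetical number)
EDGE_PORT_B = "3"      # an untrusted access port on Switch B (hypothetical number)


def build_topology(uplink_trusted: bool) -> tuple[Switch, Switch]:
    switch_a = Switch("Switch A", arp_protect=False)
    switch_b = Switch("Switch B")
    # Only Switch A sits between Host 1 and the DHCP server, so only it sees the lease.
    switch_a.learn_dhcp_lease(HOST1_IP, HOST1_MAC)
    # Host 2 is attached to Switch B directly, so Switch B does see that lease.
    switch_b.learn_dhcp_lease(HOST2_IP, HOST2_MAC)
    if uplink_trusted:
        switch_b.trusted_ports.add(UPLINK_B_TO_A)
    return switch_a, switch_b


def host1_arp_via_uplink(uplink_trusted: bool) -> str:
    """Legitimate ARP from Host 1 arriving at Switch B over the inter-switch link."""
    _, switch_b = build_topology(uplink_trusted)
    return switch_b.handle_arp(ArpPacket(UPLINK_B_TO_A, HOST1_MAC, HOST1_IP))


def poisoned_arp_via_uplink(uplink_trusted: bool) -> str:
    """Attacker behind unprotected Switch A claims Host 1's IP with its own MAC."""
    _, switch_b = build_topology(uplink_trusted)
    return switch_b.handle_arp(ArpPacket(UPLINK_B_TO_A, ATTACKER_MAC, HOST1_IP))


def edge_port_arp(spoofed: bool) -> str:
    """ARP from Switch B's own access port: genuine Host 2, or a forgery of Host 2's IP."""
    _, switch_b = build_topology(uplink_trusted=False)
    mac = ATTACKER_MAC if spoofed else HOST2_MAC
    return switch_b.handle_arp(ArpPacket(EDGE_PORT_B, mac, HOST2_IP))


if __name__ == "__main__":
    for trusted in (False, True):
        print(f"uplink trusted={trusted}: Host 1 -> {host1_arp_via_uplink(trusted)}, "
              f"poisoned -> {poisoned_arp_via_uplink(trusted)}")
    print(f"edge port: genuine -> {edge_port_arp(False)}, spoofed -> {edge_port_arp(True)}")
```

Run stand-alone, the script reproduces both halves of the trade-off in the text: with the uplink untrusted, Switch B drops Host 1's valid ARP because it never learned the binding (loss of connectivity); with the uplink trusted, Host 1 works again but the forged packet from the attacker behind Switch A is forwarded unchecked. On Switch B's own access port, where the binding was learned, the genuine packet passes and the forgery is dropped, which is the case the second guideline relies on when it confines unprotected switches behind a router.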