Configuring ARP attack protection
ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to
detect and prevent ARP attacks.
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
• Pretends to be a trusted user or gateway and sends ARP packets, so that the receiving devices learn
  incorrect ARP entries (user or gateway spoofing).
• Sends a large number of IP packets for which ARP cannot find corresponding MAC addresses
  (called unresolvable IP packets), keeping the receiving device busy resolving IP addresses until
  its CPU is overloaded.
• Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
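The spoofing and ARP flood behaviours described above, as an added example that is not part of the original chapter or of the switch software: a host-side Python emulation of two of the checks this chapter configures, the ARP packet source MAC consistency check (Ethernet source MAC must equal the ARP sender hardware address) and source MAC-based ARP attack detection (too many ARP frames from one source MAC inside a time window). The frame builder, the MAC and IP values, and the threshold of 30 frames per 5-second window are assumptions made for the illustration; the real thresholds are whatever the configuration tasks later in the chapter set.

```python
"""Host-side emulation of two ARP checks listed in this chapter.

Added example, not code from the original document or the switch vendor:
it parses raw Ethernet II / ARP frames (RFC 826 layout) and applies
  1. a source MAC consistency check, and
  2. source MAC-based rate detection (sliding window per source MAC).
THRESHOLD, WINDOW and the sample frames are constructed for the demo.
"""
import struct
from collections import defaultdict, deque

ETHERTYPE_ARP = 0x0806
THRESHOLD = 30      # assumed: ARP frames allowed per source MAC per window
WINDOW = 5.0        # assumed: window length in seconds

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def build_arp(eth_src, arp_sender_mac, sender_ip, target_ip, op=1,
              eth_dst=b"\xff" * 6, target_mac=b"\x00" * 6):
    """Build an Ethernet II frame carrying an ARP packet (constructed input)."""
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      arp_sender_mac, sender_ip, target_mac, target_ip)
    return eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip, target_ip, op), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return frame[6:12], sha, spa, tpa, op


def source_mac_consistent(frame):
    """Source MAC consistency check: Ethernet source MAC must equal ARP sender MAC.
    Non-ARP or malformed frames fail the check (they would not be accepted as ARP)."""
    parsed = parse_arp(frame)
    if parsed is None:
        return False
    eth_src, sha = parsed[0], parsed[1]
    return eth_src == sha


class SourceMacRateDetector:
    """Source MAC-based ARP attack detection: count ARP frames per source MAC
    in a sliding window; a MAC exceeding THRESHOLD within WINDOW is flagged."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)   # eth_src -> arrival timestamps
        self.flagged = set()

    def observe(self, frame, now):
        """Record one frame at time `now`; return True if the source MAC is over threshold."""
        parsed = parse_arp(frame)
        if parsed is None:
            return False
        src = parsed[0]
        q = self.seen[src]
        q.append(now)
        while q and now - q[0] > self.window:   # drop arrivals outside the window
            q.popleft()
        if len(q) > self.threshold:
            self.flagged.add(src)
            return True
        return False


def run_demo():
    """Feed constructed frames through both checks and return a summary dict."""
    legit = bytes.fromhex("001122334455")       # assumed host MAC
    attacker = bytes.fromhex("66778899aabb")    # assumed attacker MAC
    gw_ip = bytes([192, 168, 1, 1])
    host_ip = bytes([192, 168, 1, 10])

    honest = build_arp(legit, legit, host_ip, gw_ip)
    # Gateway spoof attempt: Ethernet source differs from the claimed ARP sender MAC.
    spoof = build_arp(attacker, legit, gw_ip, host_ip, op=2)

    det = SourceMacRateDetector()
    det.observe(honest, 0.0)                    # one honest request is not flagged
    flood_hits = 0
    for i in range(THRESHOLD + 5):              # 35 ARP frames in 0.35 s from one MAC
        flood = build_arp(attacker, attacker, gw_ip, host_ip, op=2)
        if det.observe(flood, i * 0.01):
            flood_hits += 1
    return {
        "honest_consistent": source_mac_consistent(honest),
        "spoof_consistent": source_mac_consistent(spoof),
        "honest_flagged": legit in det.flagged,
        "flood_detected": attacker in det.flagged,
        "flood_hits": flood_hits,
    }


if __name__ == "__main__":
    print(run_demo())
```

The consistency check catches a frame whose ARP body claims the gateway's identity while the Ethernet header carries another station's MAC; the rate detector catches the second attack type above regardless of the ARP content. Both are coarse on their own (an attacker who forges the Ethernet header consistently passes the first check, and a low-rate spoof passes the second), which is why the chapter pairs them with the other tasks listed below.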
ARP attack protection configuration task list
Tasks at a glance
Flood prevention:
• Configuring unresolvable IP attack protection (configured on gateways)
  ◦ Configuring ARP source suppression
  ◦ Enabling ARP blackhole routing
• Configuring ARP packet rate limit (configured on access devices)
• Configuring source MAC-based ARP attack detection (configured on gateways)
User and gateway spoofing prevention:
• Configuring ARP packet source MAC consistency check (configured on gateways)
• Configuring ARP active acknowledgement (configured on gateways)
• Configuring authorized ARP (configured on gateways)
• Configuring ARP detection (configured on access devices)
• Configuring ARP automatic scanning and fixed ARP (configured on gateways)
• Configuring ARP gateway protection (configured on access devices)
• Configuring ARP filtering (configured on access devices)
IMPORTANT:
The following features are not supported in the current release, and they are reserved for future use:
• ARP packet rate limit.
• ARP detection.
• ARP gateway protection.
• ARP filtering.