Configuring ARP attack defense
Overview
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network
attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized clients
to prevent user spoofing and gateway spoofing attacks.
ARP detection provides the following functions: user validity check and ARP packet validity check.
User validity check
This feature does not check ARP packets received from an ARP trusted port. It checks an ARP packet
received from an ARP untrusted port as follows.
It compares the sender IP and MAC addresses of the ARP packet against the DHCP snooping
1.
entries, 802.1X security entries, and OUI MAC addresses.
If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. If the
2.
sender MAC address of the received ARP packet is an OUI MAC address, the packet is
considered valid.
If no match is found, the ARP packet is considered invalid and is discarded.
3.
ARP packet validity check
This feature does not check ARP packets received from an ARP trusted port. It checks ARP packets
received from ARP untrusted ports based on the following objects:
src-mac—Checks whether the sender MAC address of an ARP packet is identical to the source
•
MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the
packet is discarded.
dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero,
•
all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is
considered invalid and discarded.
ip—Checks both the source and destination IP addresses in an ARP packet. The all-zero, all-one or
•
multicast IP addresses are considered invalid and the corresponding packets are discarded. With
this object specified, the source and destination IP addresses of ARP replies, and the source IP
address of ARP requests are checked.
Configuring ARP detection
NOTE:
To check user validity, at least the DHCP snooping entries or 802.1X security entries must be available.
Otherwise, all ARP packets received from an ARP untrusted port will be discarded, except for the ARP
packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.
226