Rejecting Gratuitous Arp (Garp); Dhcp Snooping - Allied Telesis Layer 3 Switches Network Manual

Create A Secure Network With Allied Telesis Managed Layer 3 Switches (page 15)

Identifying the user

Rejecting Gratuitous ARP (GARP)

Products: All switches listed on page 2
Software Versions: 2.5.1 and later

Hosts can use GARP to announce their presence on a subnet. It is a helpful mechanism, particularly when there is a chance of duplicate addresses. However, attackers can use GARP to penetrate the network by adding themselves to the switch's ARP table.

You can configure Allied Telesis switches and routers to ignore GARP packets. Ignoring GARPs does not completely prevent IP spoofing, but it does shut down one easy avenue for an attacker.

Example
To ignore GARPs on VLAN 1:

    set ip interface=vlan1 gratuitousarp=off

Note:
We do not recommend disabling GARP reception if a server with teamed network cards is attached to the switch. In a teamed-NIC redundancy set-up, another card takes over if a card fails. In many implementations, the NIC that takes over sends a GARP to inform the switch of the port and MAC address change.

DHCP snooping

Products: AT-8600 Series, AT-8700XL Series, Rapier i Series, Rapier Series, AT-8800 Series, AT-8948, x900-48 Series, AT-9900 Series
Software Versions: 2.7.6 and later

The AlliedWare DHCP snooping feature is a series of layer 2 techniques. It works with information from a DHCP server to:
- track the physical location of hosts
- ensure that hosts only use the IP addresses assigned to them
- ensure that only authorised DHCP servers are accessible.
In short, DHCP snooping ensures IP integrity on an L2-switched domain.

With DHCP snooping, only a whitelist of IP addresses may access the network. You configure this whitelist at the switch port level, and the DHCP server manages the access control. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.

DHCP snooping also stops attackers from adding their own DHCP servers to the network. An attacker could set up a server to wreak havoc in the network or even control it.

There are a number of options for DHCP snooping. You can:
- let the switch snoop DHCP packets and decide who is authorised to access the IP network. See "Setting up DHCP snooping" on page 16.
- statically bind IP address and MAC combinations to switch ports. See "Using static binding for rigid control" on page 16.
- use option 82 to track users. See "Using DHCP snooping to track clients" on page 17.
- use ARP security to reject ARP messages unless they come from an IP address in the DHCP snooping database. See "Using ARP security" on page 17.
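As an added illustration of the GARP behaviour described in the "Rejecting Gratuitous ARP (GARP)" section above (this is example code written for this page, not code from the Allied Telesis document, and it models a single ARP cache rather than the switch itself), the following Python parses raw ARP frames, recognises gratuitous ones, and shows what an ARP cache does with a GARP for an address it already knows when GARP reception is on versus off. The flag accept_garp stands in for the gratuitousarp=on/off setting; the frames, MAC and IP addresses, and the names build_arp, ArpTable and run are all constructed for the example.

```python
"""Toy ARP cache showing what accepting or rejecting gratuitous ARP changes.
Constructed example; not AlliedWare code."""
import socket
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


@dataclass
class Arp:
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip, dst_mac=BROADCAST):
    """Build an untagged Ethernet II frame carrying an IPv4 ARP packet (42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Parse an untagged Ethernet II frame; ValueError if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return Arp(opcode,
               mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32]),
               mac_str(frame[32:38]), socket.inet_ntoa(frame[38:42]))


def is_gratuitous(arp):
    """A GARP (request or reply) carries the same IP as sender and target.
    An ARP probe (sender IP 0.0.0.0) is not a GARP."""
    return arp.sender_ip == arp.target_ip and arp.sender_ip != "0.0.0.0"


class ArpTable:
    """ARP cache of one interface. It learns from replies addressed to own_ip and,
    only when accept_garp is True (the gratuitousarp=on case), from GARPs."""

    def __init__(self, own_ip, accept_garp):
        self.own_ip = own_ip
        self.accept_garp = accept_garp
        self.entries = {}   # ip -> mac
        self.log = []

    def _learn(self, ip, mac, why):
        old = self.entries.get(ip)
        if old is not None and old != mac:
            # An existing mapping is being overwritten: worth logging either way,
            # since a NIC failover and an ARP spoof look identical on the wire.
            self.log.append(f"WARN {ip} changed {old} -> {mac} ({why})")
        self.entries[ip] = mac

    def process(self, frame):
        """Return True if the frame updated the table, False if it was ignored."""
        arp = parse_arp(frame)
        if is_gratuitous(arp):
            if not self.accept_garp:
                self.log.append(f"ignored GARP {arp.sender_ip} is-at {arp.sender_mac}")
                return False
            self._learn(arp.sender_ip, arp.sender_mac, "gratuitous ARP")
            return True
        if arp.opcode == 2 and arp.target_ip == self.own_ip:
            self._learn(arp.sender_ip, arp.sender_mac, "reply to our request")
            return True
        return False


# Constructed scenario: the gateway (10.0.0.1) answers our request, then another
# MAC announces the gateway IP with a GARP, as a failed-over NIC or a spoofer would.
GATEWAY_REPLY = build_arp(2, "00:11:22:33:44:55", "10.0.0.1",
                          "aa:bb:cc:dd:ee:ff", "10.0.0.2", dst_mac="aa:bb:cc:dd:ee:ff")
GATEWAY_GARP = build_arp(2, "00:11:22:33:44:66", "10.0.0.1", BROADCAST, "10.0.0.1")


def run(accept_garp):
    table = ArpTable(own_ip="10.0.0.2", accept_garp=accept_garp)
    table.process(GATEWAY_REPLY)
    table.process(GATEWAY_GARP)
    return table


if __name__ == "__main__":
    for flag in (True, False):
        t = run(flag)
        state = "on" if flag else "off"
        print(f"gratuitousarp={state}: 10.0.0.1 -> {t.entries['10.0.0.1']}; log={t.log}")
```

With GARP accepted, the second frame silently replaces the gateway's MAC; with it rejected, the original entry survives and the event is logged. The WARN line on an overwrite is the piece a practitioner would keep even where GARP must stay enabled for teamed-NIC servers: it is the same event in both the benign and the hostile case, so it is the thing to alert on.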

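To make the DHCP snooping options listed above concrete (snooped bindings, static bindings, option 82 tracking, and ARP security), the following Python models a snooping switch with trusted and untrusted ports. It is an example written for this page, not AlliedWare code, and it does not claim to match how the switch implements any of these checks internally. The class and function names (DhcpSnooper, Binding, run_scenario), the port names, the 192.0.2.0/24 addresses, the circuit-id format, and two checks the page does not itself describe (source MAC must equal the DHCP chaddr on untrusted ports, and a RELEASE only tears down a binding when it comes from the bound MAC on the bound port) are all constructed assumptions.

```python
"""Model of a DHCP-snooping switch: trusted ports, learned and static bindings,
option 82 recording, IP source filtering and ARP security. Constructed example."""
from dataclasses import dataclass

SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str
    source: str      # "dhcp" (snooped from an ACK) or "static" (configured)
    circuit_id: str  # option 82 circuit-id echoed back by the server, "" if none


class DhcpSnooper:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # ports facing the authorised DHCP server
        self.bindings = {}                 # (vlan, ip) -> Binding
        self.pending = {}                  # (vlan, client mac) -> port it asked from
        self.events = []

    def add_static_binding(self, ip, mac, vlan, port):
        """Rigid control: tie an address to a MAC and port without DHCP."""
        self.bindings[(vlan, ip)] = Binding(ip, mac, vlan, port, "static", "")

    def on_dhcp(self, pkt):
        """pkt is a dict with the DHCP fields the switch inspects (constructed format).
        Returns True if the packet is forwarded, False if dropped."""
        port, vlan, mtype, chaddr = pkt["port"], pkt["vlan"], pkt["msg_type"], pkt["chaddr"]
        if mtype in SERVER_MSGS:
            if port not in self.trusted:
                self.events.append(f"drop {mtype} on untrusted {port}: rogue DHCP server")
                return False
            if mtype == "ACK":
                client_port = self.pending.pop((vlan, chaddr), None)
                if client_port is None:
                    self.events.append(f"ACK for {chaddr} without a snooped request: no binding")
                else:
                    self.bindings[(vlan, pkt["yiaddr"])] = Binding(
                        pkt["yiaddr"], chaddr, vlan, client_port, "dhcp", pkt.get("circuit_id", ""))
            return True
        # Client message on an untrusted port: the frame's source MAC must match chaddr.
        if port not in self.trusted and pkt["src_mac"] != chaddr:
            self.events.append(f"drop {mtype} on {port}: src MAC {pkt['src_mac']} != chaddr {chaddr}")
            return False
        if mtype in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, chaddr)] = port
        elif mtype == "RELEASE":
            key = (vlan, pkt["ciaddr"])
            b = self.bindings.get(key)
            if b is None or b.source != "dhcp" or (b.mac, b.port) != (chaddr, port):
                self.events.append(f"drop RELEASE of {pkt['ciaddr']} from {port}: not the binding owner")
                return False
            del self.bindings[key]
        return True

    def _bound(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, ip))
        return b is not None and b.mac == mac and b.port == port

    def allow_ip(self, port, vlan, src_mac, src_ip):
        """IP source filtering: untrusted hosts may only send from their bound address."""
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip):
            return True
        self.events.append(f"drop IP {src_ip}/{src_mac} on {port}: no matching binding")
        return False

    def allow_arp(self, port, vlan, sender_mac, sender_ip):
        """ARP security: the ARP sender fields must match a binding as well."""
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return True
        self.events.append(f"drop ARP {sender_ip} is-at {sender_mac} on {port}: no matching binding")
        return False

    def locate(self, ip, vlan):
        """Option 82 tracking: which port and circuit-id an address was issued on."""
        b = self.bindings.get((vlan, ip))
        return None if b is None else (b.port, b.circuit_id)


def run_scenario():
    """Constructed traffic on VLAN 1; port24 faces the real DHCP server."""
    sw = DhcpSnooper(trusted_ports={"port24"})
    pc = "aa:aa:aa:00:00:01"
    sw.on_dhcp({"port": "port3", "vlan": 1, "msg_type": "DISCOVER", "src_mac": pc, "chaddr": pc})
    # An OFFER arriving on an access port is a rogue server and is dropped.
    sw.on_dhcp({"port": "port7", "vlan": 1, "msg_type": "OFFER", "src_mac": "bb:bb:bb:00:00:07",
                "chaddr": pc, "yiaddr": "192.0.2.99"})
    sw.on_dhcp({"port": "port3", "vlan": 1, "msg_type": "REQUEST", "src_mac": pc, "chaddr": pc})
    sw.on_dhcp({"port": "port24", "vlan": 1, "msg_type": "ACK", "src_mac": "cc:cc:cc:00:00:24",
                "chaddr": pc, "yiaddr": "192.0.2.10", "circuit_id": "vlan1:port3"})
    sw.add_static_binding("192.0.2.50", "dd:dd:dd:00:00:50", 1, "port9")  # a printer
    return sw


if __name__ == "__main__":
    sw = run_scenario()
    print(sw.bindings)
    print(sw.allow_ip("port3", 1, "aa:aa:aa:00:00:01", "192.0.2.10"))   # True
    print(sw.allow_ip("port5", 1, "aa:aa:aa:00:00:01", "192.0.2.10"))   # False: wrong port
    print("\n".join(sw.events))
```

The binding table is the single source of truth for all four options: the snooped ACK populates it, the static entry bypasses DHCP, locate() answers the option 82 "where is this host" question, and both allow_ip() and allow_arp() consult it so that an address used from the wrong port, or an ARP claiming someone else's address, is dropped and logged.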