Address Resolution Protocol (ARP) Filtering - Allied Telesis SwitchBlade x3100 Series Manual

Release 14.2 - issue 2

Introduction

6.11 Address Resolution Protocol (ARP) Filtering

6.11.1 Introduction
ARP is a network protocol that maps a network layer (L3) protocol address to a data link layer hardware
address, and is described in RFC 826.
ARP filtering is the ability to "authenticate" ARP messages so that unauthorized ARP spoofing is not permitted.
ARP spoofing is the act of sending ARP messages with phony IP addresses encoded in them, thus corrupting a
router's ARP tables. When ARP filtering is enabled, the default action is to drop ALL ARP packets.
The feature works by checking the encoded IP address against the IP pass filters that are configured for a given
interface. If the IP address in the ARP packet matches any IP pass filter on that interface, the ARP packet is
allowed; if not, it is dropped.
ARP filtering conditions ARP packets on their L3 sender address matching the source address of an IP source
filter present on that interface. The system allows an ARP packet to pass if there is an IP pass classifier
(i.e., an IPSOURCE match rule plus a FORWARD action) on the port that allows the IP source address found in the
ARP packet's L3 sender address field.
Note: ARP filtering is used to prevent theft of service for ARP messages in regards to IP addresses, and does
not cover RARP packets.
For example:
Consider this classifier configuration with ARP filtering enabled; all ARP packets are dropped as if no classifier
were configured because no matching FORWARD action classifier was configured.

Interface Rank Name            Field Match(es)                Action(s)
--------- ---- --------------- ------------------------------ ----------------
ETH:7.0   51   ipf1            IPSOURCE= 10.10.9.1/32         DROP
                                                              COUNT
-------------------------------------------------------------------------------

Now, consider these classifier configurations with ARP filtering enabled; any ARP packet with address 10.10.9.x
is forwarded, all others are dropped.

Interface Rank Name            Field Match(es)                Action(s)
--------- ---- --------------- ------------------------------ ----------------
ETH:7.0   51   ipf1            IPSOURCE= 10.10.9.1/32         DROP
                                                              COUNT
          59   ipf2            IPSOURCE= 10.10.9.0/24         FORWARD
                                                              COUNT
-------------------------------------------------------------------------------

Software Reference for SwitchBlade x3100 Series Switches (Access and Security)    6-153
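The two classifier tables above can be checked against the stated rule with a small simulation. The following is an added example, not code from the manual or from Allied Telesis: it parses an RFC 826 ARP packet, takes the sender protocol address, and forwards the packet only if an IPSOURCE classifier with a FORWARD action on the interface covers it, dropping it otherwise. It assumes, as the text states, that any matching FORWARD classifier is sufficient to pass the packet (so classifier rank is not consulted), and the ARP packets it feeds in are constructed for the test.

```python
import ipaddress
import struct

# Classifier rows as shown in the manual's tables: (rank, name, ipsource, actions)
FIRST_CONFIG = [(51, "ipf1", "10.10.9.1/32", ("DROP", "COUNT"))]
SECOND_CONFIG = FIRST_CONFIG + [(59, "ipf2", "10.10.9.0/24", ("FORWARD", "COUNT"))]


def parse_arp(payload: bytes) -> dict:
    """Parse an Ethernet/IPv4 ARP packet (RFC 826) into its fields."""
    if len(payload) < 28:
        raise ValueError("ARP payload too short")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "oper": oper,                                 # 1 = request, 2 = reply
        "sha": sha.hex(":"),                          # sender hardware address
        "spa": str(ipaddress.IPv4Address(spa)),       # sender protocol (L3) address
        "tha": tha.hex(":"),
        "tpa": str(ipaddress.IPv4Address(tpa)),
    }


def arp_filter(payload: bytes, classifiers: list) -> tuple:
    """Apply the ARP filtering rule for one interface.

    FORWARD only if some IPSOURCE classifier with a FORWARD action covers the
    sender protocol address; otherwise DROP, the default with filtering enabled.
    Returns (action, name_of_matching_classifier_or_None).
    """
    sender = ipaddress.IPv4Address(parse_arp(payload)["spa"])
    for rank, name, ipsource, actions in sorted(classifiers):
        if "FORWARD" in actions and sender in ipaddress.IPv4Network(ipsource):
            return ("FORWARD", name)
    return ("DROP", None)


def build_arp_request(sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a constructed ARP request payload for testing (not a captured packet)."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = ipaddress.IPv4Address(sender_ip).packed
    tha = b"\x00" * 6                                # unknown target MAC in a request
    tpa = ipaddress.IPv4Address(target_ip).packed
    return header + sha + spa + tha + tpa


if __name__ == "__main__":
    pkt = build_arp_request("00:11:22:33:44:55", "10.10.9.7", "10.10.9.254")
    print(arp_filter(pkt, FIRST_CONFIG))   # ('DROP', None): no FORWARD classifier
    print(arp_filter(pkt, SECOND_CONFIG))  # ('FORWARD', 'ipf2'): 10.10.9.0/24 matches
```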
