202
Configuring ARP attack protection
Overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. The ARP detection feature enables access devices to block ARP packets from unauthorized
clients to prevent user spoofing and gateway spoofing attacks.
ARP detection provides user validity check and ARP packet validity check.
User validity check
This feature does not check ARP packets received from ARP trusted ports, but it checks ARP
packets from ARP untrusted ports.
Upon receiving an ARP packet from an ARP untrusted interface, this feature compares the sender IP
and MAC addresses against the DHCP snooping entries and 802.1X security entries. If a match is
found from those entries, the ARP packet is considered valid and is forwarded. If no match is found,
the ARP packet is considered invalid and is discarded.
ARP packet validity check
This feature does not check ARP packets received from ARP trusted ports. It checks ARP packets
received from ARP untrusted ports based on the following objects:
• src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.
• dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
• ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.
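The following is an added example, not code from the manual or from the NJ5000 software: a small Python model of the user validity check and the src-mac, dst-mac and ip packet validity checks described above, run over constructed Ethernet/ARP frames. The binding table, the order in which the checks are applied and the reason strings are assumptions made for the demonstration.

```python
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
ALL_ZERO_MAC, ALL_ONE_MAC = b"\x00" * 6, b"\xff" * 6

# Constructed table standing in for the switch's DHCP snooping and
# 802.1X security entries: (sender IP, sender MAC). Sample values only.
BINDINGS = {("10.1.1.10", "00:11:22:33:44:55")}

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build a minimal 42-byte Ethernet II + ARP frame (constructed test input)."""
    hdr = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), 0x0806)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac(sha),
                       IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)
    return hdr + body

def bad_ip(packed: bytes) -> bool:
    """All-one or multicast addresses are invalid per the ip check."""
    addr = IPv4Address(packed)
    return addr == IPv4Address("255.255.255.255") or addr.is_multicast

def arp_detect(frame: bytes, trusted_port: bool = False):
    """Return (forward, reason). Frames from trusted ports are not checked.
    Assumed order: src-mac, dst-mac, ip, then the user validity lookup."""
    if trusted_port:
        return True, "trusted port"
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806 or len(frame) < 42:
        return False, "not ARP"
    # htype/ptype/hlen/plen (6 bytes) are skipped; then op, sha, spa, tha, tpa.
    op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    if sha != eth_src:                                   # src-mac check
        return False, "src-mac"
    if op == ARP_REPLY and (tha in (ALL_ZERO_MAC, ALL_ONE_MAC) or tha != eth_dst):
        return False, "dst-mac"                          # dst-mac check (replies only)
    if bad_ip(spa) or (op == ARP_REPLY and bad_ip(tpa)):
        return False, "ip"                               # ip check
    if (str(IPv4Address(spa)), mac_str(sha)) not in BINDINGS:
        return False, "user validity"                    # no snooping/802.1X entry
    return True, "valid"
```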
Configuring ARP detection
To check user validity, at least one of DHCP snooping entries and 802.1X security entries must be available. Otherwise, all ARP packets received from ARP untrusted ports are discarded.
1. From the navigation tree, select Network > ARP Anti-Attack. The default ARP Detection page appears.