Dynamic ARP Protection

Address Resolution Protocol (ARP) allows hosts to communicate over the network by creating an IP to MAC address mapping used in the transmission of packets. Attackers can use ARP to generate bogus mappings, allowing them to spoof other clients’ MAC addresses and intercept traffic destined for those clients. Additionally, an attacker could generate an unlimited number of artificial ARP entries, filling up the caches of other clients on the network and causing a denial of service (DoS).

Dynamic ARP Protection works by intercepting ARP packets and verifying their authenticity before forwarding them. Packets with invalid IP to MAC address bindings advertised in the source protocol address and source physical address fields are discarded, ensuring that only valid ARP requests and replies are forwarded or used to update the local ARP table.

ARP Protection validates IP to MAC bindings against the leases maintained by DHCP snooping, or against static bindings configured for non-DHCP clients. It is configured per VLAN and classifies each port as either trusted or untrusted (the default). ARP packets received on trusted ports are forwarded normally without validating their authenticity, provided no authorized servers are configured.

NOTE:

Enabling ARP protection without first configuring DHCP snooping and/or static bindings will cause all ARP packets to be dropped.

ARP Protection can also be configured to drop:

  • ARP request or response packets in which the source MAC address in the Ethernet header does not match the sender MAC address in the body of the ARP packet.

  • Unicast ARP response packets in which the destination MAC address in the Ethernet header does not match the target MAC address in the body of the ARP packet.

  • ARP packets in which the sender or target IP address is invalid. Invalid IP addresses include 0.0.0.0, 255.255.255.255, all IP multicast addresses, and all Class E IP addresses.
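
The following Python example is an added illustration, not ArubaOS-Switch code: it models the drop decisions described above (trusted-port bypass, the three optional validations, and the sender IP to MAC binding lookup) over constructed ARP frames. The binding table, port numbers, MAC and IP addresses, the order of the checks, and all function names are assumptions made for the example.

```python
import ipaddress
import struct

# Constructed stand-in for DHCP snooping leases and static bindings (IP -> MAC).
BINDINGS = {"10.0.10.5": "00:11:22:33:44:55", "10.0.10.1": "00:aa:bb:cc:dd:01"}
TRUSTED_PORTS = {1, 2, 3, 4}  # assumed trusted uplink ports

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet/ARP frame in memory for the constructed samples."""
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return _mac(eth_dst) + _mac(eth_src) + hdr + _mac(sha) + ip(spa) + _mac(tha) + ip(tpa)

def bad_ip(raw):
    n = int.from_bytes(raw, "big")
    # 0.0.0.0, multicast 224.0.0.0/4, Class E 240.0.0.0/4 (includes 255.255.255.255)
    return n == 0 or n >= 0xE0000000

def inspect(frame, port, bindings=BINDINGS):
    """Return 'forward' or 'drop:<reason>' for a frame already classified as ARP."""
    if port in TRUSTED_PORTS:
        return "forward"                      # trusted ports skip validation
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return "drop:malformed"               # truncated or not EtherType ARP
    eth_dst, eth_src = frame[0:6], frame[6:12]
    oper, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    if eth_src != sha:                        # src-mac validation
        return "drop:src-mac"
    if oper == 2 and not (eth_dst[0] & 1) and eth_dst != tha:
        return "drop:dest-mac"                # dest-mac validation, unicast replies only
    if bad_ip(spa) or bad_ip(tpa):            # ip validation
        return "drop:ip"
    if bindings.get(str(ipaddress.IPv4Address(spa))) != sha.hex(":"):
        return "drop:binding"                 # sender IP/MAC pair not in the table
    return "forward"

# Constructed sample frames (addresses are made up for the example).
HOST, GW, ROGUE = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01", "de:ad:be:ef:00:01"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLES = {
    "legit request": arp_frame(BCAST, HOST, 1, HOST, "10.0.10.5", ZERO, "10.0.10.1"),
    "spoofed gateway": arp_frame(HOST, ROGUE, 2, ROGUE, "10.0.10.1", HOST, "10.0.10.5"),
    "src-mac mismatch": arp_frame(HOST, ROGUE, 2, GW, "10.0.10.1", HOST, "10.0.10.5"),
    "dest-mac mismatch": arp_frame(HOST, GW, 2, GW, "10.0.10.1", ROGUE, "10.0.10.5"),
    "multicast target": arp_frame(BCAST, HOST, 1, HOST, "10.0.10.5", ZERO, "224.0.0.1"),
}
if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:18} port 7 -> {inspect(frame, 7)}")
```

Calling inspect() with an empty binding table drops every ARP packet arriving on an untrusted port, which is the behavior the NOTE above warns about.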

To enable Dynamic ARP Protection globally on the switch, use the following command:

switch(config)# arp-protect

To designate VLANs 10 and 20 to be protected, ports 1-4 as trusted, and enable source MAC address, destination MAC address, and IP address validation for ARP protected VLANs:

switch(config)# arp-protect vlan 10 20
switch(config)# arp-protect trust 1-4
switch(config)# arp-protect validate src-mac dest-mac ip

For more details on port security, DHCP snooping, and Dynamic ARP Protection, refer to the chapter titled “Port Security” in the ArubaOS-Switch Access Security Guide.