ARP

ARP (Address Resolution Protocol) is used to map the network address assigned to a device to its physical address. For example, on an Ethernet network, ARP maps layer 3 IPv4 network addresses to layer 2 MAC addresses. (ARP does not work with IPv6 addresses; IPv6 uses the Neighbor Discovery Protocol instead.)

ARP operates at layer 2. ARP requests are broadcast to all devices on the local network segment and are not forwarded by routers. ARP is enabled by default and cannot be disabled.

Proxy ARP

Proxy ARP allows a routing switch to answer ARP requests from devices on one network on behalf of devices on another network. The ARP proxy is aware of the location of the traffic destination, and offers its own MAC address as the final destination.

For example, if Proxy ARP is enabled on a routing switch connected to two subnets (10.10.10.0/24 and 20.20.20.0/24), the routing switch can respond to an ARP request from 10.10.10.69 for the MAC address of the device with IP address 20.20.20.69.

Typically, the host that sent the ARP request then sends its packets to the switch that has the ARP proxy. This switch then forwards the packets to the intended host through a mechanism such as a tunnel.

Proxy ARP is supported on L3 physical and VLAN interfaces. It is disabled by default. To enable proxy ARP, routing must be enabled on the interface.

Local proxy ARP

Local proxy ARP is a technique by which a device on a given network answers the ARP queries for a host address that is on the same network. It is primarily used to enable layer 3 communication between hosts within a common subnet that are separated by layer 2 boundaries (Example: PVLAN). Local proxy ARP is supported on L3 physical and VLAN interfaces.

Local proxy ARP is disabled by default. Routing must be enabled on the interface to enable local proxy ARP.

Dynamic ARP Inspection

ARP resolves IP addresses to MAC addresses on a broadcast network segment such as Ethernet and was originally defined in Internet Standard RFC 826. ARP has no inherent security mechanism; resolution relies on simple datagram exchanges, many of which are broadcast.

Because it is an unreliable and unauthenticated protocol, ARP is vulnerable to attacks. Some attacks target the network, whereas others target the switch itself. These attacks primarily aim to create a denial of service (DoS) for the other entities present in the network.

Most of the attacks are carried out in one of the following three forms:
  • Overwhelming the switch control plane with too many ARP packets.

  • Overwhelming the switch control plane with too many unresolved data packets.

  • Masquerading as a trusted gateway/server by advertising false ARP bindings.

Several defense mechanisms can be put in place on a switch to protect against attacks:
  • Limit the amount of ARP activity allowed from a host or on a port.

  • Ensure that all ARP packets are consistent with one or more binding databases, which can be created through various means.

  • Enforce integrity checks on ARP packets to detect mismatches between the MAC or IP addresses in the Ethernet or IP header and those in the ARP header.

This release implements Dynamic ARP Inspection, which enforces the DHCP snooping binding on all ARP packets, and is limited to the 8400 platform. On other platforms the feature is disabled in the code, CLI, and schema by the appropriate config flags.

Only the following is supported:
  • Enabling and disabling Dynamic ARP Inspection at the VLAN level (the VLAN does not have to be an SVI).

  • Defining the member ports of a VLAN as either trusted or untrusted.

  • Only ARP traffic on untrusted ports is subjected to checks.

  • Routed ports (RoPs) are always treated as trusted.

  • Listening to the DHCP bindings table and checking every ARP packet against the binding.

ARP ACLs are not supported in this release and the DHCP snooping table will be the only source of binding.
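To make the inspection behaviour above concrete, the following is an added illustration, not the switch's own code: a minimal Dynamic ARP Inspection decision function that parses an Ethernet/ARP frame, bypasses trusted ports, checks that the ARP sender hardware address matches the Ethernet source MAC, and validates the sender IP/MAC/port against a DHCP snooping binding table. The binding table, port names, VLAN IDs and addresses are constructed placeholders.

```python
import struct

# Constructed DHCP snooping binding table: (vlan, ip) -> (mac, port). Hypothetical values.
BINDINGS = {
    (10, "10.10.10.69"): ("00:11:22:33:44:55", "1/1/3"),
}
# Trusted member ports (e.g. the uplink toward the DHCP server); ARP on them is not checked.
TRUSTED_PORTS = {"1/1/1"}

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def build_arp_request(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Ethernet II + ARP request; eth_src and sender_mac are separate so a mismatch can be built."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype, ptype, hlen, plen, op=request
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + bytes(6) + ip_bytes(target_ip)
    return eth + arp

def inspect_arp(frame: bytes, vlan: int, port: str) -> tuple:
    """Decide (permit, reason) for one ARP frame received on (vlan, port)."""
    if port in TRUSTED_PORTS:
        return True, "trusted port"           # trusted and routed ports bypass the checks
    if len(frame) < 42:
        return False, "truncated frame"
    eth_src = frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return True, "not ARP"                # DAI inspects ARP only
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False, "unsupported ARP types"
    sha, spa = frame[22:28], frame[28:32]
    # Integrity check: ARP sender hardware address must match the Ethernet source MAC.
    if sha != eth_src:
        return False, "sender MAC mismatch"
    binding = BINDINGS.get((vlan, ".".join(str(b) for b in spa)))
    if binding is None:
        return False, "no binding"            # sender IP was never leased via DHCP on this VLAN
    if binding != (":".join(f"{b:02x}" for b in sha), port):
        return False, "binding mismatch"      # IP is bound to a different MAC or port
    return True, "binding ok"
```

A real switch applies this per-packet in hardware or the control plane and logs drops; the function returns the reason string so the decision can be checked directly.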