Dynamic ARP protection is designed for defense against ARP spoofing attacks, which take advantage of gratuitous ARP replies to falsify IP-to-MAC bindings in network devices. Here's how it works:
- On ports not configured as "trusted" (by default all ports are "untrusted"), all ARP requests and responses are intercepted.
- The IP-to-MAC bindings in intercepted ARP messages are verified against the DHCP snooping binding database (including user-configured static bindings).
- If a binding is valid, the switch will use it to update its local ARP cache and forward the packet. Otherwise the packet containing that binding will be dropped.
Because of the binding validation against the DHCP snooping database, DHCP snooping has to be enabled for ARP protection to work. If DHCP snooping is not enabled, valid ARP traffic will be dropped.
Here's how to configure dynamic ARP protection:
HP-5406zl(config)# dhcp-snooping
HP-5406zl(config)# arp-protect
HP-5406zl(config)# arp-protect trust B1 (configuring port B1 as trusted)
HP-5406zl(config)# arp-protect vlan 1-2 (configuring ARP protect for VLANs 1 and 2)
HP-5406zl(config)# arp-protect validate dest-mac
The last command is optional. The option "dest-mac" means that the switch will drop any ARP response packet in which the destination MAC address in the Ethernet header does not match the target MAC address in the body of the packet. Other options are "src-mac" (drop any ARP request or response packet in which the source MAC in the Ethernet header does not match the sender MAC address in the body of the packet) and "ip" (drop any ARP request or reply with an invalid IP address - 0.0.0.0, 255.255.255.255, all IP multicast addresses and all class E IP addresses).
To verify and monitor/troubleshoot dynamic ARP protection, the following commands are available:
show arp-protect
show arp-protect statistics 1-2 (statistics for VLANs 1 and 2)
debug arp-protect
For example, the output of "show arp-protect" will look like below:
Lastly, to add static IP-to-MAC bindings to the DHCP snooping binding database, use the command ip source-binding in the global context.
Question: can you enable arp-protect in distribution switches, where all the downlinks are other switches.
ReplyDelete