
HP 2530 User Manual

HP 2530
111 pages
If you have already enabled DHCP snooping on a switch, you may also want to add static IP-to-MAC
address bindings to the DHCP snooping database so that ARP packets from devices that have been
assigned static IP addresses are also verified.
Static IP-to-MAC address bindings:
• Support additional checks to verify source MAC address, destination MAC address, and IP
  address.
• Drops ARP packets that contain invalid IP addresses or MAC addresses in their body that do
  not match the addresses in the Ethernet header.
When dynamic ARP protection is enabled, only ARP request and reply packets with valid IP-to-MAC
address bindings in their packet header are relayed and used to update the ARP cache.
Dynamic ARP protection is implemented as follows on a switch:
• You can configure dynamic ARP protection only from the CLI; you cannot configure this feature
  from the WebAgent or menu interfaces.
• Line rate: Dynamic ARP protection copies ARP packets to the switch, evaluates the packets,
  and then re-forwards them through the switch software. During this process, if ARP packets
  are received at too fast a line rate, some ARP packets may be dropped and need to be
  retransmitted.
• The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection
  and report ARP packet-forwarding status and counters.
Enabling dynamic ARP protection
To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect
vlan command at the global configuration level.
Syntax:
[no] arp-protect vlan [vlan-range]
Parameter     Task
vlan-range    Specifies a VLAN ID or a range of VLAN IDs from 1 to 4094.
Example:
HP Switch(config)# arp-protect vlan 1-101
Configuring trusted ports
Like DHCP snooping, dynamic ARP protection lets you configure VLAN interfaces in two categories,
trusted and untrusted ports. ARP packets received on trusted ports are forwarded without validation.
By default, all ports on a switch are untrusted. If a VLAN interface is untrusted:
• The switch intercepts all ARP requests and responses on the port.
• Each intercepted packet is checked to see if its IP-to-MAC binding is valid. If a binding is
  invalid, the switch drops the packet.
Configure trusted ports carefully. For example, in the topology “Trusted ports for dynamic ARP
protection” (page 17), Switch B may not see the leased IP address that Host 1 receives from the
DHCP server. If the port on Switch B connected to Switch A is untrusted and if Switch B has dynamic
ARP protection enabled, it will see ARP packets from Host 1 as invalid, causing a loss of connectivity.
Further, if Switch A does not support dynamic ARP protection and you configure the port on Switch
B connected to Switch A as trusted, Switch B opens itself to possible ARP poisoning from hosts
attached to Switch A.
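The trade-off described above can be traced with a small model of the per-packet decision. This is an added example, not HP code or CLI output: the class and function names, the port name "uplink", and all addresses are constructed, the binding table is simplified to VLAN/IP/MAC, and the header-versus-body MAC check is always applied.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    port: str        # ingress port on the switch
    vlan: int
    eth_src: str     # source MAC in the Ethernet header
    sender_mac: str  # sender MAC in the ARP body
    sender_ip: str   # sender IP in the ARP body

class ArpProtect:
    """Simplified model of dynamic ARP protection (hypothetical names)."""
    def __init__(self, vlans, trusted_ports=()):
        self.vlans = set(vlans)
        self.trusted = set(trusted_ports)
        self.bindings = {}  # (vlan, ip) -> mac: DHCP snooping leases plus static entries

    def add_binding(self, vlan, ip, mac):
        self.bindings[(vlan, ip)] = mac.lower()

    def check(self, pkt):
        """Return (forward, reason) for one ARP packet."""
        if pkt.vlan not in self.vlans:
            return True, "vlan not protected"
        if pkt.port in self.trusted:
            return True, "trusted port"   # forwarded without validation
        if pkt.eth_src.lower() != pkt.sender_mac.lower():
            return False, "ARP body MAC differs from Ethernet header"
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) != pkt.sender_mac.lower():
            return False, "no matching IP-to-MAC binding"
        return True, "valid binding"

def switch_b(uplink_trusted):
    """Switch B with 'arp-protect vlan 1-101'; 'uplink' is its port toward Switch A."""
    sw = ArpProtect(range(1, 102), ["uplink"] if uplink_trusted else [])
    sw.add_binding(1, "192.0.2.20", "00:00:5e:00:53:20")  # static host on port 5
    return sw

# Constructed packets. Host 1's lease was learned on Switch A, so Switch B has no binding.
HOST1 = ArpPacket("uplink", 1, "00:00:5e:00:53:01", "00:00:5e:00:53:01", "192.0.2.10")
# A host behind Switch A claiming the static host's IP address.
SPOOF = ArpPacket("uplink", 1, "00:00:5e:00:53:66", "00:00:5e:00:53:66", "192.0.2.20")
STATIC = ArpPacket("5", 1, "00:00:5e:00:53:20", "00:00:5e:00:53:20", "192.0.2.20")

if __name__ == "__main__":
    for trusted in (False, True):
        for name, pkt in (("host1", HOST1), ("spoof", SPOOF), ("static", STATIC)):
            print(f"uplink trusted={trusted} {name}: {switch_b(trusted).check(pkt)}")
```

With the uplink untrusted, Host 1 loses connectivity but the spoofed claim is dropped; with it trusted, both pass, which is the exposure when Switch A does not validate ARP itself.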
16 Updates for the HP Switch Software Access Security Guide


HP 2530 Specifications

General
Layer: Layer 2
Operating Temperature: 32°F to 113°F (0°C to 45°C)
Model: HP 2530
Power over Ethernet (PoE): PoE+
Management: Web interface, CLI, SNMP
Memory: 128 MB flash
Input Voltage: 100-240 VAC
Jumbo Frame Support: Yes
Operating Humidity: 15% to 95% non-condensing
