Orion Networks
A10E/A28E/A28F Configuration Guide
6 Security
The ARP inspection table, which is used to prevent ARP attacks, consists of DHCP snooping entries and statically configured ARP inspection rules. Each entry carries IP address, MAC address, and VLAN binding information, and the table associates that information with a specific interface. The dynamic ARP inspection binding table supports the following combinations of entry fields:
Interface+IP
Interface+IP+MAC
Interface+IP+VLAN
Interface+IP+MAC+VLAN
Dynamic ARP inspection interfaces are divided into two kinds according to their trust status:
Trusted interface: ARP inspection is disabled on the interface, so no ARP protection is applied there. All ARP packets are allowed to pass.
Untrusted interface: ARP protection is applied on the interface. Only ARP packets that match the binding table rules are allowed to pass; all others are discarded.
Figure 6-2 Principle of dynamic ARP inspection
Figure 6-2 shows the principle of dynamic ARP inspection. When the A10E/A28E receives an ARP packet, it compares the source IP address, source MAC address, interface ID, and VLAN of the ARP packet with the DHCP snooping entries in the ARP inspection table. If they match, the sender is a legitimate user and the ARP packet is permitted to pass. Otherwise, the packet is treated as an ARP attack and discarded.
Dynamic ARP inspection also provides ARP packet rate limiting to prevent unauthorized users from attacking the A10E/A28E by sending a large number of ARP packets. When the number of ARP packets received on an interface per second exceeds the configured threshold, the system regards the interface as under ARP attack and discards all ARP packets received on it.
The system provides auto-recovery, and the recovery time is configurable. An interface on which the number of received ARP packets exceeded the threshold returns to normal Rx/Tx status automatically after the recovery time expires.
Dynamic ARP inspection can also protect a specified VLAN. After a protection VLAN is configured, ARP packets in that VLAN on untrusted interfaces are inspected: only ARP packets that match the binding table rules are permitted to pass, and all other packets are discarded.
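The following Python model ties together the decision logic this section describes: the four binding-entry combinations, trusted-interface bypass, the protection VLAN scope, and per-interface ARP rate limiting with auto-recovery. It is an added illustration written for this page, not code from Orion Networks or the A10E firmware. The class and field names are the example's own, the packet-per-second counting uses a simple one-second window, and two behaviours the text leaves open are assumptions: when no protection VLAN is configured, every VLAN on an untrusted interface is inspected, and the rate-limit check runs before the trust check.

```python
"""Model of dynamic ARP inspection (DAI) as described in this section.
Constructed example; not the A10E's own implementation."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Binding:
    """One ARP inspection entry. A None field is not part of the binding,
    giving Interface+IP, Interface+IP+MAC, Interface+IP+VLAN or all four."""
    interface: str
    ip: str
    mac: Optional[str] = None
    vlan: Optional[int] = None

    def matches(self, interface: str, ip: str, mac: str, vlan: int) -> bool:
        return (self.interface == interface and self.ip == ip
                and (self.mac is None or self.mac == mac)
                and (self.vlan is None or self.vlan == vlan))


@dataclass
class ArpPacket:
    interface: str   # ingress interface ID
    vlan: int
    src_ip: str      # sender protocol address
    src_mac: str     # sender hardware address


@dataclass
class DaiInterface:
    trusted: bool = False
    rate_limit: Optional[int] = None   # max ARP packets/second; None = unlimited
    recovery_time: float = 30.0        # seconds until a blocked interface recovers
    blocked_until: Optional[float] = None
    window_start: float = 0.0
    window_count: int = 0


class DynamicArpInspection:
    def __init__(self, bindings: Iterable[Binding], interfaces: Dict[str, DaiInterface],
                 protected_vlans: Optional[Iterable[int]] = None):
        self.bindings = list(bindings)
        self.interfaces = interfaces
        # Assumption: no protection VLAN configured -> all VLANs are inspected.
        self.protected_vlans = set(protected_vlans) if protected_vlans else None

    def _rate_limited(self, iface: DaiInterface, now: float) -> bool:
        """Count ARP packets per second; above the threshold, discard everything
        on the interface until the recovery time expires (auto-recovery)."""
        if iface.rate_limit is None:
            return False
        if iface.blocked_until is not None:
            if now < iface.blocked_until:
                return True
            iface.blocked_until = None            # recovery time expired
            iface.window_start, iface.window_count = now, 0
        if now - iface.window_start >= 1.0:       # start a new one-second window
            iface.window_start, iface.window_count = now, 0
        iface.window_count += 1
        if iface.window_count > iface.rate_limit:
            iface.blocked_until = now + iface.recovery_time
            return True
        return False

    def inspect(self, pkt: ArpPacket, now: float) -> str:
        iface = self.interfaces[pkt.interface]
        if self._rate_limited(iface, now):        # assumption: checked before trust
            return "discard: rate limit exceeded"
        if iface.trusted:
            return "permit: trusted interface"
        if self.protected_vlans is not None and pkt.vlan not in self.protected_vlans:
            return "permit: VLAN not protected"
        for b in self.bindings:
            if b.matches(pkt.interface, pkt.src_ip, pkt.src_mac, pkt.vlan):
                return "permit: binding match"
        return "discard: no binding match"


def demo() -> List[str]:
    """Constructed scenario: a DHCP-snooped host on ge1, a static Interface+IP
    rule on ge2, a trusted uplink, VLAN 10 protected, ge1 limited to 2 ARP/s."""
    dai = DynamicArpInspection(
        bindings=[Binding("ge1", "10.0.0.5", mac="aa:bb:cc:dd:ee:01", vlan=10),
                  Binding("ge2", "10.0.0.6")],
        interfaces={"ge1": DaiInterface(rate_limit=2, recovery_time=30),
                    "ge2": DaiInterface(),
                    "uplink": DaiInterface(trusted=True)},
        protected_vlans={10})
    good = ArpPacket("ge1", 10, "10.0.0.5", "aa:bb:cc:dd:ee:01")
    spoof = ArpPacket("ge1", 10, "10.0.0.5", "aa:bb:cc:dd:ee:99")
    return [
        dai.inspect(good, 0.0),     # legitimate host, 1st packet in window
        dai.inspect(spoof, 0.1),    # MAC does not match the binding
        dai.inspect(good, 0.2),     # 3rd packet in one second -> interface blocked
        dai.inspect(good, 10.0),    # still inside the recovery time
        dai.inspect(good, 31.0),    # recovered automatically
        dai.inspect(ArpPacket("ge2", 20, "10.9.9.9", "de:ad:be:ef:00:01"), 0.0),
        dai.inspect(ArpPacket("ge2", 10, "10.0.0.6", "de:ad:be:ef:00:02"), 0.0),
        dai.inspect(ArpPacket("uplink", 10, "10.0.0.1", "de:ad:be:ef:00:03"), 0.0),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The `demo()` sequence shows each rule in turn: the spoofed MAC is discarded by the binding check, the third packet within a second trips the rate limit and the interface stays blocked until the 30-second recovery time expires, traffic in VLAN 20 on an untrusted port is not inspected because only VLAN 10 is protected, the Interface+IP rule on ge2 accepts any MAC, and the trusted uplink bypasses inspection entirely.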