ARP Inspection is a security feature that validates the MAC-to-IP address bindings in Address Resolution Protocol packets. It provides protection against ARP traffic with invalid MAC-to-IP address bindings, which forms the basis for certain "man-in-the-middle" attacks. This is accomplished by intercepting all ARP requests and responses and verifying each of these packets before the local ARP cache is updated or the packet is forwarded to the appropriate destination. Invalid ARP packets are dropped.
ARP Inspection determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database - the DHCP snooping binding database. This database is built by DHCP snooping if it is enabled globally on the switch and on the required VLANs. ARP Inspection can also validate ARP packets against user-configured ARP access control lists (ACLs) for hosts with statically configured addresses.
Use the Security > ARP Inspection (Configure General) page to enable ARP inspection globally for the switch, to validate address information in each packet, and configure logging.
Enables ARP Inspection globally. (Default: Disabled)
Enables extended ARP Inspection Validation if any of the following options are enabled. (Default: Disabled)
Validates the destination MAC address in the Ethernet header against the target MAC address in the body of ARP responses.
Checks the ARP body for invalid and unexpected IP addresses. Sender IP addresses are checked in all ARP requests and responses, while target IP addresses are checked only in ARP responses.
Allows sender IP address to be 0.0.0.0.
Validates the source MAC address in the Ethernet header against the sender MAC address in the ARP body. This check is performed on both ARP requests and responses.
The maximum number of entries saved in a log message. (Range: 0-256; Default: 5)
The interval at which log messages are sent. (Range: 0-86400 seconds; Default: 1 second)
Use the Security > ARP Inspection (Configure VLAN) page to enable ARP inspection for any VLAN and to specify the ARP ACL to use.
Identifier for configured VLANs.
Enables Dynamic ARP Inspection for the selected VLAN. (Default: Disabled)
Allows selection of any configured ARP ACLs. (Default: None)
When an ARP ACL is selected, and static mode also selected, the switch only performs ARP Inspection and bypasses validation against the DHCP Snooping Bindings database. When an ARP ACL is selected, but static mode is not selected, the switch first performs ARP Inspection and then validation against the DHCP Snooping Bindings database. (Default: Disabled)
Use the Security > ARP Inspection (Configure Interface) page to specify the ports that require ARP inspection, and to adjust the packet inspection rate.
Port identifier.
Configures the port as trusted or untrusted. (Default: Untrusted)
By default, all untrusted ports are subject to ARP packet rate limiting, and all trusted ports are exempt from ARP packet rate limiting.
Packets arriving on trusted interfaces bypass all ARP Inspection and ARP Inspection Validation checks and will always be forwarded, while those arriving on untrusted interfaces are subject to all configured ARP inspection tests.
Sets the maximum number of ARP packets that can be processed by the CPU per second on untrusted ports. (Range: 0-2048; Default: 15)
This rate limit applies to both trusted and untrusted ports.
Setting the rate limit to "0" means that there is no restriction on the number of ARP packets that can be processed by the CPU.
The switch will drop all ARP packets received on a port which exceeds the configured ARP-packets-per-second rate limit.
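To make the validation checks (destination MAC, IP, source MAC, binding database) and the trusted-port bypass and per-port rate limit described above concrete, here is an added Python model of the inspection path. It is example code written for this page, not firmware or code from the switch vendor. It parses an Ethernet/ARP frame, applies the checks, and keeps counters that mirror the statistics listed for the Show Statistics page. The binding table contents, port names, the exact definition of an "invalid" IP address, the order in which the checks run, and the handling of a permitted 0.0.0.0 sender are assumptions made for the example.

```python
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed DHCP snooping binding table (IP -> MAC). Placeholder values, not from the page.
BINDINGS = {
    "10.0.0.10": "aa:bb:cc:00:00:10",
    "10.0.0.20": "aa:bb:cc:00:00:20",
}

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Assemble an Ethernet II + ARP frame from string fields (used only to construct sample input)."""
    eth = struct.pack("!6s6sH", _mac_bytes(eth_dst), _mac_bytes(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac_bytes(sha), ipaddress.ip_address(spa).packed,
                      _mac_bytes(tha), ipaddress.ip_address(tpa).packed)
    return eth + arp

def parse_arp_frame(frame):
    """Split an Ethernet/ARP frame into its header fields; accepts IPv4-over-Ethernet ARP only."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_dst": _mac(eth_dst), "eth_src": _mac(eth_src), "op": op,
            "sha": _mac(sha), "spa": str(ipaddress.ip_address(spa)),
            "tha": _mac(tha), "tpa": str(ipaddress.ip_address(tpa))}

def _ip_is_invalid(ip, allow_zeros):
    """Assumed meaning of an 'invalid or unexpected' IP: all-zeros (unless allowed), broadcast, or multicast."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address("0.0.0.0"):
        return not allow_zeros
    return addr == ipaddress.ip_address("255.255.255.255") or addr.is_multicast

class ArpInspector:
    """ARP Inspection engine for one VLAN: trust bypass, per-port rate limit, then the validation checks."""
    def __init__(self, bindings, dst_mac=True, ip=True, allow_zeros=False, src_mac=True, rate_limit=15):
        self.bindings = bindings
        self.dst_mac, self.ip, self.allow_zeros, self.src_mac = dst_mac, ip, allow_zeros, src_mac
        self.rate_limit = rate_limit      # ARP packets per second per untrusted port; 0 means unlimited
        self._window = {}                 # port -> (current second, packets seen in that second)
        self.stats = {k: 0 for k in ("received", "rate_dropped", "ip_failed", "dst_mac_failed",
                                     "processed", "src_mac_failed", "binding_failed")}

    def inspect(self, port, trusted, frame, now):
        """Return ('forward' | 'drop', reason) for one frame arriving on `port` at time `now` (seconds)."""
        if trusted:                       # trusted ports skip every check and the rate limit
            return "forward", "trusted"
        sec = int(now)
        last_sec, count = self._window.get(port, (sec, 0))
        count = count + 1 if last_sec == sec else 1
        self._window[port] = (sec, count)
        if self.rate_limit and count > self.rate_limit:
            self.stats["rate_dropped"] += 1
            return "drop", "rate-limit"
        self.stats["received"] += 1
        self.stats["processed"] += 1
        try:
            arp = parse_arp_frame(frame)
        except ValueError as exc:
            return "drop", f"malformed: {exc}"
        # Source MAC check (requests and replies): Ethernet source must equal the ARP sender MAC.
        if self.src_mac and arp["eth_src"] != arp["sha"]:
            self.stats["src_mac_failed"] += 1
            return "drop", "src-mac"
        # Destination MAC check (replies only): Ethernet destination must equal the ARP target MAC.
        if self.dst_mac and arp["op"] == ARP_REPLY and arp["eth_dst"] != arp["tha"]:
            self.stats["dst_mac_failed"] += 1
            return "drop", "dst-mac"
        # IP check: sender IP on every packet, target IP on replies only.
        if self.ip:
            bad = _ip_is_invalid(arp["spa"], self.allow_zeros)
            if arp["op"] == ARP_REPLY:
                bad = bad or _ip_is_invalid(arp["tpa"], False)
            if bad:
                self.stats["ip_failed"] += 1
                return "drop", "ip"
        # Binding check: the sender IP/MAC pair must appear in the DHCP snooping table.
        # Assumption: a permitted all-zeros sender IP (ARP probe) is not looked up.
        if not (self.allow_zeros and arp["spa"] == "0.0.0.0"):
            if self.bindings.get(arp["spa"]) != arp["sha"]:
                self.stats["binding_failed"] += 1
                return "drop", "binding"
        return "forward", "ok"

def run_demo():
    """Run the inspector over constructed frames; returns the verdicts in order plus the counters."""
    insp = ArpInspector(BINDINGS)
    host10, host20 = BINDINGS["10.0.0.10"], BINDINGS["10.0.0.20"]
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    results = []
    # 1. Legitimate request from host 10 looking for host 20.
    good = build_arp_frame(bcast, host10, ARP_REQUEST, host10, "10.0.0.10", zero, "10.0.0.20")
    results.append(insp.inspect("eth1", False, good, 100.0))
    # 2. Reply from host 10's MAC claiming the unbound address 10.0.0.1: fails the binding check.
    spoof = build_arp_frame(host20, host10, ARP_REPLY, host10, "10.0.0.1", host20, "10.0.0.20")
    results.append(insp.inspect("eth1", False, spoof, 100.0))
    # 3. Ethernet source that does not match the ARP sender MAC.
    forged = build_arp_frame(bcast, host10, ARP_REQUEST, host20, "10.0.0.20", zero, "10.0.0.10")
    results.append(insp.inspect("eth1", False, forged, 100.0))
    # 4. The same forged frame on a trusted port is forwarded without inspection.
    results.append(insp.inspect("eth24", True, forged, 100.0))
    # 5. Rate limit (default 15/s): 16 good frames within one second on one port; the last is dropped.
    verdicts = [insp.inspect("eth2", False, good, 200.0 + i / 100)[0] for i in range(16)]
    results.append((verdicts.count("forward"), verdicts.count("drop")))
    return results, insp.stats

if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

The counters map onto the Show Statistics fields: frames dropped by the rate limit are never counted as received or processed, while every frame that reaches a validation check increments both, and each failed check increments exactly one failure counter. Flipping the `trusted` flag on the forged frame in step 4 shows why a trusted port must only face infrastructure the operator controls: the bypass skips the rate limit as well as every validation test.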
Use the Security > ARP Inspection (Show Information - Show Statistics) page to display statistics about the number of ARP packets processed, or dropped for various reasons.
Count of ARP packets received but not exceeding the ARP Inspection rate limit.
Count of ARP packets exceeding (and dropped by) ARP rate limiting.
Count of ARP packets that failed the IP address test.
Count of packets that failed the destination MAC address test.
Count of all ARP packets processed by the ARP Inspection engine.
Count of packets that failed the source MAC address test.
Count of ARP packets that failed validation against ARP ACL rules.
Count of packets that failed validation against the DHCP Snooping Binding database.
Use the Security > ARP Inspection (Show Information - Show Log) page to show information about entries stored in the log, including the associated VLAN, port, and address components.
The VLAN where this packet was seen.
The port where this packet was seen.
The source IP address in the packet.
The destination IP address in the packet.
The source MAC address in the packet.
The destination MAC address in the packet.