Programmable Internetworking & Communication Operating System Docs
...

Introduction

The ARP Inspection feature defends against man-in-the-middle attack scenarios by preventing ARP table entries from being maliciously modified by forged ARP messages sent by an attacker.

Trust Port

ARP inspection divides interfaces into ARP trusted and untrusted ports. On trusted ports, the system does not perform ARP inspection on incoming ARP messages and allows them to pass. ARP messages received on untrusted ports are always inspected.

...

ARP Inspection provides two functions: ARP message validity checking and user legitimacy checking.

ARP Packets Validity Checking

For ARP trusted ports, packet validity checking is not performed; for ARP untrusted ports, the system checks the validity of the MAC address and IP address carried in the ARP packet:

  • Check whether the sender MAC address in the ARP message matches the source MAC address in the Ethernet header. If they match, the message is passed; otherwise it is discarded.
  • Check whether the sender MAC address in the ARP message is all 0 or all 1. All-0 and all-1 sender MAC addresses are invalid and the message is discarded.
  • Check whether the sender IP address in the ARP message is all 0, all 1, or a multicast IP address. These IP addresses are invalid and the message is discarded.

User Legitimacy Checking

For ARP trusted ports, user legitimacy checking is not performed; for ARP untrusted ports, user legitimacy checking is performed to prevent attacks from spoofed users.

...

NOTE:

  • If both ARP access lists and dynamic ARP inspection are enabled, the system checks the ARP access lists first; if there is no match, it then checks the DHCP binding table.
  • When ARP inspection is enabled on MLAG peers, we recommend that you don’t enable ARP inspection in the peer-link VLAN, which is dedicated to transmitting MLAG control plane messages.

If ARP inspection is nevertheless enabled in the peer-link VLAN, an ARP access list must be configured with the following commands so that MLAG continues to work normally:

set protocols arp inspection access-list <acl-name> ip <ipv4-addr> mac-address <mac-addr>

set protocols arp inspection vlan <peer-vlan-id> access-list <acl-name>

where the IP address, MAC address and VLAN are the corresponding values of the peer-link port on the MLAG peer device.
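The three validity checks above and the "access list first, then DHCP binding table" order from the note, as an added Python example that is not part of the PICOS documentation or product code. The binding tables and ARP frames are constructed for illustration; keying both tables by (VLAN, IP) is an assumption, since the page only shows the binding table's columns.

```python
import ipaddress

# Constructed sample tables keyed (vlan, sender IP) -> MAC (assumption: layout not shown on the page).
ARP_ACL = {(2, "100.1.1.2"): "aa:bb:cc:dd:ee:02"}        # static ARP access list entry
DHCP_BINDINGS = {(2, "100.1.1.1"): "14:18:77:18:2c:b9"}  # entry learned by DHCP snooping

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def build_arp_frame(eth_src: str, sender_mac: str, sender_ip: str) -> bytes:
    """Constructed Ethernet II + ARP request; only the sender fields matter for inspection."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + b"\x08\x06"   # dst MAC, src MAC, EtherType ARP
    arp = b"\x00\x01\x08\x00\x06\x04\x00\x01"               # HW/proto type, lengths, opcode request
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + b"\x00" * 4                         # target MAC / target IP (unused here)
    return eth + arp

def validity_check(frame: bytes) -> str:
    """Packet validity checks applied to ARP messages on untrusted ports."""
    eth_src, sender_mac, sender_ip = frame[6:12], frame[22:28], frame[28:32]
    if sender_mac != eth_src:
        return "discard: sender MAC differs from Ethernet source MAC"
    if sender_mac in (b"\x00" * 6, b"\xff" * 6):
        return "discard: all-0 or all-1 sender MAC"
    if sender_ip in (b"\x00" * 4, b"\xff" * 4) or ipaddress.IPv4Address(sender_ip).is_multicast:
        return "discard: all-0, all-1 or multicast sender IP"
    return "pass"

def legitimacy_check(vlan: int, frame: bytes) -> str:
    """ARP access list is consulted first; the DHCP binding table only when the ACL has no match."""
    mac = frame[22:28].hex(":")
    ip = str(ipaddress.IPv4Address(frame[28:32]))
    for name, table in (("acl", ARP_ACL), ("dhcp-binding", DHCP_BINDINGS)):
        expected = table.get((vlan, ip))
        if expected is not None:
            return "pass" if expected == mac else f"discard: {name} MAC mismatch for {ip}"
    return f"discard: no binding for {ip} in VLAN {vlan}"

def inspect(vlan: int, trusted: bool, frame: bytes) -> str:
    """Trusted ports skip both checks; on untrusted ports a message must pass both."""
    if trusted:
        return "pass"
    verdict = validity_check(frame)
    return verdict if verdict != "pass" else legitimacy_check(vlan, frame)
```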

Configuring Dynamic ARP Inspection

Dynamic ARP Inspection validates ARP messages against the DHCP binding table, so DHCP snooping must be enabled for this feature to work properly.

Procedure

Step1         Enable ARP inspection in a VLAN.

...

Step4         Commit the configurations.

   commit

Example for Configuring Dynamic ARP Inspection

Networking Requirements

  • On the Pica8 switch, the interfaces ge-1/1/1 and ge-1/1/2 are in VLAN 2.
  • Enable DHCP snooping on VLAN 2.
  • Configure the interface connected to the DHCP server (ge-1/1/2) as the DHCP snooping trust interface.
  • To prevent man-in-the-middle attacks and keep the ARP table entries of legitimate users on the device from being maliciously modified, enable ARP inspection in VLAN 2.

Figure 1 Dynamic ARP Inspection Network

Procedure

Step1         Configure VLAN.

...

   admin@Xorplus# run show arp inspection dhcp-binding
   Vlan  IP Address        Mac Address
   ----  ---------------  -----------------
    2    100.1.1.1         14:18:77:18:2c:b9

Configuring ARP Inspection Access List

ARP inspection also supports statically configured ARP access lists, entered through CLI commands, for non-DHCP environments; in that case DHCP snooping does not need to be enabled.

NOTE:

When configuring ARP access lists for ARP Inspection, the same IP-MAC binding cannot appear in more than one access list.

Procedure

Step1         Enable ARP inspection in a VLAN.

...

Step5         Commit the configurations.

   commit

Example for Configuring Static ARP Inspection

Configuring ARP access lists is an effective defense against man-in-the-middle attacks, preventing the ARP table entries of legitimate users on the device from being maliciously modified.

...