Allied Telesis Layer 3 Switches manual Rejecting Gratuitous ARP Garp, Dhcp snooping

Models: Layer 3 Switches

Identifying the user

Rejecting Gratuitous ARP (GARP)

Products
All switches listed on page 2

Software Versions
2.5.1 and later

Hosts can use GARP to announce their presence on a subnet. It is a helpful mechanism, particularly when there is a chance of duplicate addresses. However, attackers can use GARP to penetrate the network by adding themselves to the switch's ARP table.

You can configure Allied Telesis switches and routers to ignore GARP packets. Ignoring GARPs does not completely prevent IP spoofing, but it does shut down one easy avenue for an attacker.

Example: To ignore GARPs on VLAN 1:

set ip interface=vlan1 gratuitousarp=off

Note: We do not recommend disabling GARP reception if a server with teamed network cards is attached to the switch. In a teamed-NIC redundancy set-up, another card takes over if a card fails. In many implementations, the NIC that takes over sends a GARP to inform the switch of the port and MAC address change.

DHCP snooping

Products
AT-8600 Series
AT-8700XL Series
Rapier i Series
Rapier Series
AT-8800 Series
AT-8948
x900-48 Series
AT-9900 Series

Software Versions
2.7.6 and later

The AlliedWare DHCP snooping feature is a series of layer 2 techniques. It works with information from a DHCP server to:

• track the physical location of hosts
• ensure that hosts only use the IP addresses assigned to them
• ensure that only authorised DHCP servers are accessible.

In short, DHCP snooping ensures IP integrity on an L2-switched domain.

With DHCP snooping, only a whitelist of IP addresses may access the network. You configure this whitelist at the switch port level, and the DHCP server manages the access control. Only specific IP addresses with specific MAC addresses on specific ports may access the IP network.

DHCP snooping also stops attackers from adding their own DHCP servers to the network. An attacker could set up a server to wreak havoc in the network or even control it.

There are a number of options for DHCP snooping. You can:

• let the switch snoop DHCP packets and decide who is authorised to access the IP network. See "Setting up DHCP snooping" on page 16.
• statically bind IP address and MAC combinations to switch ports. See "Using static binding for rigid control" on page 16.
• use option 82 to track users. See "Using DHCP snooping to track clients" on page 17.
• use ARP security to reject ARP messages unless they come from an IP address in the DHCP snooping database. See "Using ARP security" on page 17.
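The following is an added, illustrative model of what the switch does in the GARP and DHCP snooping sections above; it is not AlliedWare code and does not use the switch's command syntax. It keeps a binding table of (IP, MAC, port) entries that is filled only from DHCP ACKs arriving on trusted ports (or from static entries), drops DHCP server replies that arrive on untrusted ports, admits IP traffic only when source IP, MAC and port all match a binding, and applies the same ARP security check to gratuitous ARPs, so an unbound host cannot add itself to the ARP table. The port names, frame dictionaries, class and function names are assumptions made for the example, and the frames in run_scenario() are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry: this IP may only be used by this MAC on this port."""
    ip: str
    mac: str
    port: str


class SnoopingSwitch:
    """Hypothetical model of the binding table and the checks that consult it."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)  # ports where a DHCP server is allowed to answer
        self.bindings = {}                       # ip -> Binding, learned from DHCP ACKs or set statically
        self.pending = {}                        # client MAC -> port that its last DHCP request arrived on
        self.events = []                         # audit trail of dropped frames

    def add_static_binding(self, ip, mac, port):
        """'Using static binding for rigid control': an operator-defined entry."""
        self.bindings[ip] = Binding(ip, mac, port)

    def handle_dhcp(self, frame):
        """Return True if the DHCP message is forwarded, False if it is dropped."""
        if frame["op"] == "request":             # DISCOVER/REQUEST sent by a client
            self.pending[frame["chaddr"]] = frame["port"]
            return True
        # OFFER/ACK: only a server behind a trusted port may answer, which is
        # what stops an attacker's own DHCP server from handing out leases.
        if frame["port"] not in self.trusted_ports:
            self.events.append(f"DHCP {frame['msg']} from untrusted {frame['port']} dropped")
            return False
        if frame["msg"] == "ACK":
            client_port = self.pending.get(frame["chaddr"])
            if client_port is not None:          # the lease becomes a binding on the client's port
                self.bindings[frame["yiaddr"]] = Binding(frame["yiaddr"], frame["chaddr"], client_port)
        return True

    def _bound(self, ip, mac, port):
        entry = self.bindings.get(ip)
        return entry is not None and entry.mac == mac and entry.port == port

    def handle_ip(self, frame):
        """Hosts on untrusted ports may only source IP packets from their bound address."""
        if frame["port"] in self.trusted_ports:
            return True
        ok = self._bound(frame["src_ip"], frame["src_mac"], frame["port"])
        if not ok:
            self.events.append(f"IP {frame['src_ip']}/{frame['src_mac']} on {frame['port']} has no binding; dropped")
        return ok

    def handle_arp(self, frame):
        """ARP security: sender IP/MAC/port must match the binding database.
        A gratuitous ARP (sender IP == target IP) gets no special treatment, so an
        unbound host cannot announce itself into the ARP table."""
        if frame["port"] in self.trusted_ports:
            return True
        ok = self._bound(frame["sender_ip"], frame["sender_mac"], frame["port"])
        if not ok:
            kind = "gratuitous ARP" if frame["sender_ip"] == frame["target_ip"] else "ARP"
            self.events.append(f"{kind} for {frame['sender_ip']} from {frame['port']} rejected")
        return ok


def run_scenario():
    """Constructed frames: a real DHCP server on port1, a client on port5, and a
    host on port7 that answers DHCP itself, reuses the client's address and sends
    a gratuitous ARP for the gateway address."""
    sw = SnoopingSwitch(trusted_ports={"port1"})
    client_mac, other_mac = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
    sw.handle_dhcp({"op": "request", "msg": "DISCOVER", "chaddr": client_mac, "port": "port5"})
    legit_ack = sw.handle_dhcp({"op": "reply", "msg": "ACK", "chaddr": client_mac,
                                "yiaddr": "10.0.0.20", "port": "port1"})
    rogue_ack = sw.handle_dhcp({"op": "reply", "msg": "ACK", "chaddr": client_mac,
                                "yiaddr": "10.0.0.99", "port": "port7"})
    sw.add_static_binding("10.0.0.30", "cc:cc:cc:cc:cc:03", "port6")
    return {
        "legit_ack_forwarded": legit_ack,
        "rogue_ack_forwarded": rogue_ack,
        "client_ip_ok": sw.handle_ip({"src_ip": "10.0.0.20", "src_mac": client_mac, "port": "port5"}),
        "spoof_from_port7": sw.handle_ip({"src_ip": "10.0.0.20", "src_mac": client_mac, "port": "port7"}),
        "static_ip_ok": sw.handle_ip({"src_ip": "10.0.0.30", "src_mac": "cc:cc:cc:cc:cc:03", "port": "port6"}),
        "garp_from_client": sw.handle_arp({"sender_ip": "10.0.0.20", "target_ip": "10.0.0.20",
                                           "sender_mac": client_mac, "port": "port5"}),
        "garp_poison_gateway": sw.handle_arp({"sender_ip": "10.0.0.1", "target_ip": "10.0.0.1",
                                              "sender_mac": other_mac, "port": "port7"}),
        "bindings": sorted(sw.bindings),
        "events": sw.events,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model makes one design point visible: disabling GARP reception (the gratuitousarp=off setting above) drops every GARP, including the one a teamed NIC sends on failover, whereas ARP security keyed on the DHCP snooping database still admits a GARP from a host whose IP, MAC and port are bound and rejects only the unbound ones.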

Create A Secure Network With Allied Telesis Managed Layer 3 Switches

15
