Configuring Advanced Threat Protection

Dynamic ARP Protection

Enabling Dynamic ARP Protection

To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level.

Syntax: [no] arp-protect vlan [vlan-range]

vlan-rangeSpecifies a VLAN ID or a range of VLAN IDs from one to 4094; for example, 1–200.

An example of the arp-protect vlan command is shown here:

ProCurve(config)# arp-protect vlan 1-101

Configuring Trusted Ports

In a similar way to DHCP snooping, dynamic ARP protection allows you to configure VLAN interfaces in two categories: trusted and untrusted ports. ARP packets received on trusted ports are forwarded without validation.

By default, all ports on a switch are untrusted. If a VLAN interface is untrusted:

The switch intercepts all ARP requests and responses on the port.

Each intercepted packet is checked to see if its IP-to-MAC binding is valid. If a binding is invalid, the switch drops the packet.

You must configure trusted ports carefully. For example, in the topology in Figure 8-9, Switch B may not see the leased IP address that Host 1 receives from the DHCP server. If the port on Switch B that is connected to Switch A is untrusted and if Switch B has dynamic ARP protection enabled, it will see ARP packets from Host 1 as invalid, resulting in a loss of connectivity.

On the other hand, if Switch A does not support dynamic ARP protection and you configure the port on Switch B connected to Switch A as trusted, Switch B opens itself to possible ARP poisoning from hosts attached to Switch A.

8-18