Address Resolution Protocol (ARP) operates at Layer 2, the data-link layer, of the OSI model and maps an IP address to the MAC address of the destination host, using a look-up table known as the ARP cache.
ARP Inspection is used to prevent ARP cache poisoning, which, if successful, can allow a malicious third party to intercept and control network traffic. The objective of this document is to set up ARP Inspection Properties on Sx500 Series Stackable Switches.
For ARP Inspection to function properly, complete the following configurations in the order given below:
1. ARP Inspection Properties, which is covered in this article.
2. Configure Interface Settings. Refer to the article Address Resolution Protocol (ARP) Inspection Interface Settings on Sx500 Series Stackable Switches for this configuration.
3. Configure Access Control and Access Control Rules. Refer to the article Configuration of ARP Access Control and Access Control Rules on Sx500 Series Stackable Switches for this configuration.
4. Configure VLAN Settings. Refer to the article Address Resolution Protocol (ARP) Inspection VLAN Settings Configuration on Sx500 Series Stackable Switches for this configuration.
Step 1. Log in to the web configuration utility and choose Security > ARP Inspection > Properties. The Properties page opens:
Step 2. In the ARP Inspection Status field, check Enable to enable the ARP inspection feature. This feature is disabled by default.
Note: ARP inspection is performed only on untrusted interfaces; packets received on trusted interfaces are forwarded without inspection. You can configure trusted interfaces on the Interface Settings page.
Step 3. In the ARP Packet Validation field, check Enable to enable ARP packet validation. This feature is disabled by default. When this field is checked, the following values are compared against the existing databases to prevent attacks from outside hosts:
ARP inspection also uses the DHCP snooping binding database, if DHCP snooping is enabled, to cross-check the IP address of the packet in addition to its access control rules. Refer to the article entitled DHCP Snooping Binding Database Configuration on Sx500 Series Stackable Switches for more information on configuring the DHCP snooping binding database. You can also reach the DHCP Snooping Binding Database configuration page by clicking the DHCP Snooping Binding Database link at the top of the Properties page.
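The inspection sequence described above (trusted interfaces bypass inspection, packet validation compares the Ethernet header with the ARP body, and untrusted senders are checked against the ARP access control rules and the DHCP snooping binding database), as an added Python model for illustration; it is not Cisco's code or the switch's implementation. The port names, bindings and rule entries are constructed sample data, and the order in which the access control rules and the binding database are consulted is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress_port: str   # switch port the packet arrived on
    vlan: int
    eth_src_mac: str    # source MAC in the Ethernet header
    sender_mac: str     # sender hardware address inside the ARP body
    sender_ip: str      # sender protocol address inside the ARP body


# Constructed sample data (hypothetical): one trusted uplink, one DHCP
# snooping binding and one static ARP access control rule for a host
# that has no DHCP lease (e.g. the gateway). Keys are (ip, mac, vlan).
TRUSTED_PORTS = {"gi1/1/24"}
DHCP_BINDINGS = {("10.0.1.10", "aa:bb:cc:00:00:10", 10)}
ARP_ACL_RULES = {("10.0.1.1", "aa:bb:cc:00:00:01", 10)}


def inspect_arp(pkt: ArpPacket, packet_validation: bool = True):
    """Return (forward, reason) for one ARP packet.

    Models the checks the article describes: trusted interfaces are not
    inspected; with ARP Packet Validation enabled the Ethernet source MAC
    must equal the ARP sender MAC; an untrusted sender must then match an
    access control rule or a DHCP snooping binding on its VLAN.
    """
    if pkt.ingress_port in TRUSTED_PORTS:
        return True, "trusted interface: forwarded without inspection"
    if packet_validation and pkt.eth_src_mac.lower() != pkt.sender_mac.lower():
        return False, "dropped: Ethernet source MAC differs from ARP sender MAC"
    key = (pkt.sender_ip, pkt.sender_mac.lower(), pkt.vlan)
    if key in ARP_ACL_RULES:          # assumed order: rules before bindings
        return True, "permitted by ARP access control rule"
    if key in DHCP_BINDINGS:
        return True, "sender matches DHCP snooping binding"
    return False, "dropped: no rule or binding for this IP/MAC on this VLAN"
```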
Step 4. In the Log Buffer Interval field, click one of the following radio buttons:
Step 5. Click Apply to apply the changes. The settings are saved and the running configuration file is updated.