LevelOne FGL-2870 User Manual, page 3-137

General Security Measures
- When ARP Inspection is disabled, all ARP request and reply packets bypass the ARP Inspection engine and are switched like any other packet.

- Disabling and then re-enabling global ARP Inspection does not affect the ARP Inspection configuration of any VLAN.

- When ARP Inspection is disabled globally, ARP Inspection can still be configured for individual VLANs. Those configuration changes only take effect once ARP Inspection is enabled globally again.

• The ARP Inspection engine in the current firmware version does not support ARP Inspection on trunk ports.

ARP Inspection VLAN Filters (ACLs)
• By default, no ARP Inspection ACLs are configured and the feature is disabled.
• ARP Inspection ACLs are configured on the ARP ACL configuration page (see page 3-133).
• An ARP Inspection ACL can be applied to any configured VLAN.
• ARP Inspection uses the DHCP snooping bindings database as its list of valid IP-to-MAC address bindings. ARP ACLs take precedence over entries in that database: the switch first compares ARP packets against any ARP ACL applied to the VLAN, and only then (if at all) against the bindings database.
• If the static option is specified, ARP packets are validated only against the selected ACL: packets are permitted or denied according to the matching rules, packets that match no rule are dropped, and the DHCP snooping bindings database is not consulted at all. This means that with static, ARP packets from hosts whose addresses were learned by DHCP snooping are also dropped unless the ACL explicitly permits them.
• If the static option is not specified, ARP packets are first validated against the selected ACL; packets that match no ACL rule are then checked against the DHCP snooping bindings database, which determines their validity.

ARP Inspection Validation
• By default, ARP Inspection Validation is disabled.
• Specifying at least one of the following validations enables ARP Inspection Validation globally. Any combination of the checks can be active at the same time.
- Destination MAC – Compares the destination MAC address in the Ethernet header with the target MAC address in the ARP body. This check is performed on ARP responses only. When enabled, packets in which the two addresses differ are classified as invalid and dropped.
- IP – Checks the ARP body for invalid and unexpected IP addresses, namely 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses; target IP addresses are checked only in ARP responses.
- Source MAC – Compares the source MAC address in the Ethernet header with the sender MAC address in the ARP body. This check is performed on both ARP requests and responses. When enabled, packets in which the two addresses differ are classified as invalid and dropped.
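The following Python model, added here as an illustration and not code from the LevelOne manual or firmware, walks an Ethernet/ARP frame through the decision order this page describes: the validation checks (Source MAC, Destination MAC, IP), then the ARP ACL applied to the VLAN, then the DHCP snooping bindings database unless static bypasses it. All names, the ACL rule form (a rule is assumed to match on the sender IP and sender MAC pair in the ARP body) and the sample addresses are this example's own assumptions; the sample frames are constructed inline.

```python
# Added example (not from the LevelOne manual). Rule fields, names and addresses
# are assumptions made for illustration; ARP ACL rules are assumed to match on
# the sender IP/MAC pair carried in the ARP body.
from __future__ import annotations
import ipaddress
import struct
from dataclasses import dataclass

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST, ZERO_MAC = b"\xff" * 6, b"\x00" * 6


@dataclass
class ArpPacket:
    eth_dst: bytes
    eth_src: bytes
    op: int
    sha: bytes   # sender MAC in the ARP body
    spa: str     # sender IP
    tha: bytes   # target MAC
    tpa: str     # target IP


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Construct an Ethernet/ARP frame; used here only to build sample input."""
    return ETH_HDR.pack(eth_dst, eth_src, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, op, sha, ipaddress.IPv4Address(spa).packed,
        tha, ipaddress.IPv4Address(tpa).packed)


def parse_arp(frame: bytes) -> ArpPacket:
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is modelled")
    return ArpPacket(eth_dst, eth_src, op, sha, str(ipaddress.IPv4Address(spa)),
                     tha, str(ipaddress.IPv4Address(tpa)))


@dataclass
class AclRule:
    action: str   # "permit" or "deny"
    ip: str       # sender IP to match (assumed rule form)
    mac: bytes    # sender MAC to match (assumed rule form)


@dataclass
class VlanPolicy:
    acl: list      # AclRule entries, evaluated in order
    static: bool   # True: ACL only, DHCP snooping bindings database bypassed


def invalid_ip(ip: str) -> bool:
    """Addresses rejected by the IP validation: 0.0.0.0, 255.255.255.255, multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or ipaddress.IPv4Address(ip).is_multicast


def validate(pkt: ArpPacket, checks) -> str | None:
    """Return a drop reason if an enabled validation check fails, else None."""
    if "src-mac" in checks and pkt.eth_src != pkt.sha:          # requests and replies
        return "src-mac mismatch"
    if "dst-mac" in checks and pkt.op == ARP_REPLY and pkt.eth_dst != pkt.tha:
        return "dst-mac mismatch"                                 # replies only
    if "ip" in checks:
        if invalid_ip(pkt.spa):                                   # requests and replies
            return "invalid sender IP"
        if pkt.op == ARP_REPLY and invalid_ip(pkt.tpa):           # replies only
            return "invalid target IP"
    return None


def inspect(frame: bytes, policy: VlanPolicy | None, bindings: dict, checks=frozenset()):
    """Return (verdict, reason). bindings maps IP -> MAC as learned by DHCP snooping."""
    pkt = parse_arp(frame)
    reason = validate(pkt, checks)
    if reason:
        return "drop", reason
    if policy is not None:                                        # ACL consulted first
        for rule in policy.acl:
            if rule.ip == pkt.spa and rule.mac == pkt.sha:
                return rule.action, f"acl {rule.action} {rule.ip}"
        if policy.static:                                         # static: no fallback
            return "drop", "no ACL match (static)"
    if bindings.get(pkt.spa) == pkt.sha:                          # bindings database
        return "permit", "dhcp snooping binding"
    return "drop", "no binding"


# Constructed sample addresses; the gateway has a static IP, so no DHCP binding.
HOST_MAC, HOST_IP = bytes.fromhex("001122334455"), "192.168.1.10"
GW_MAC, GW_IP = bytes.fromhex("0000aabbccdd"), "192.168.1.1"
ATTACKER_MAC = bytes.fromhex("66778899aabb")
BINDINGS = {HOST_IP: HOST_MAC}
GW_ACL = VlanPolicy([AclRule("permit", GW_IP, GW_MAC)], static=False)
ALL_CHECKS = frozenset({"src-mac", "dst-mac", "ip"})

HOST_REQUEST = build_arp(BROADCAST, HOST_MAC, ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP)
GW_REPLY = build_arp(HOST_MAC, GW_MAC, ARP_REPLY, GW_MAC, GW_IP, HOST_MAC, HOST_IP)
# Reply claiming the gateway IP with the attacker's MAC (ARP cache poisoning).
SPOOFED_REPLY = build_arp(HOST_MAC, ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, GW_IP, HOST_MAC, HOST_IP)
# ARP body copies the host's valid binding, but the frame comes from the attacker's NIC.
FORGED_BODY = build_arp(BROADCAST, ATTACKER_MAC, ARP_REQUEST, HOST_MAC, HOST_IP, ZERO_MAC, GW_IP)


def demo() -> dict:
    static_acl = VlanPolicy(GW_ACL.acl, static=True)
    return {
        "host_request": inspect(HOST_REQUEST, GW_ACL, BINDINGS, ALL_CHECKS)[0],
        "gateway_reply": inspect(GW_REPLY, GW_ACL, BINDINGS, ALL_CHECKS)[0],
        "spoofed_reply": inspect(SPOOFED_REPLY, GW_ACL, BINDINGS, ALL_CHECKS)[0],
        "host_request_static": inspect(HOST_REQUEST, static_acl, BINDINGS, ALL_CHECKS)[0],
        "forged_no_validation": inspect(FORGED_BODY, None, BINDINGS)[0],
        "forged_with_validation": inspect(FORGED_BODY, None, BINDINGS, ALL_CHECKS)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

Two of the outcomes are the ones worth checking on a real deployment: with static set, the DHCP host's own request is dropped because it matches no ACL rule and the bindings database is never consulted, and without the Source MAC validation a frame whose ARP body copies a valid binding is permitted even though it was sent from a different NIC.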