Arp security, Mac address verification, Dhcp snooping violations – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual

Page 1430

DHCP Snooping Introduction and Configuration

Software Reference for x310 Series Switches
AlliedWare Plus™ Operating System - Version 5.4.4C
C613-50046-01 REV A
55.8

ARP Security

ARP security prevents ARP spoofing. ARP spoofing occurs when devices send fake, or
'spoofed', ARP messages to an Ethernet LAN. This makes it possible for an unauthorized
host to claim to be an authorized host. The unauthorized host can then intercept traffic
intended for the authorized host, and can access the wider network.

Spoofed ARP messages contain the IP address of an authorized host, with a MAC address
which does not match the real MAC address of the host. When ARP security is enabled for
DHCP snooping, the switch checks ARP packets sourced from untrusted ports against the
entries in the DHCP snooping binding database. If it finds a matching entry, it forwards the
ARP packet as normal. If it does not find a matching entry, it drops the ARP packet. This
ensures that only trusted clients (with a recognized IP address and MAC address) can
generate ARP packets into the network. ARP security is not applied to packets received on
trusted ports.

ARP security is disabled by default, and can be enabled on VLANs to ensure that on
untrusted ports, only trusted clients (with a recognized IP address and MAC address) can
generate ARP packets into the network. ARP security is applied to both dynamic and static
DHCP snooping entries. For static DHCP entries without a MAC address defined, ARP
security compares only the IP address details.

MAC Address Verification

When MAC address verification is enabled, the switch forwards DHCP packets received on
untrusted ports only if the source MAC address and client hardware address match. MAC
address verification is enabled by default.

DHCP Snooping Violations

Packets violating DHCP snooping or ARP security checks (if these are enabled) are
automatically dropped. The switch can also be configured to send SNMP notifications
(atDhcpsnTrap and atArpsecTrap), to generate log messages, or to shut down the link on
which the packet was received.

If the switch is configured to send notifications for DHCP snooping or ARP security
violations, the rate is limited to one notification per second. If there are any further
violations within a second, no notifications are sent for them. After one second, the switch
only sends further notifications if the source MAC address and/or the violation reason are
different from previous notifications. (If log messages are also generated for ARP security
and DHCP snooping violations, you can see a record of all violations in the log, even if
notifications were not sent for all of them.)
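The following is an added model of the two behaviours described above, the ARP security check against the binding database (trusted ports bypass it, static entries without a MAC compare the IP only) and the one-per-second violation notification rate limit. It is illustrative code written for this page, not AlliedWare Plus code; the binding entries, port names and timestamps are constructed, and it assumes "previous notifications" means the last notification actually sent.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Binding:
    ip: str
    mac: Optional[str]   # None models a static entry defined without a MAC
    vlan: int

@dataclass
class ArpSecurity:
    bindings: list
    trusted_ports: set
    enabled_vlans: set     # VLANs on which ARP security has been enabled

    def permit(self, port: str, vlan: int, sender_ip: str, sender_mac: str) -> bool:
        # ARP security is not applied on trusted ports or on VLANs where it is off.
        if port in self.trusted_ports or vlan not in self.enabled_vlans:
            return True
        for b in self.bindings:
            if b.vlan != vlan or b.ip != sender_ip:
                continue
            # Static entry without a MAC: only the IP address is compared.
            if b.mac is None or b.mac.lower() == sender_mac.lower():
                return True
        return False   # no matching binding: the ARP packet is dropped

class ViolationNotifier:
    """One notification per second; after that only a different source MAC
    and/or violation reason triggers another (assumed: 'previous' = last sent)."""
    def __init__(self):
        self.last_sent = None   # timestamp of the last notification sent
        self.last_key = None    # (src_mac, reason) of that notification

    def should_notify(self, now: float, src_mac: str, reason: str) -> bool:
        key = (src_mac.lower(), reason)
        if self.last_sent is not None:
            if now - self.last_sent < 1.0:
                return False          # further violations within the second
            if key == self.last_key:
                return False          # same MAC and reason as the last one sent
        self.last_sent, self.last_key = now, key
        return True

if __name__ == "__main__":   # constructed sample: one dynamic and one IP-only static binding
    table = [Binding("10.0.0.5", "00:11:22:33:44:55", 10), Binding("10.0.0.9", None, 10)]
    sec = ArpSecurity(table, trusted_ports={"port1.0.1"}, enabled_vlans={10})
    print(sec.permit("port1.0.2", 10, "10.0.0.5", "00:11:22:33:44:55"))  # True
    print(sec.permit("port1.0.2", 10, "10.0.0.5", "de:ad:be:ef:00:01"))  # False (spoofed MAC)
```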