Address Resolution Protocol (ARP) is used to map IP addresses to MAC addresses. ARP inspection is used to prevent man-in-the-middle (MITM) attacks. ARP inspection compares the source MAC address of a packet to the MAC address of the sender and the destination MAC address of the packet to the MAC address of the receiver. It also checks whether the IP address of the packet is valid. The packet is forwarded if the addresses match and the IP address is valid. ARP inspection is only performed on interfaces that are defined as untrusted.
This article explains how to configure ARP inspection on the SFE / SGE Stackable Managed Switches.
• SFE / SGE Stackable Managed Switches
• v3.0.0.17
Step 1. Log in to the web configuration utility and choose Security Suite > ARP Inspection > Properties. The ARP Inspection Properties page opens.
Step 2. Check Enable ARP Inspection to enable ARP inspection.
Step 3. Check ARP Inspection Validate to enable ARP inspection validate on the switch. This makes ARP inspection check source MAC, destination MAC, and IP addresses in ARP requests and ARP responses.
Step 4. Click the radio button that corresponds to the desired log buffer interval. The Log Buffer Interval defines the minimum time between successive Syslog messages.
• Retry Frequency — Enter a value for the amount of time between log updates (in seconds).
• Never — The log is never updated.
Step 5. Click Apply.
Caution: This only saves your configuration to the running configuration file. This means any changes made will be lost if the device is rebooted. If you wish to save these changes even after a system reboot, you need to copy the running configuration file to the startup configuration file. See Copy Configuration File on SFE/SGE Series Managed Switches for more information on how to do this.
Step 1. Log in to the web configuration utility and choose Security Suite > ARP Inspection > Trusted Interfaces. The ARP Inspection Trusted Interfaces page opens.
Step 2. Click the radio button that corresponds to the interfaces that you want to edit.
• Ports — Displays the trust configuration of the ports.
• LAGs — Displays the trust configuration of the LAGs.
Step 3. Click Edit to edit the interface. The Edit Interface Settings window appears.
Step 4. (Optional) Click the radio button that corresponds to the desired interface in the Interface field.
• Port — From the Port drop-down list, choose the port to configure. This will only affect the single port chosen.
• LAG — From the LAG drop-down list, choose the LAG to configure. This will affect the group of ports defined in the LAG configuration.
Step 5. From the Trust Status drop-down list, choose Enable to trust the interface.
Note: This disables ARP inspection on the specified interface.
Step 6. Click Apply.
Caution: This only saves your configuration to the running configuration file. This means any changes made will be lost if the device is rebooted. If you wish to save these changes even after a system reboot, you need to copy the running configuration file to the startup configuration file. See Copy Configuration File on SFE/SGE Series Managed Switches for more information on how to do this.
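The checks that ARP Inspection Validate enables in the first procedure, combined with the trust setting from the second, sketched in Python as an added example; this is not the switch's own code. The definition of an invalid IP address (0.0.0.0, 255.255.255.255, multicast), the choice to apply the destination MAC and target IP checks to responses only, and the names `parse_arp_frame`, `ip_invalid`, `inspect` and `build` are assumptions of this example.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2

def parse_arp_frame(frame: bytes) -> dict:
    """Split an untagged Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    return dict(eth_dst=eth_dst, eth_src=eth_src, oper=oper, sha=sha, tha=tha,
                spa=ipaddress.IPv4Address(spa), tpa=ipaddress.IPv4Address(tpa))

def ip_invalid(ip) -> bool:
    # Assumption: invalid = 0.0.0.0, 255.255.255.255 or any multicast address.
    return ip.is_unspecified or ip.is_multicast or int(ip) == 0xFFFFFFFF

def inspect(frame: bytes, trusted: bool) -> list:
    """Return the failed checks; an empty list means the packet is forwarded."""
    if trusted:
        return []  # trusted interface: ARP inspection is not performed
    try:
        f = parse_arp_frame(frame)
    except ValueError as err:
        return [str(err)]
    failed = []
    if f["eth_src"] != f["sha"]:
        failed.append("source MAC != ARP sender MAC")
    # Assumption: destination MAC and target IP are checked on replies only.
    if f["oper"] == ARP_REPLY and f["eth_dst"] != f["tha"]:
        failed.append("destination MAC != ARP target MAC")
    if ip_invalid(f["spa"]) or (f["oper"] == ARP_REPLY and ip_invalid(f["tpa"])):
        failed.append("invalid IP address in ARP body")
    return failed

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa) -> bytes:
    """Build a constructed sample frame (MACs as hex strings, IPs dotted)."""
    mac, ip = bytes.fromhex, lambda s: ipaddress.IPv4Address(s).packed
    return struct.pack("!6s6sHHHBBH6s4s6s4s", mac(eth_dst), mac(eth_src), 0x0806,
                       1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

# Constructed sample frames; MACs and 192.0.2.0/24 addresses are made up.
A, B, X = "020000000001", "020000000002", "020000000099"
GOOD_REPLY = build(A, B, ARP_REPLY, B, "192.0.2.2", A, "192.0.2.1")
MISMATCH_REPLY = build(A, X, ARP_REPLY, B, "192.0.2.2", A, "192.0.2.1")
```

`inspect(MISMATCH_REPLY, trusted=False)` reports the source MAC mismatch, while the same frame with `trusted=True` is forwarded unchecked, which is why only ports facing infrastructure you control should be set to trusted.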