Description:

With the aim of preventing attacks on the local network via ARP poisoning, a managed switch can be set up to run the ARP Inspection feature. ARP Inspection scans all ARP packets and checks whether the addresses they carry were learned through DHCP snooping. ARP packets that match a learned binding are forwarded; all other ARP packets are discarded.

Since ARP Inspection relies on DHCP snooping, this function is only suitable for devices that obtain their IP address via DHCP. An exception is therefore required for ports that are connected to a router or switch; otherwise communication with these devices will be restricted. To this end, these ports must be set to "Trusted" in the ARP inspection. Ports connected to end devices that obtain their IP address via DHCP must be set to "Untrusted" (which also applies to ports connected to an access point).

This article describes how to set up ARP Inspection on a GS-23xx series switch.

When configuring ARP Inspection, communication in the local network or to the Internet may no longer be possible if ports are set incorrectly. For this reason it is important to plan in advance how the settings for the individual switch ports must be set.

Using ARP Inspection requires the switch to inspect all ARP packets. This increases the CPU load on the device.


Requirements:


Procedure:

1) Configuring ARP Inspection on the switch:

1.1) Connect to the web interface of the switch and navigate to the menu Security → ARP Inspection → Configuration.

1.2) Under ARP Inspection Configuration, set the Mode to Enabled.

The button Translate dynamic to static moves entries from the Dynamic ARP Inspection Table to the Static ARP Inspection Table. After saving the configuration as the Start Configuration (see step 3), they are then permanently stored in the switch.

1.3) Under Port Mode Configuration, set the mode for any ports that are connected to devices using DHCP to Enabled. This activates ARP Inspection on these ports. Leave the ports connected to the router and any other switch (in this example Ports 1 and 2) set to Disabled, so that ARP Inspection is not used on these ports.

Click Apply afterwards.



2) Configuring the Static ARP Inspection Table (optional):

To allow communication with devices with a static IP address that are directly connected to the switch (except for the router and other switches), the IP and MAC address of this device must be stored in the Static ARP Inspection Table. This is also necessary if a device behind another switch is to access the device with the static IP address.

2.1) Switch to the menu Security → ARP Inspection → Static Table and click Add new entry to create a static entry for a device with a fixed IP address (such as an access point).

2.2) Modify the following parameters and then click Apply:

  • Port: Select the Port that the device with the static IP address is connected to.
  • VLAN ID: Enter the VLAN ID of the network where the device is located.
  • MAC address: Enter the MAC address of the device.
  • IP address: Enter the IP address of the device.



3) Save the configuration as the startup configuration:

3.1) With the configuration complete, go to the menu Maintenance → Save/Restore → Save Start and click Save so that the configuration is saved as a Start configuration.

The start configuration is retained even if the device is restarted or there is a power failure.
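To help plan the port settings before applying them (see the warning above), the following Python model reproduces the forwarding decision the article describes: ARP packets on ports left Disabled pass uninspected, while packets on Enabled ports are forwarded only if their sender MAC/IP, VLAN and ingress port match an entry in the dynamic (DHCP snooping) or static ARP Inspection table. This is an added example, not code from the article or from the switch firmware; the table contents, port numbers and addresses are constructed, and the assumption that the ingress port is part of the match is the author's.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:
    """One row of the dynamic or static ARP Inspection table."""
    port: int
    vlan: int
    mac: str
    ip: str

@dataclass(frozen=True)
class ArpPacket:
    ingress_port: int
    vlan: int
    sender_mac: str
    sender_ip: str

class ArpInspection:
    def __init__(self, enabled_ports, dynamic_table, static_table):
        # Ports set to Enabled are inspected; all others (router/switch uplinks) are not.
        self.enabled_ports = set(enabled_ports)
        # Dynamic entries come from DHCP snooping, static ones from the Static Table.
        self.table = {self._norm(b) for b in (*dynamic_table, *static_table)}

    @staticmethod
    def _norm(b):
        return Binding(b.port, b.vlan, b.mac.lower(), b.ip)

    def verdict(self, pkt):
        if pkt.ingress_port not in self.enabled_ports:
            return "forward"  # port Disabled: ARP is not inspected here
        key = Binding(pkt.ingress_port, pkt.vlan, pkt.sender_mac.lower(), pkt.sender_ip)
        return "forward" if key in self.table else "drop"

    def ports_without_binding(self):
        """Enabled ports with no table entry: a host there cannot ARP at all."""
        bound = {b.port for b in self.table}
        return sorted(self.enabled_ports - bound)

# Constructed sample data (not from the article): ports 1-2 are the router and
# a second switch (left Disabled), ports 3-6 are inspected.
DYNAMIC = [Binding(3, 1, "aa:bb:cc:00:00:03", "192.0.2.30"),
           Binding(4, 1, "aa:bb:cc:00:00:04", "192.0.2.40")]
STATIC = [Binding(5, 1, "aa:bb:cc:00:00:05", "192.0.2.50")]  # access point, fixed IP
INSPECT = ArpInspection(enabled_ports=[3, 4, 5, 6], dynamic_table=DYNAMIC, static_table=STATIC)

def check(port, vlan, mac, ip):
    return INSPECT.verdict(ArpPacket(port, vlan, mac, ip))
```

`ports_without_binding()` lists inspected ports that have neither a DHCP lease nor a static entry, which is exactly where communication would be cut off after applying the configuration.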