Description:

With the aim of preventing attacks on the local network via ARP poisoning, a managed switch can be set up to run the ARP Inspection feature. ARP Inspection examines every ARP packet and checks whether the addresses it contains are present in the DHCP Snooping Dynamic Bindings or DHCP Snooping Static Bindings tables (learned through DHCP snooping). Only ARP packets with a matching binding are forwarded; all other ARP packets are discarded.

Since ARP Inspection relates to DHCP snooping, this function is only suitable for devices that obtain their IP address via DHCP. An exception is therefore required for ports that are connected to a router or switch, otherwise communication with these devices may be restricted. To this end, these ports must be set to "Trusted" in the ARP inspection. Ports connected to end devices that obtain their IP address via DHCP must be set to "Untrusted" (which also applies for ports connected to an access point).

This article describes how to set up ARP Inspection on an XS- or GS-45xx series switch. 

If ARP Inspection is configured incorrectly, communication in the local network or to the Internet may no longer be possible. For this reason it is important to plan in advance how each individual switch port must be set.

Using ARP Inspection requires the switch to inspect all ARP packets. This increases the CPU load on the device.



Requirements:


Procedure:

1) Configuring ARP Inspection:

1.1) Connect to the web interface of the switch and navigate to the menu Switching → Dynamic ARP Inspection → Global.

1.2) Enable the following parameters and then click Submit:

  • Validate Source MAC: The switch checks whether the MAC address of the sender in the ARP packet matches the source MAC address in the Ethernet header. If this is not the case, the packet is dropped. 
  • Validate Destination MAC: The switch checks whether the MAC address of the destination in the ARP packet matches the destination MAC address in the Ethernet header (ARP responses only). If this is not the case, the packet is dropped.

The option Validate IP should not be activated, otherwise ARP packets containing any of the following IP addresses will be discarded (e.g. no multicast data traffic would be possible in this VLAN):

  • 0.0.0.0
  • 255.255.255.255
  • All IP multicast addresses
  • All class E addresses (240.0.0.0/4)
  • Loopback addresses (address range 127.0.0.0/8)

1.3) Change to the VLAN tab and click Add.

1.4) Select the VLAN ID where ARP inspection should be used. Then click Submit.

1.5) Go to the Interface tab and mark the interfaces to the router and to another switch (in this example 1/0/1 and 1/0/2). Then click Edit.

1.6) Enable the Trust State and then click Submit. This disables ARP inspection on these ports.

For the remaining ports, the parameter Trust State is left at Disabled so that ARP inspection is operated there.



2) Configuring the ARP inspection ACL (optional):

To allow communication with devices that have a static IP address and are directly connected to the switch (except for the router and other switches), the IP and MAC address of each such device must be stored in the ACL (Access Control List). This is also necessary if a device behind another switch is to access the device with the static IP address.

It is also possible to block communication via the ACL.

2.1) Go to the ACL Summary tab and click Add.

2.2) Enter a descriptive ACL name and then click Submit.

2.3) Go to the ACL Configuration tab, make sure the ACL Name is set to the correct ACL and click Add Rule.

2.4) Modify the following parameters and then click Submit:

  • Sender IP Address: Enter the IP address of the device for which communication should be allowed.
  • Sender MAC Address: Enter the MAC address of the device for which communication should be allowed.
  • Action: Choose the option Permit to allow communication. Alternatively, the option Deny can be used to prevent communication for the corresponding device.

2.5) Go to the VLAN tab and edit the entry created in steps 1.3 and 1.4. Enter the name of the ACL created in step 2.2 (in this example ARP-ACL) and click Submit.
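As an added example that is neither part of this article nor the switch firmware's own logic, the following Python script models the inspection decisions from sections 1 and 2 (DHCP snooping bindings, the two MAC validation options, the address list rejected by Validate IP, trusted ports and the ARP ACL) on constructed sample packets; the order in which the checks are applied and all names, addresses and ports in it are assumptions.

```python
# Added example (not switch firmware code): models the Dynamic ARP Inspection decisions this article describes; check order and field names are assumptions.
from typing import NamedTuple
from ipaddress import ip_address

class ArpPacket(NamedTuple):
    port: str; vlan: int; is_reply: bool
    eth_src: str; eth_dst: str        # addresses in the Ethernet header
    sender_mac: str; sender_ip: str   # addresses in the ARP payload
    target_mac: str; target_ip: str
class DaiConfig(NamedTuple):
    vlans: set                        # VLANs with ARP inspection enabled (step 1.4)
    trusted_ports: set                # ports to the router/other switches (step 1.6)
    bindings: dict                    # DHCP snooping bindings: (vlan, ip) -> mac
    acl: dict = {}                    # ARP ACL rules (step 2.4): (sender_ip, sender_mac) -> permit/deny
    validate_ip: bool = False         # the article advises leaving this off

def ip_rejected_by_validate_ip(ip: str) -> bool:  # 0.0.0.0, 255.255.255.255, multicast, class E, loopback
    a = ip_address(ip)                # is_reserved covers 240.0.0.0/4, which includes 255.255.255.255
    return a.is_unspecified or a.is_multicast or a.is_loopback or a.is_reserved

def inspect(p: ArpPacket, c: DaiConfig) -> str:  # returns 'forward' or 'drop: <reason>'
    if p.vlan not in c.vlans or p.port in c.trusted_ports:
        return "forward"              # trusted port or VLAN without inspection: not checked at all
    if p.sender_mac.lower() != p.eth_src.lower():                 # Validate Source MAC (step 1.2)
        return "drop: sender MAC differs from Ethernet source MAC"
    if p.is_reply and p.target_mac.lower() != p.eth_dst.lower():  # Validate Destination MAC (replies only)
        return "drop: target MAC differs from Ethernet destination MAC"
    if c.validate_ip and (ip_rejected_by_validate_ip(p.sender_ip) or p.is_reply and ip_rejected_by_validate_ip(p.target_ip)):
        return "drop: IP address rejected by Validate IP"
    action = c.acl.get((p.sender_ip, p.sender_mac.lower()))  # assumption: ACL consulted before the bindings
    if action == "deny":
        return "drop: ARP ACL deny"
    if action == "permit" or c.bindings.get((p.vlan, p.sender_ip), "").lower() == p.sender_mac.lower():
        return "forward"
    return "drop: no matching DHCP snooping binding"

# Constructed sample configuration and packets: VLAN 10, uplinks 1/0/1 and 1/0/2 trusted as in step 1.5
CFG = DaiConfig(vlans={10}, trusted_ports={"1/0/1", "1/0/2"}, bindings={(10, "192.168.1.20"): "aa:bb:cc:00:00:20"},
                acl={("192.168.1.50", "aa:bb:cc:00:00:50"): "permit"})
REQ = dict(is_reply=False, eth_dst="ff:ff:ff:ff:ff:ff", target_mac="00:00:00:00:00:00", target_ip="192.168.1.1")
REPLY = dict(is_reply=True, eth_dst="aa:bb:cc:00:00:20", target_mac="aa:bb:cc:00:00:20", target_ip="192.168.1.20")
SAMPLES = {
    "dhcp client request":   ArpPacket("1/0/5", 10, eth_src="aa:bb:cc:00:00:20", sender_mac="aa:bb:cc:00:00:20", sender_ip="192.168.1.20", **REQ),
    "static host via ACL":   ArpPacket("1/0/7", 10, eth_src="aa:bb:cc:00:00:50", sender_mac="aa:bb:cc:00:00:50", sender_ip="192.168.1.50", **REQ),
    "spoofed gateway reply": ArpPacket("1/0/6", 10, eth_src="aa:bb:cc:00:00:66", sender_mac="aa:bb:cc:00:00:66", sender_ip="192.168.1.1", **REPLY),
    "reply on router port":  ArpPacket("1/0/1", 10, eth_src="aa:bb:cc:00:00:01", sender_mac="aa:bb:cc:00:00:01", sender_ip="192.168.1.1", **REPLY),
}
for name, pkt in SAMPLES.items():
    print(f"{name:22} -> {inspect(pkt, CFG)}")
```

Running it shows that the unbound gateway claim on an untrusted port is dropped while the same reply on the trusted router port passes, and that a static host is only reachable once its ACL entry exists.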



3) Save the configuration as the startup configuration:

3.1) With the configuration complete, click Save Configuration in the top right-hand corner to save the configuration as the startup configuration.

The startup configuration is retained even if the device is restarted or there is a power failure.

3.2) Acknowledge the save process by clicking OK.