Instant On - Wired

  • 1.  1930: Question about ARP attack protection and DHCP snooping

    Posted 11 days ago
     
    Question about ARP attack protection and DHCP snooping
     
    1. ARP attack protection:
    Does ARP attack protection have to be activated simultaneously for an interface and the VLAN active on it in order to take effect? Manual Page 205: Figure 166. (Interface) + Figure 169. (VLAN)
     
    Example: Interfaces 10-20 are untagged VLAN 30 for direct client connection
     
    Does ARP Attack Protection have to be activated for interfaces 10-20 and for VLAN 30 for it to take effect?
    (ARP attack protection activated globally) 
     
     
    2. If I connect a PC with a fixed IP address (no DHCP) to interfaces 10-20, it does not receive network access and is blocked by ARP Attack Protection.
     
    Am I right in assuming that this happens because ARP Attack Protection looks for the IP address in the DHCP snooping database? If the DHCP server has never assigned this IP, the IP is not in the database and ARP Attack Protection will drop the traffic, correct?
     
     
    3. Is the right solution here to create ARP access control rules (IP+MAC) for devices with a fixed IP address (printers or specific computers) and associate them with the VLAN?
     
    Thanks in advance! :)


    ------------------------------
    LO ipro
    ------------------------------


  • 2.  RE: 1930: Question about ARP attack protection and DHCP snooping

    Posted 3 days ago

    Hi,

    1) Yes, from what I understand, you need to:

    • Enable "ARP Attack Protection" in the "Global Configuration", and
    • Set the "Trust Mode" to "Untrusted" on interfaces 10 -> 20, and
    • Enable "ARP Attack Protection" on VLAN 30

    2) Yes, see the last comment in https://community.arubanetworks.com/discussion/dhcp-snooping-not-working-as-expected

    3) Yes, try adding a DHCP Snooping Binding to the "Binding Database" on the DHCP Snooping screen.

    Another option is to try connecting the devices with static IP addresses to a specific interface and setting that interface as "trusted" in "ARP attack protection".



    ------------------------------
    Travis Thorne
    ------------------------------
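
The behaviour discussed in this thread, as an added example that is not part of either post and is not the switch's own code: a simplified Python model of how ARP inspection decides whether to forward an ARP packet, showing why a static-IP host on an untrusted port is dropped until a rule or binding exists. The class and method names, the order of the checks, and the MAC/IP values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Switch:
    """Simplified model; names and check order are assumptions."""
    global_enabled: bool = True
    protected_vlans: set = field(default_factory=set)    # VLANs with protection on
    trusted_ports: set = field(default_factory=set)      # everything else is untrusted
    bindings: set = field(default_factory=set)           # (vlan, port, mac, ip)
    arp_acl: dict = field(default_factory=dict)          # vlan -> {(ip, mac)}

    def add_binding(self, vlan, port, mac, ip):
        # Learned from a DHCP ACK by snooping, or entered by hand as a static binding.
        self.bindings.add((vlan, port, mac.lower(), ip))

    def add_arp_rule(self, vlan, ip, mac):
        # ARP access control rule (IP+MAC) associated with a VLAN.
        self.arp_acl.setdefault(vlan, set()).add((ip, mac.lower()))

    def inspect_arp(self, vlan, port, sender_mac, sender_ip):
        mac = sender_mac.lower()
        if not self.global_enabled or vlan not in self.protected_vlans:
            return "forward", "protection not active for this VLAN"
        if port in self.trusted_ports:
            return "forward", "trusted interface"
        if (sender_ip, mac) in self.arp_acl.get(vlan, set()):
            return "forward", "ARP access control rule"
        if (vlan, port, mac, sender_ip) in self.bindings:
            return "forward", "DHCP snooping binding"
        return "drop", "no rule or binding for sender IP/MAC"

def thread_scenario():
    """Ports 10-20 untagged in VLAN 30, all untrusted (constructed values)."""
    sw = Switch(protected_vlans={30})
    dhcp_pc = "02:00:00:00:00:0a"
    printer = "02:00:00:00:00:0b"
    sw.add_binding(30, 10, dhcp_pc, "192.0.2.50")        # lease seen by DHCP snooping
    out = {
        "dhcp_pc": sw.inspect_arp(30, 10, dhcp_pc, "192.0.2.50"),
        "static_before": sw.inspect_arp(30, 11, printer, "192.0.2.20"),
    }
    sw.add_arp_rule(30, "192.0.2.20", printer)           # option 3 from the thread
    out["static_after"] = sw.inspect_arp(30, 11, printer, "192.0.2.20")
    out["wrong_ip"] = sw.inspect_arp(30, 10, dhcp_pc, "192.0.2.1")
    return out

if __name__ == "__main__":
    for case, (verdict, reason) in thread_scenario().items():
        print(f"{case:14} {verdict:8} {reason}")
```
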