ARP Inspection
The system supports ARP Inspection on interfaces. With this function enabled, the system inspects every ARP packet passing through the specified interfaces and compares the IP address and MAC address carried in the ARP packet against the static IP-MAC bindings in the ARP list and the IP-MAC bindings learned in the DHCP Snooping list, in that order:
- If the IP address is in the ARP list and the MAC address is also matched, the ARP packet will be forwarded;
- If the IP address is in the ARP list but the MAC address is not matched, the ARP packet will be dropped;
- If the IP address is not in the ARP list, continue to check if the IP address is in the DHCP Snooping list;
- If the IP address is in the DHCP Snooping list and the MAC address is also matched, the ARP packet will be forwarded;
- If the IP address is in the DHCP Snooping list but the MAC address is not matched, the ARP packet will be dropped;
- If the IP address is not in the DHCP Snooping list either, the ARP packet will be dropped or forwarded according to the Drop/Forward setting configured for the VLAN.
This section describes how to configure ARP Inspection.
Configuring ARP Inspection
Both VSwitch and VLAN interfaces support ARP Inspection. The function is disabled by default.
To configure ARP Inspection, take the following steps:
- On the Navigation pane, click Configure > Security > ARP Defense to visit the ARP Defense page.
- Click ARP Inspection.
- In the ARP Inspection dialog, configure ARP Inspection for a VLAN. Type the VLAN ID into the Vlan (range: 1-4094) box, and click Add. The specified VLAN will be displayed in the list below. Select the corresponding Check check box to enable ARP Inspection for the VLAN, and click Drop or Forward to choose how ARP packets whose IP addresses are in neither the ARP list nor the DHCP Snooping list are processed.
- Configure ARP Inspection for other interfaces.
- To configure an exception port (ARP Inspection will not be applied to packets received on this port), on the Advanced tab, select the Disable check box, and select the exception port(s). Because packets on an exception port are not checked against either binding list, reserve exception ports for trusted uplinks. If needed, also double-click the cell in the ARP rate (per sec) column of the port to edit it. ARP rate is the number of ARP packets the interface accepts per second; if the number exceeds the specified value, the system drops the excess ARP packets. The value range is 0 to 10000. The default value is 0, i.e., no rate limit.
- Click OK to save your changes and return to the ARP Defense page.
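The following simulation is an added example that is not vendor code; it models the lookup order described at the top of this page (ARP list, then DHCP Snooping list, then the per-VLAN Drop/Forward default) together with the exception-port and ARP-rate settings from the configuration steps. The binding tables, port names, the fixed one-second rate window and the decision to apply the rate limit before any lookup are constructed assumptions made for illustration; the page does not document the device's internal data structures.

```python
"""Simulation of the ARP Inspection decision path (added example, not vendor code).

Binding tables, port names and the ordering of the rate-limit check are
constructed assumptions; the page documents the lookup order only.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    FORWARD = "forward"
    DROP = "drop"


def norm_mac(mac: str) -> str:
    """Canonicalise a MAC so '00:1A:2B', '00-1a-2b' and '001a.2b..' variants compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class ArpPacket:
    vlan: int
    port: str          # ingress port name
    sender_ip: str     # sender protocol address in the ARP payload
    sender_mac: str    # sender hardware address in the ARP payload


@dataclass
class VlanPolicy:
    check: bool = False                # the "Check" box for this VLAN
    unknown_ip: Action = Action.DROP   # Drop/Forward for IPs in neither list


@dataclass
class ArpInspector:
    arp_list: dict                                        # static IP -> MAC bindings
    dhcp_snooping: dict                                   # learned IP -> MAC bindings
    vlans: dict = field(default_factory=dict)             # VLAN ID -> VlanPolicy
    exception_ports: set = field(default_factory=set)     # ports never inspected
    arp_rate: dict = field(default_factory=dict)          # port -> packets/sec, 0 = unlimited
    _counters: dict = field(default_factory=dict)         # (port, second) -> packets seen

    def __post_init__(self):
        self.arp_list = {ip: norm_mac(m) for ip, m in self.arp_list.items()}
        self.dhcp_snooping = {ip: norm_mac(m) for ip, m in self.dhcp_snooping.items()}

    def _over_rate(self, port: str, now: float) -> bool:
        """Fixed one-second window counter per port (assumed semantics of 'ARP rate')."""
        limit = self.arp_rate.get(port, 0)
        if limit <= 0:
            return False
        key = (port, int(now))
        self._counters[key] = self._counters.get(key, 0) + 1
        return self._counters[key] > limit

    def inspect(self, pkt: ArpPacket, now: float = 0.0) -> tuple:
        """Return (Action, reason) for one ARP packet."""
        # Assumption: the per-port rate limit is evaluated before any binding lookup.
        if self._over_rate(pkt.port, now):
            return Action.DROP, "rate-limit"
        # Exception ports and VLANs without Check enabled bypass inspection entirely.
        if pkt.port in self.exception_ports:
            return Action.FORWARD, "exception-port"
        policy = self.vlans.get(pkt.vlan, VlanPolicy())
        if not policy.check:
            return Action.FORWARD, "inspection-disabled"
        mac = norm_mac(pkt.sender_mac)
        # 1. Static ARP list is authoritative: a mismatch drops even if DHCP Snooping agrees.
        if pkt.sender_ip in self.arp_list:
            if self.arp_list[pkt.sender_ip] == mac:
                return Action.FORWARD, "arp-list match"
            return Action.DROP, "arp-list mismatch"
        # 2. Then the DHCP Snooping bindings.
        if pkt.sender_ip in self.dhcp_snooping:
            if self.dhcp_snooping[pkt.sender_ip] == mac:
                return Action.FORWARD, "dhcp-snooping match"
            return Action.DROP, "dhcp-snooping mismatch"
        # 3. IP in neither list: the per-VLAN Drop/Forward setting decides.
        return policy.unknown_ip, "unknown-ip default"


def build_demo_inspector() -> ArpInspector:
    """Constructed sample tables and settings (not taken from a real device)."""
    return ArpInspector(
        arp_list={"10.0.10.1": "00:11:22:33:44:01"},        # gateway, static binding
        dhcp_snooping={"10.0.10.50": "00:11:22:33:44:50"},  # DHCP client, learned binding
        vlans={10: VlanPolicy(check=True, unknown_ip=Action.DROP),
               20: VlanPolicy(check=True, unknown_ip=Action.FORWARD)},
        exception_ports={"ethernet0/8"},                    # trusted uplink
        arp_rate={"ethernet0/1": 2},                        # 2 ARP packets/sec on this port
    )


if __name__ == "__main__":
    insp = build_demo_inspector()
    # A host on an access port claiming the gateway's IP with its own MAC (spoofing attempt).
    spoof = ArpPacket(10, "ethernet0/2", "10.0.10.1", "DE-AD-BE-EF-00-01")
    print(insp.inspect(spoof))                                  # (Action.DROP, 'arp-list mismatch')
    print(insp.inspect(ArpPacket(20, "ethernet0/3", "10.0.20.9", "de:ad:be:ef:00:02")))
```

Running the module prints the verdicts for a gateway-spoofing ARP packet on VLAN 10 and for an unbound address on VLAN 20, where the Forward default lets it through. The static ARP list is consulted first, so a gateway or server pinned there cannot be re-bound by a forged DHCP lease; that is the reason to keep critical addresses in the static list rather than relying on snooping alone.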