ARP Inspection

Policy > ARP Defense > ARP Inspection

Hillstone devices support ARP Inspection for interfaces. With this function enabled, the system will inspect all the ARP packets passing through the specified interfaces, and compare the IP addresses of the ARP packets with the static IP-MAC bindings in the ARP list and IP-MAC bindings in the DHCP Snooping list:

If the IP address is in the ARP list and the MAC address is matched, the ARP packet will be forwarded;
If the IP address is in the ARP list but the MAC address is not matched, the ARP packet will be dropped;
If the IP address is not in the ARP list, continue to check if the IP address is in the DHCP Snooping list;
If the IP address is in the DHCP Snooping list and the MAC address is also matched, the ARP packet will be forwarded;
If the IP address is in the DHCP Snooping list but the MAC address is not matched, the ARP packet will be dropped;
If the IP address is not in the DHCP Snooping, the ARP packet will be dropped or forwarded according to the specific configuration.

In the ARP Inspection page, you can perform the following actions:

Click New or double-click the item to configure the VLAN settings or the ARP Inspection function of the interface.
Click Delete to delete the selected ARP inspection entries from the table.
Click Advanced to configure the exception port. The ARP inspection will not inspect packets that pass through the exception port.

Options in the Interface Configuration dialog:

Option	Description
VLAN ID	Type the ID of the VLAN that you want to enable the ARP Inspection function.
ARP Inspection	Select Enable to enable the ARP Inspection function for the VLAN.
Action	Select Drop or Forward as needed to process ARP packets accordingly if the packets' IP addresses are not in the ARP list.

Options in the Advanced Options dialog:

Option	Description
Edit	Configure the ARP rate of the selectd interface. ARP rate refers to the number of ARP packets received per second on the interface. If the number exceeds the specified value, the system will drop the excessive ARP packets. The value range is 0 to 10000. The default value is 0, i.e., no rate limit.
Trusted/Untrusted	Configure the trusted interfaces and the untrusted interfaces. ARP inspection will not inspect the packets that pass through the trusted interfaces and inspect the packets that pass through the untrusted interfaces.