Configuring Arp Attack Protection; Overview; Configuring Periodic Sending Of Gratuitous Arp Packets - HPE FlexNetwork MSR Series Configuration Manual

Configuring ARP attack protection

Overview

ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network
attacks. ARP attacks and viruses threaten LAN security. The device can provide the following
features to detect and prevent such attacks.
Periodic sending of gratuitous ARP packets
Enabling a device to periodically send gratuitous ARP packets helps downstream devices update
their corresponding ARP entries or MAC entries in time. This feature can be used to:
•
Prevent gateway spoofing.
•
Prevent ARP entries from being aged out.
•
Prevent the virtual IP address of a VRRP group from being used by a host.
•
Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured.
Configuring ARP automatic scanning and fixed ARP
ARP automatic scanning is typically used together with the fixed ARP feature.
•
With ARP automatic scanning enabled on an interface, the device automatically scans
neighbors on the interface, sends ARP requests to the neighbors, obtains their MAC addresses,
and creates dynamic ARP entries.
•
Fixed ARP allows the device to change the existing dynamic ARP entries (including those
generated through ARP automatic scanning) into static ARP entries.
The ARP automatic scanning and fixed ARP feature effectively prevent ARP entries from being
modified by attackers. Use the two functions in a small-sized network with stable environment, such
as a cybercafé.
Configuring periodic sending of gratuitous ARP
packets
From the navigation tree, select Advanced > ARP Anti-Attack > Send Gratuitous ARP.
The Send Gratuitous ARP page appears, as shown in
Figure 355 Configuring Gratuitous ARP sending
Figure 355.
335