Dynamic ARP Protection - port trust, vlans, and validate


Address Resolution Protocol (ARP) allows hosts to communicate over the network by creating an IP to MAC address mapping used in the transmission of packets. Attackers can use ARP to generate bogus mappings, allowing them to spoof other clients' MAC addresses and intercept traffic destined to them. Additionally, an attacker could generate an unlimited number of artificial ARP entries, filling up the caches of other clients on the network and causing a denial of service (DoS).

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


To enable Dynamic ARP Protection globally on the switch, use the following command:

switch(config)# arp-protect

To designate VLANs 10 and 20 to be protected, ports 1-4 as trusted, and enable source MAC address, destination MAC address, and IP address validation for ARP protected VLANs:

switch(config)# arp-protect vlan 10 20
switch(config)# arp-protect trust 1-4
switch(config)# arp-protect validate src-mac dest-mac ip

See Also


Item Details


References: 800-53|SC-5

Plugin: ArubaOS

Control ID: d32c20c65e7b01b90df84469fce577ca81eb33aedb7997e4e1c773c2bc55f641