To defend against ARP address spoofing attacks, configure ARP entry fixing on the gateway. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
- fixed-mac: When receiving an ARP packet, the device discards
the packet if the MAC address does not match that in the corresponding
ARP entry. If the MAC addresses match but the interface number or
VLAN ID does not match that in the ARP entry, the device updates the
interface number or VLAN ID in the ARP entry. This mode applies to
networks where user MAC addresses are unchanged but user access locations
often change. When a user connects to a different interface on the
device, the device updates the interface information in the user's
ARP entry.
- fixed-all: When the MAC address, interface number, and
VLAN ID of an ARP packet match those in the corresponding ARP entry,
the device updates other information about the ARP entry. This mode
applies to networks where user MAC addresses and user access locations
are fixed.
- send-ack: When the device receives an ARP packet with a
changed MAC address, interface number, or VLAN ID, it does not immediately
update the corresponding ARP entry. Instead, the device sends a unicast
ARP Request packet to the user with the IP address mapped to the original
MAC address in the ARP entry. The device then determines whether to
change the MAC address, VLAN ID, or interface number in the ARP entry
depending on the response from the user. This mode applies to networks
where user MAC addresses and user access locations often change.
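The decision logic of the three modes, written out as an added illustration (this is not the gateway vendor's code). It assumes the lookup by IP has already been done, that a fixed-all mismatch is discarded, and that in send-ack mode a reply from the original MAC means the entry is kept while no reply means it is updated; the probe callback stands in for the unicast ARP Request.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class ArpEntry:
    ip: str
    mac: str
    ifindex: str  # ingress interface, e.g. "GE0/0/1" (constructed sample value)
    vlan: int

# Hypothetical: an incoming ARP packet carries the same four fields we compare on.
ArpPacket = ArpEntry
# probe(ip, original_mac) -> True if the original host answers a unicast ARP Request.
Probe = Callable[[str, str], bool]

def check_fixed_mac(entry: ArpEntry, pkt: ArpPacket) -> str:
    """fixed-mac: MAC must match; interface/VLAN are allowed to follow the user."""
    if pkt.mac != entry.mac:
        return "discard"
    if (pkt.ifindex, pkt.vlan) != (entry.ifindex, entry.vlan):
        entry.ifindex, entry.vlan = pkt.ifindex, pkt.vlan
        return "update-location"
    return "accept"

def check_fixed_all(entry: ArpEntry, pkt: ArpPacket) -> str:
    """fixed-all: MAC, interface and VLAN must all match before the entry is
    refreshed; anything else is dropped (assumption: the text only spells out
    the matching case)."""
    if (pkt.mac, pkt.ifindex, pkt.vlan) != (entry.mac, entry.ifindex, entry.vlan):
        return "discard"
    return "accept"

def check_send_ack(entry: ArpEntry, pkt: ArpPacket, probe: Probe) -> str:
    """send-ack: on any change, first unicast an ARP Request to the ORIGINAL MAC.
    Assumption: a reply means the original owner still holds the IP, so the
    change is rejected; no reply means the entry may be rewritten."""
    if (pkt.mac, pkt.ifindex, pkt.vlan) == (entry.mac, entry.ifindex, entry.vlan):
        return "accept"
    if probe(entry.ip, entry.mac):
        return "discard"
    entry.mac, entry.ifindex, entry.vlan = pkt.mac, pkt.ifindex, pkt.vlan
    return "update"

# Constructed sample: the gateway's entry for one user and a packet that claims
# the same IP from a different MAC on a different port.
SAMPLE_ENTRY = ArpEntry("10.0.0.5", "aa:bb:cc:00:00:01", "GE0/0/1", 10)
SAMPLE_CHANGED = ArpEntry("10.0.0.5", "aa:bb:cc:00:00:99", "GE0/0/7", 10)
```

Because the check functions mutate the entry in place, run each mode against a fresh copy of the table entry when comparing them.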