ARP Security Solutions

You need to select a proper ARP security solution depending on the attack type and symptoms, as described in Table 1 and Table 2.

Table 1 ARP security solutions to ARP flood attacks

Symptom (shared by all functions in this table):
  • Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
  • The device fails to learn ARP entries due to high CPU usage, it is disconnected from the NMS, it frequently alternates between master and slave states, its interface indicators blink fast red, or attached devices are disconnected from the network.
  • Ping responses are delayed, packets are lost, or the ping operation fails.

Anti-Attack Function: Rate limiting on ARP packets
  Identification:
    • A large number of ARP packets are discarded (according to the display cpu-defend statistics packet-type { arp-request | arp-reply } all command output).
    • Logs or alarms indicate that the rate of ARP packets has exceeded the upper limit on the device.
  Function Description: Limits the rate of ARP packets, ensuring that the device has sufficient CPU resources to process other services when receiving a large number of ARP packets.
    NOTE: When an access device is enabled with MAC-Forced Forwarding (MFF), the MFF module may forward too many ARP packets with destination IP addresses that differ from the IP address of the interface receiving these packets, which leads to CPU overload. To resolve this problem, limit the rate of ARP packets globally, in a VLAN, or on an interface.
  Deployment: You are advised to enable this function on the gateway.

Anti-Attack Function: Rate limiting on ARP Miss messages
  Identification:
    • A large number of ARP packets are discarded (according to the display cpu-defend statistics packet-type arp-miss all command output).
    • Logs or alarms indicate that the rate of ARP Miss packets has exceeded the upper limit on the device.
  Function Description: Limits the rate of ARP Miss messages to defend against attacks from a large number of IP packets with unresolvable destination IP addresses, ensuring that the device has sufficient CPU resources to process other services.
  Deployment: You are advised to enable this function on the gateway.

Anti-Attack Function: Optimized ARP reply
  Identification: In capturing packets, you find that the device is receiving a lot of ARP packets whose destination IP address is the device IP address.
  Function Description: Improves the stack's capability of defending against ARP flood attacks. After optimized ARP reply is configured, the standby/slave switch directly returns an ARP Reply packet when receiving an ARP Request packet whose destination IP address is the local interface address.
  Deployment: You are advised to configure this function on the stack that is used as the gateway.

Anti-Attack Function: Strict ARP learning
  Identification: A large number of ARP packets are discarded (according to the display cpu-defend statistics packet-type { arp-request | arp-reply } all command output).
  Function Description: Allows the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent. This prevents ARP entries from being exhausted by invalid ARP packets.
  Deployment: You are advised to enable this function on the gateway.

Anti-Attack Function: ARP entry limiting
  Identification: Same as for strict ARP learning.
  Function Description: Limits the maximum number of dynamic ARP entries that can be learned by an interface on the device, preventing ARP entries from being exhausted when a host connected to the interface attacks the device.
  Deployment: You are advised to enable this function on the gateway.

Anti-Attack Function: Disabling ARP learning on interfaces
  Identification: Same as for strict ARP learning.
  Function Description: Disables an interface from learning ARP entries, preventing ARP entries from being exhausted when a host connected to the interface attacks the device.
  Deployment: You are advised to enable this function on the gateway.
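As an added illustration (not Huawei's code), this Python model of a gateway ARP cache shows how strict ARP learning and ARP entry limiting from Table 1 change what gets learned: an unsolicited ARP Reply is ignored, and a per-interface limit (or a limit of 0, which models disabling ARP learning on the interface) refuses new dynamic entries. The class, its interface names and the sample addresses are assumptions for the example.

```python
class ArpCache:
    """Simplified gateway ARP cache (constructed model, not the switch's implementation).

    strict_learning: learn only from ARP Replies answering our own ARP Requests.
    limits: interface name -> maximum number of dynamic entries on that interface;
            an interface not listed is unlimited, and a limit of 0 models
            'disabling ARP learning on interfaces'.
    """

    def __init__(self, strict_learning=True, limits=None):
        self.strict_learning = strict_learning
        self.limits = dict(limits or {})
        self.pending = set()    # IPs for which this device has sent an ARP Request
        self.entries = {}       # ip -> (mac, interface)

    def send_request(self, ip):
        """Record that the device itself solicited a reply for ip."""
        self.pending.add(ip)

    def dynamic_count(self, iface):
        return sum(1 for _, i in self.entries.values() if i == iface)

    def learn(self, op, spa, sha, iface):
        """Offer one received ARP packet (op 1=Request, 2=Reply); return (learned, reason)."""
        if self.strict_learning and (op != 2 or spa not in self.pending):
            # Requests and replies we never asked for cannot create or update entries,
            # so a flood of bogus packets does not consume ARP table space.
            return False, "ignored: not a reply to our own request (strict ARP learning)"
        if spa not in self.entries:
            limit = self.limits.get(iface)
            if limit is not None and self.dynamic_count(iface) >= limit:
                return False, f"ignored: dynamic ARP entry limit reached on {iface}"
        self.entries[spa] = (sha, iface)
        self.pending.discard(spa)
        return True, "learned"
```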

Table 2 ARP security solutions to ARP spoofing attacks

Symptom:
  • Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
  • Ping packets are lost, or the ping operation fails.

Anti-Attack Function: ARP entry fixing
  Identification: You run the display arp all command to find that the user ARP entries have been modified.
  Function Description: After the device with this function enabled learns an ARP entry for the first time, it does not update the entry, updates only part of the entry, or sends a unicast ARP Request packet to validate the ARP packet before updating the entry. This ensures that valid ARP entries will not be replaced by attackers using forged ARP packets. The device supports three ARP entry fixing modes: fixed-all, fixed-mac, and send-ack.
  Deployment: You are advised to enable this function on the gateway.

Symptom:
  • Network access speed is low.
  • Ping responses are delayed, or packets are lost.

Anti-Attack Function: Dynamic ARP inspection
  Identification: When checking user ARP entries, you find that the ARP entries of the peer user communicating with the local user have been modified.
  Function Description: Allows a device to compare the source IP address, source MAC address, interface number, and VLAN ID of an ARP packet with DHCP snooping binding entries. If an entry is matched, the device considers the ARP packet valid and allows the packet to pass through. If no entry is matched, the device considers the ARP packet invalid and discards the packet. This function is available only for DHCP snooping scenarios.
  Deployment: You are advised to enable this function on an access device.
    NOTE: When ARP learning triggered by DHCP is enabled on the gateway, this function can also be enabled on the gateway.

Symptom:
  • Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
  • The device is disconnected from an NMS, an attached device is disconnected, or gateway address conflicts occur.
  • Ping packets are lost, or the ping operation fails.

Anti-Attack Function: ARP gateway anti-collision
  Identification:
    • When checking user ARP entries, you find that the gateway's ARP entry has been modified.
    • There are gateway conflict logs or alarms on the device.
  Function Description: Prevents gateway ARP entries on hosts from being modified by attackers using bogus gateway IP addresses.
  Deployment: You are advised to enable this function on the gateway.

Symptom:
  • Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
  • Ping responses are delayed, packets are lost, or the ping operation fails.

Anti-Attack Function: Gratuitous ARP packet sending
  Identification: When checking user ARP entries, you find that the ARP entries of the gateway or of the peer user communicating with the local user have been modified.
  Function Description: Allows the device used as the gateway to periodically send ARP Request packets whose destination IP address is the device IP address, so that hosts refresh the gateway MAC address in their ARP entries. This function ensures that packets of authorized users are forwarded to the gateway and prevents hackers from intercepting these packets.
  Deployment: You are advised to enable this function on the gateway.

Symptom:
  • Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
  • The device is disconnected from an NMS, an attached device is disconnected, or gateway address conflicts occur.
  • Ping responses are delayed, packets are lost, or the ping operation fails.

Anti-Attack Function: MAC address consistency check in an ARP packet
  Identification: You run the display arp all command to find that the user ARP entries have been modified.
  Function Description: Defends against attacks from bogus ARP packets in which the source and destination MAC addresses in the ARP payload differ from those in the Ethernet frame header.
  Deployment: You are advised to enable this function on the gateway.

Anti-Attack Function: ARP packet validity check
  Identification: In capturing packets, you find that invalid packets are being sent to initiate ARP spoofing attacks.
  Function Description: Allows the device to filter out packets with invalid MAC addresses or IP addresses. The device checks ARP packets based on source MAC addresses, destination MAC addresses, or IP addresses.
  Deployment: You are advised to enable this function on the gateway or on an access device.

Anti-Attack Function: Strict ARP learning
  Identification: You run the display arp all command to find that the user ARP entries have been modified.
  Function Description: Allows the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent. This prevents the device from incorrectly updating ARP entries based on received bogus ARP packets.
  Deployment: You are advised to enable this function on the gateway.

Symptom:
  • Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
  • Ping responses are delayed, packets are lost, or the ping operation fails.

Anti-Attack Function: ARP learning triggered by DHCP
  Identification: When checking user ARP entries in DHCP snooping scenarios, you find that the ARP table of the peer user communicating with the local user has been modified.
  Function Description: Allows the device to generate ARP entries based on received DHCP ACK packets. When many DHCP users connect to a network device, the device would otherwise need to learn and maintain many ARP entries through ARP exchange, affecting device performance; this function prevents that problem. You can also configure DAI to prevent ARP entries of DHCP users from being modified maliciously.
  Deployment: You are advised to enable this function on the gateway.
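As an added illustration (not Huawei's code), this Python check applies three of the Table 2 mechanisms to a raw Ethernet/ARP frame in the order a switch would: the MAC address consistency check (ARP payload MACs against the Ethernet header), the ARP packet validity check (all-zero, broadcast or multicast source MAC, and unusable sender IP), and the dynamic ARP inspection lookup against a DHCP snooping binding table. The binding-table layout, the frame builder, the interface names and the sample addresses are assumptions for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806

# Constructed DHCP snooping binding table (assumption: a set of
# (IP, MAC, interface, VLAN) tuples, not the switch's own data format).
BINDINGS = {("192.0.2.10", "00:11:22:33:44:55", "GE0/0/1", 10)}

def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))

def build_arp_frame(eth_src, eth_dst, op, sha, spa, tha, tpa):
    """Build an Ethernet II + ARP (IPv4 over Ethernet) frame; op 1=Request, 2=Reply."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac_bytes(sha), bytes(map(int, spa.split("."))),
                      mac_bytes(tha), bytes(map(int, tpa.split("."))))
    return eth + arp

def check_arp(frame, iface, vlan, bindings=BINDINGS):
    """Return (accepted, reason) for one ARP frame received on iface in vlan."""
    if len(frame) < 42:
        return False, "truncated frame"
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETHERTYPE_ARP:
        return False, "not an ARP frame"
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False, "unsupported ARP header"
    # MAC address consistency check: payload MACs must match the Ethernet header.
    if sha != eth_src:
        return False, "sender MAC differs from Ethernet source MAC"
    if op == 2 and tha != eth_dst:
        return False, "target MAC differs from Ethernet destination MAC"
    # ARP packet validity check: reject all-zero, broadcast or multicast source MACs
    # and sender IPs no host can own (all-zero, all-ones, multicast); assumed rules.
    if sha in (b"\x00" * 6, b"\xff" * 6) or sha[0] & 1:
        return False, "invalid source MAC"
    if spa in (b"\x00" * 4, b"\xff" * 4) or spa[0] >= 224:
        return False, "invalid sender IP"
    # Dynamic ARP inspection: sender IP, sender MAC, interface and VLAN must match a binding.
    key = (".".join(map(str, spa)), ":".join(f"{b:02x}" for b in sha), iface, vlan)
    if key not in bindings:
        return False, "no matching DHCP snooping binding"
    return True, "ok"
```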

Copyright © Huawei Technologies Co., Ltd.