
Can Static ARP Implement the Binding of IP Addresses and MAC Addresses?

Static ARP can bind IP addresses to MAC addresses so that ARP entries cannot be updated by forged ARP packets sent by attackers. However, even when static ARP is configured, users who change their IP addresses without permission can still access external networks. To address this problem, configure IP source guard (IPSG).

Dynamic ARP inspection (DAI) and egress ARP inspection (EAI) can also implement the binding of IP addresses and MAC addresses. The application scenarios for static ARP, IPSG, DAI, and EAI are different. You can deploy these functions according to service requirements.

Static ARP

Scenario

Static ARP entries are applicable when:
  • Networks contain critical devices such as servers. In this case, static ARP entries can be configured on the switch for the critical devices' IP addresses. Attackers then cannot update those ARP entries with ARP attack packets, which keeps communication between users and the critical devices intact.
  • Networks contain user devices with multicast MAC addresses. By default, a device does not learn ARP entries from ARP packets whose source MAC address is a multicast MAC address, so such devices can be reached only if static ARP entries for them are configured on the switch.
  • A network administrator wants to prevent an IP address from accessing devices. In this case, a static ARP entry can be configured on the switch to bind the IP address to an unavailable MAC address, so that traffic destined for that IP address is never delivered.

Implementation

Static ARP entries are never aged out and cannot be overwritten by dynamic ARP entries. You can run the arp static command to configure a single static ARP entry manually, or use automatic scanning together with fixed ARP entries to configure static ARP entries in batches.
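To make the behaviour described in the scenarios above concrete, the following Python model of a switch ARP table replays them: a dynamic entry is hijacked by a forged reply and ages out, a static entry survives both, a multicast source MAC is never learned dynamically, and an IP address pinned to an unused MAC address stays pinned. This is an added illustration written for this page, not Huawei code; the class names, the aging counter, the colon-separated MAC format and every address in it are constructed for the example.

```python
"""Model of a switch ARP table with dynamic and static entries.

Added illustration for this page, not Huawei code. Class names, the aging
counter and every address below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ArpEntry:
    mac: str
    static: bool        # static entries are never aged or overwritten
    age: int = 0        # ticks since the dynamic entry was last refreshed


def is_multicast_mac(mac: str) -> bool:
    """Group bit (LSB of the first octet) set means a multicast MAC address."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


class ArpTable:
    def __init__(self, max_age: int = 3):
        self.entries: dict[str, ArpEntry] = {}
        self.max_age = max_age

    def add_static(self, ip: str, mac: str) -> None:
        """Counterpart of 'arp static <ip> <mac>': pin ip to mac unconditionally."""
        self.entries[ip] = ArpEntry(mac=mac, static=True)

    def learn(self, ip: str, mac: str) -> bool:
        """Process a received ARP packet; return True if the table changed."""
        if is_multicast_mac(mac):
            return False            # default: never learn from a multicast source MAC
        current = self.entries.get(ip)
        if current is not None and current.static:
            return False            # a forged packet cannot overwrite a static entry
        self.entries[ip] = ArpEntry(mac=mac, static=False)
        return True

    def tick(self) -> None:
        """Advance the aging timer; dynamic entries past max_age are removed."""
        for ip, entry in list(self.entries.items()):
            if entry.static:
                continue
            entry.age += 1
            if entry.age >= self.max_age:
                del self.entries[ip]

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ip)
        return entry.mac if entry else None


def run_scenarios() -> dict:
    """Replay the scenarios from the list above; every value should be True."""
    server_ip, server_mac = "10.1.1.10", "00:e0:fc:01:00:01"   # constructed
    attacker_mac = "00:e0:fc:99:99:99"
    results = {}

    # 1. Dynamic entry only: a forged ARP reply redirects the server's IP.
    table = ArpTable()
    table.learn(server_ip, server_mac)
    table.learn(server_ip, attacker_mac)
    results["dynamic_hijacked"] = table.lookup(server_ip) == attacker_mac

    # 1b. Static entry: the same forged reply is rejected and the entry does not age
    #     out, while a dynamic entry for another host disappears after max_age ticks.
    table = ArpTable()
    table.add_static(server_ip, server_mac)
    table.learn("10.1.1.20", "00:e0:fc:01:00:20")
    table.learn(server_ip, attacker_mac)
    for _ in range(table.max_age):
        table.tick()
    results["static_survives"] = table.lookup(server_ip) == server_mac
    results["dynamic_aged_out"] = table.lookup("10.1.1.20") is None

    # 2. Multicast source MAC: never learned dynamically, reachable only via a static entry.
    mcast_ip, mcast_mac = "10.1.1.30", "01:00:5e:00:00:05"
    results["multicast_not_learned"] = not table.learn(mcast_ip, mcast_mac)
    table.add_static(mcast_ip, mcast_mac)
    results["multicast_via_static"] = table.lookup(mcast_ip) == mcast_mac

    # 3. Unavailable-MAC binding: the IP stays pinned even if the host later
    #    announces its real MAC address.
    blocked_ip, unused_mac = "10.1.1.200", "00:00:00:00:00:01"
    table.add_static(blocked_ip, unused_mac)
    table.learn(blocked_ip, "00:e0:fc:02:00:c8")
    results["blackhole_pinned"] = table.lookup(blocked_ip) == unused_mac
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAILED'}")
```

The model deliberately has no notion of the packet's ingress port or VLAN: static ARP only pins an IP-to-MAC mapping, which is exactly why a host that keeps its MAC but changes its IP is not caught here and needs IPSG.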

IPSG

Scenario

IPSG is used to prevent unauthorized users from forging IP addresses. For example, after IPSG is configured, users who change IP addresses without permission on a network are denied access to external networks.

In IP address forging scenarios, attackers keep their own MAC addresses but use other users' IP addresses to communicate, in order to obtain the attacked users' rights or the packets that should have been sent to the attacked users.

Implementation

IPSG is used to verify IP packets against dynamic or static DHCP binding tables.

When forwarding an IP packet, a device compares the source IP address, source MAC address, interface, and VLAN of the IP packet with the information in the binding table. (The comparison items are configurable. For example, you can configure only the source IP address and VLAN for comparison; note that every item you drop weakens the binding, since a packet then only has to match the remaining items.)
  • If the parameters match an entry in the table, the user is authorized, and the device forwards the IP packet.
  • If the parameters do not match any entry in the table, the device considers the packet an attack and discards it.

When configuring IPSG, you can run the user-bind static command to configure a static binding table.

DAI

Scenario

DAI is used to prevent man-in-the-middle (MITM) attacks. If DAI is not configured, the ARP entries of authorized users on a device may be updated by forged ARP packets sent by attackers.

Implementation

DAI is used to verify ARP packets against dynamic or static DHCP binding tables.

When receiving an ARP packet, a device compares the source IP address, source MAC address, interface, and VLAN of the ARP packet with the information in the binding table. (The comparison items are configurable. For example, you can configure only the source IP address and VLAN for comparison.)
  • If the parameters match an entry in the table, the user is authorized, and the device allows the ARP packet to pass.
  • If the parameters do not match any entry in the table, the device considers the packet an attack and discards it.

When configuring DAI, you can run the user-bind static command to configure a static binding table.

EAI

Scenario

EAI is used to avoid broadcasting ARP Request packets. It reduces the impact of ARP broadcast traffic on the network and keeps services running normally for users.

Implementation

EAI determines the outbound interface of an ARP Request packet according to the dynamic DHCP snooping binding table and forwards the packet through this outbound interface to prevent broadcast.
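IPSG, DAI and EAI all work from the same binding table, so one Python model covers the three implementation sections above: the configurable-item comparison that IPSG applies to IP packets and DAI applies to ARP packets, and the outbound-interface lookup that EAI performs for ARP Requests. This is an added example written for this page, not Huawei code; the Binding/Packet/BindingTable names, the "dhcp"/"static" source tag, the GE0/0/x interface names and all addresses are constructed assumptions, and the check-item names are this example's own vocabulary rather than any CLI keywords.

```python
"""Model of a DHCP snooping / static binding table and the checks built on it.

Added illustration for this page, not Huawei code. Field names, the check-item
vocabulary, interface names and all addresses are constructed for the example.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int
    source: str = "dhcp"      # "dhcp": learned by DHCP snooping; "static": configured by hand


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    interface: str            # interface the packet arrived on
    vlan: int


ALL_ITEMS: Sequence[str] = ("ip", "mac", "interface", "vlan")


class BindingTable:
    def __init__(self, bindings: Iterable[Binding]):
        self.bindings = list(bindings)

    def check(self, pkt: Packet, items: Sequence[str] = ALL_ITEMS) -> bool:
        """IPSG (IP packets) and DAI (ARP packets) share this test: the packet is
        forwarded only if some binding agrees on every configured check item."""
        fields = {"ip": pkt.src_ip, "mac": pkt.src_mac,
                  "interface": pkt.interface, "vlan": pkt.vlan}
        return any(all(getattr(b, item) == fields[item] for item in items)
                   for b in self.bindings)

    def egress_for(self, target_ip: str) -> Optional[str]:
        """EAI: choose the outbound interface for an ARP Request from the dynamic
        DHCP snooping bindings. None means no binding exists, so the request is
        flooded as an ordinary broadcast."""
        for b in self.bindings:
            if b.source == "dhcp" and b.ip == target_ip:
                return b.interface
        return None


def run_scenarios() -> dict:
    """Constructed access-switch table: two DHCP clients and a statically bound gateway."""
    table = BindingTable([
        Binding("10.1.1.10", "00:e0:fc:00:00:0a", "GE0/0/1", 10),
        Binding("10.1.1.11", "00:e0:fc:00:00:0b", "GE0/0/2", 10),
        Binding("10.1.1.1", "00:e0:fc:00:00:01", "GE0/0/24", 10, source="static"),
    ])
    r = {}

    # IPSG: the legitimate client on GE0/0/1 is forwarded.
    r["ipsg_legit"] = table.check(Packet("10.1.1.10", "00:e0:fc:00:00:0a", "GE0/0/1", 10))
    # IPSG: the same client changes its IP address by hand and is denied.
    r["ipsg_changed_ip"] = table.check(Packet("10.1.1.50", "00:e0:fc:00:00:0a", "GE0/0/1", 10))
    # IPSG: the host on GE0/0/2 keeps its own MAC but steals 10.1.1.10 (IP forging).
    spoof = Packet("10.1.1.10", "00:e0:fc:00:00:0b", "GE0/0/2", 10)
    r["ipsg_spoof_full_check"] = table.check(spoof)
    # ...which slips through if only ip and vlan are compared: fewer items, weaker binding.
    r["ipsg_spoof_ip_vlan_only"] = table.check(spoof, items=("ip", "vlan"))

    # DAI: a forged ARP packet claiming the gateway IP from the attacker's port is dropped.
    r["dai_forged_gateway"] = table.check(Packet("10.1.1.1", "00:e0:fc:00:00:0b", "GE0/0/2", 10))
    # DAI: the real gateway's ARP packet passes through the static binding.
    r["dai_gateway_ok"] = table.check(Packet("10.1.1.1", "00:e0:fc:00:00:01", "GE0/0/24", 10))

    # EAI: an ARP Request for a DHCP client leaves on one port; an unknown target floods.
    r["eai_known_target"] = table.egress_for("10.1.1.11")
    r["eai_unknown_target"] = table.egress_for("10.1.1.99")
    return r


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The two spoofing cases are the ones to keep in mind when trimming the comparison items: with all four items the IP-forging host is stopped because its MAC and port do not match the victim's binding, whereas an ip-plus-vlan check accepts it, since that is exactly the information the attacker copied.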

Copyright © Huawei Technologies Co., Ltd.