Dynamic ARP Protection in an HP Procurve Network

ARP poisoning is a well-known problem on Ethernet-based networks: any host on the segment can answer ARP requests with its own MAC address and intercept traffic meant for another host.

If you have HP Procurve switches and a DHCP enabled network, you have the option of enabling ARP Protection.

In order for ARP Protection to work, DHCP Snooping also has to be enabled. This is because the switch builds a table of MAC-to-IP bindings from the addresses the DHCP server allocates to clients. Once the switch has this table, it knows which MAC address is allowed to send ARP packets for a given IP address, and it drops ARP packets whose sender MAC/IP pair does not match an entry.

Configuring ARP Protection is simple: trust your uplink ports and protect a VLAN. Protection can also be enabled on a port-by-port basis.

First enable DHCP snooping if it hasn't already been enabled.

switch# config t

Enable it globally

switch(config)# dhcp-snooping

Trust inter-switch links

switch(config)# interface 51

switch(eth-51)# dhcp-snooping trust

switch(eth-51)# exit

switch(config)# interface 52

switch(eth-52)# dhcp-snooping trust

switch(eth-52)# exit

Then protect the specific VLAN that needs to be protected.

switch(config)# dhcp-snooping vlan 2222

Once DHCP snooping has been configured, ARP protection can be enabled.

Enable it globally

switch(config)# arp-protect

Trust inter-switch links

switch(config)# arp-protect trust 51-52

Then protect the specific VLAN that needs to be protected.

switch(config)# arp-protect vlan 2222
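To make the mechanism behind those commands concrete, here is a small Python model of the switch's decision logic: DHCP snooping learns bindings only from server replies on trusted ports, and ARP protection checks each ARP packet on a protected VLAN against that table. This is an added illustration, not HP ProCurve code; the MAC addresses, IP addresses and port numbers below are constructed, and the binding/frame format is simplified.

```python
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: int        # recorded by snooping; this model compares only vlan/ip/mac


@dataclass
class ArpProtectSwitch:
    trusted_ports: set = field(default_factory=set)    # uplinks (51-52 in the post)
    protected_vlans: set = field(default_factory=set)  # VLAN 2222 in the post
    bindings: dict = field(default_factory=dict)       # (vlan, ip) -> Binding

    def dhcp_ack(self, port, vlan, mac, ip):
        """DHCP snooping: learn a lease only from a server ACK seen on a trusted port."""
        if port not in self.trusted_ports:
            return False   # server reply on an untrusted port is dropped, not learned
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)
        return True

    def add_static(self, vlan, mac, ip, port=0):
        """Hosts with fixed addresses never get a lease; they need an explicit entry."""
        self.bindings[(vlan, ip)] = Binding(mac, ip, vlan, port)

    def inspect_arp(self, port, vlan, sender_mac, sender_ip):
        """Return 'forward' or 'drop' for an ARP packet received on port/vlan."""
        if vlan not in self.protected_vlans or port in self.trusted_ports:
            return "forward"          # unprotected VLAN or trusted uplink: not inspected
        b = self.bindings.get((vlan, sender_ip))
        if b is None or b.mac.lower() != sender_mac.lower():
            return "drop"             # sender IP/MAC pair is not in the binding table
        return "forward"


def demo():
    """Constructed scenario: uplinks 51-52 trusted, VLAN 2222 protected."""
    sw = ArpProtectSwitch(trusted_ports={51, 52}, protected_vlans={2222})
    sw.add_static(2222, "00:11:22:33:44:01", "10.0.0.1")                    # gateway
    sw.dhcp_ack(port=51, vlan=2222, mac="00:11:22:33:44:aa", ip="10.0.0.10")  # real lease
    rogue = sw.dhcp_ack(port=7, vlan=2222, mac="00:11:22:33:44:ee", ip="10.0.0.20")
    return {
        "rogue_dhcp_learned": rogue,
        "legit_host": sw.inspect_arp(5, 2222, "00:11:22:33:44:aa", "10.0.0.10"),
        "spoofed_gateway": sw.inspect_arp(7, 2222, "00:11:22:33:44:ee", "10.0.0.1"),
        "static_host_no_binding": sw.inspect_arp(9, 2222, "00:11:22:33:44:bb", "10.0.0.30"),
        "unprotected_vlan": sw.inspect_arp(7, 10, "00:11:22:33:44:ee", "10.0.0.1"),
    }
```

The `static_host_no_binding` case is the operational gotcha: a host on the protected VLAN with a manually configured address has no snooped lease, so its ARP traffic is dropped until a static entry is added.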

This is a very basic overview of dynamic ARP protection. The diagrams below illustrate what ARP poisoning is and what ARP protection does to defend against it.

[Diagram: ARP poisoning]

[Diagram: ARP protection]
