Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

It is currently Sun Jan 29, 2023 2:28 am

Articles and howtos about TP-Link JetStream switches

Author Message
Post  Post subject: TP-Link TL-SG3210 How to configure ARP Inspection, DHCP Snooping and ARP Scanning  |  Posted: Thu Sep 14, 2017 5:28 am
Site Admin

Joined: Mon Aug 03, 2009 8:43 am
Posts: 104


TP-Link TL-SG3210 How to configure ARP Inspection, DHCP Snooping and ARP Scanning

ARP Inspection (or "Dynamic ARP Inspection" as some vendors call it) is a security feature that prevents ARP injection/spoofing attacks in untrusted network segements.

A ARP injection/spoof attack is, in a nutshell, is a situation where an attacker in the same Layer 2 broadcast domain / vlan injects ARP replies of the default gateway on that lan (or any other host for that matter) so that legitimate users send traffic to the attacker instead of the default gateway. This will allow attacker to be man in the middle and find out passwords from unencrypted traffic (not much unencrypted traffic nowadays because 95% of the traffic is running over encrypted sessions). This can have very serious security implications.

How does ARP Inspection help ?
It inspects every ARP request and reply on the untrusted ports and matches the layer 2 (MAC address) and Layer 3 (IP address) against an internal database.

What ar ARP inspection trusted and untrusted ports ?
A trusted port is a port that administrator assumes connects to a safe network segment or device (such as a router). An untrusted port connects to unsafe parts of the network, such as a public network like a public wireless device.

How does ARP inspection what IP to MAC mappings are legit ?
There is a thing called IP arp binding table that gets populated from one or multiple places such as: manual IP/ARP/VLAN/Port binding, DHCP responses via DHCP Snooping (assuming DHCP server is of trust), network scanning (sending ARP to a vlan for a range of IPs and inspecting replies).

How to globally enable ARP inspection TP-Link TL-SG3210 ?



SG3210(config)#ip arp inspection

SG3210(config)#ip arp inspection

Verify ARP inspection is enabled:
SG3210#sh ip arp inspection

ARP detection global status: Enabled

Set ports connected to gateway/routers/servers as trusted:


SG3210(config)#interface gigabitEthernet

SG3210(config)#interface gigabitEthernet 1/0/8

SG3210(config-if)#ip arp inspection trust

SG3210(config-if)#ip arp inspection trust

SG3210#sh ip arp inspection

SG3210#sh ip arp inspection

ARP detection global status: Enabled

ARP detection trusted ports: Gi1/0/1,Gi1/0/7,Gi1/0/8

Now that ARP inspection is enabled, traffic is still allowed because ARP table on gateway, computer and phones is already populated, but those ARP entries will expire.
Once the ARP entries expire, the hosts will refresh them by sending new requests. That's when ARP inspection will start dropping ARP replies because the TL-SG3210 switch ip source binding table is empty. I've enabled ARP inspection before DHCP snooping and ARP scanning on purpose, so that the reader realises that ARP inspection should be enabled at the end.

Enabling DHCP Snooping.
DHCP Snooping enables the switch to analyze DHCP server response packets towards the hosts that are requesting an IP (like when a computer connects to wireless) and maps the IP to mac address in it's source binding table. This allows the switch to know that host with MAC aa:aa:aa:aa:aa:aa has IP assigned by the network administrator (via DHCP server) and it doesnt use that IP illegally.
SG3210(config)#ip dhcp snooping

Also a good practice is to trust DHCP replies from DHCP server on specific port:
SG3210(config)#interface gigabitEthernet 1/0/8
SG3210(config-if)#ip dhcp snooping trust
SG3210#sh ip dhc snooping interface

Interface  Trusted   MAC-Verify  Limit-Rate  Decline   LAG
---------  -------   ----------  ----------  -------   ---
Gi1/0/1    Disabled  Enabled     0           Disabled  N/A
Gi1/0/2    Disabled  Enabled     0           Disabled  N/A
Gi1/0/3    Disabled  Enabled     0           Disabled  N/A
Gi1/0/4    Disabled  Enabled     0           Disabled  N/A
Gi1/0/5    Disabled  Enabled     0           Disabled  N/A
Gi1/0/6    Disabled  Enabled     0           Disabled  N/A
Gi1/0/7    Disabled  Enabled     0           Disabled  N/A
Gi1/0/8    [b]Enabled[/b]   Enabled     0           Disabled  N/A
Gi1/0/9    Enabled   Disabled    0           Disabled  N/A
Gi1/0/10   Enabled   Disabled    0           Disabled  N/A

Now disconnect a computer/phone/tablet from wireless and reconnect it. This will trigger the computer/phone/tablet to request IP and the switch will snoop the DHCP response:
SG3210#sh ip source binding

No. Host      IP-Addr         MAC-Addr          VID Port     ACL    Col.
--- ----      -------         --------          --- ----     ---    ----
53 ---    80:7b:1e:19:a7:29 2   Gi1/0/2  ARP-D

DHCP response for above device was snooped by the switch and it populated source binding table.

For exising / already connected hosts (before enabling ARP inspection), ARP scanning needs to be performed only via web interface: Network Security > IP-MAC Binding > ARP Scanning.

In that menu use range (you can skip .1 - the gateway because we assume the gateway is already on an arp inspection trusted port) and vlan.
This will detect all present hosts on that vlan and physical ports.
Two more things need to be done: 1. select all and BIND. 2. Go to Binding Table, select all binding entries with a "Scanning" source and select ARP Detection Protect Type.

It is important to enable DHCP snooping and ARP Inspection (preferably days or weeks after DHCP snooping) in the early stages of network deployment so that ARP-IP-Interface-VLAN mapping database that Arp inspection uses when it inspects ARP packets is already populated.

If ARP inspection is enabled in later stage, ARP Scanning can be used to detect hosts already connected.

Checking ARP Inspection statistics / ARP packets dropped due to missing entries in IP ARP source binding table.
SG3210#sh ip arp inspection statistics

Port     Trust  Stat.          Port     Trust  Stat.
Gi1/0/1  YES    0              Gi1/0/2  NO     13,912
Gi1/0/3  NO     0              Gi1/0/4  NO     23,134
Gi1/0/5  NO     0              Gi1/0/6  NO     0
Gi1/0/7  YES    0              Gi1/0/8  YES    0
Gi1/0/9  NO     0              Gi1/0/10 NO     0

VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX

Display posts from previous:  Sort by  
Print view

Topics related to - "TP-Link TL-SG3210 How to configure ARP Inspection, DHCP Snooping and ARP Scanning"
 Topics   Author   Replies   Views   Last post 
There are no new unread posts for this topic. Attachment(s) TP-Link JetStream SG3210 V2.0 CLI, User Guide downloads




Thu Sep 14, 2017 4:51 am

admin View the latest post


Who is online
Users browsing this forum: No registered users and 1 guest
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum
Jump to:  
cronNews News Site map Site map SitemapIndex SitemapIndex RSS Feed RSS Feed Channel list Channel list

Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]