1. What is ARP Inspection?
ARP Inspection protects your network against ARP spoofing/poisoning.
A malicious or misconfigured host can forge ARP packets to change the IP–MAC mapping in another device’s ARP cache and hijack traffic.
On the IGS-6329-8UP2S4X, ARP Inspection validates ARP requests and replies against a list of trusted IP–MAC–VLAN–port bindings and drops invalid ARP packets.
When you use DHCP Snooping, those trusted bindings are learned automatically from DHCP exchanges. ARP Inspection then uses that same database to allow only the real owner of an IP address to send ARP traffic.
2. Example Topology:
- Switch SW1: IGS-6329-8UP2S4X
  - VLAN 1 used as client VLAN
- PC1 (legitimate client)
  - Connected to port 7 of SW1 (access, VLAN 1)
  - Uses DHCP
- PC2 (attacker or misconfigured host)
  - Connected to port 5 of SW1 (access, VLAN 1)
  - Configured with a static IP
- DHCP Server
  - Connected to port 8 of SW1 (VLAN 1 or routed to VLAN 1)
  - Scope: 192.168.10.0/24, default gateway 192.168.10.254
- SVI for VLAN 1: 192.168.10.254/24 (default gateway)
- DHCP Snooping (already configured)
  - Enabled globally on SW1
  - Port 8 is trusted (toward the DHCP server)
  - All other ports, including 5 and 7, are untrusted
- Behavior before enabling ARP Inspection:
  1. PC1 sends DHCPDISCOVER and legitimately obtains IP 192.168.10.101 from the DHCP server.
  2. SW1’s Dynamic DHCP Snooping Table shows the binding: IP 192.168.10.101 → MAC(PC1), VLAN 1, port 7.
  3. PC2 is manually configured with IP 192.168.10.101 on port 5.
  4. When PC2 pings the gateway 192.168.10.254, it sends ARP replies claiming 192.168.10.101 with PC2’s MAC.
     - The DHCP server’s ARP entry for 192.168.10.101 changes from PC1’s MAC to PC2’s MAC → PC2 has effectively stolen PC1’s IP.
  DHCP Snooping alone doesn’t stop this, because it controls DHCP replies, not ARP traffic.
- Behavior after enabling ARP Inspection:
  - ARP Inspection is enabled globally and on VLAN 1; all access ports (including 5 and 7) are configured for inspection except port 8.
  - SW1 now checks ARP packets against the DHCP Snooping/ARP Inspection bindings:
    - PC1’s ARP packets (IP 192.168.10.101 + PC1 MAC on port 7) match the binding → permitted.
    - PC2’s ARP packets (IP 192.168.10.101 + PC2 MAC on port 5) do not match → dropped.
  - Result:
    - PC2 loses connectivity (its ARP traffic is blocked).
    - PC1 continues to reach the gateway, and the DHCP server’s ARP entry for 192.168.10.101 stays mapped to PC1’s MAC.
3. How ARP Inspection works on IGS-6329-8UP2S4X
ARP Inspection has three main pieces:
- Global Mode – enable/disable ARP Inspection switch-wide.
- Port Mode Configuration – enable/disable ARP Inspection on individual ports. ARP Inspection is effective on a port only when Global Mode is Enabled AND the port’s Mode is Enabled.
- Check VLAN & Log Type
  - Check VLAN: if Enabled, the Log Type is taken from the per-VLAN configuration; if Disabled, the per-port setting is used.
  - Log Type: None, Deny, Permit, or All (which ARP packets are logged: none, only denied ones, only permitted ones, or both).
In addition, there are two ARP Inspection tables:
- Static ARP Inspection Table – manually configured safe bindings (for devices with static IPs).
- Dynamic ARP Inspection Table – up to 1024 dynamic entries learned automatically (typically from DHCP Snooping).
In this DHCP-based lab, we rely mainly on dynamic bindings from DHCP Snooping.
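The per-packet check described in sections 2 and 3, modelled as an added Python example (not the switch's own code): it parses an ARP frame, looks the sender's IP/MAC/VLAN/port up in a binding set, bypasses trusted ports, and applies the Log Type setting. The MAC addresses, frames and bindings are constructed for the lab above; frames are untagged, and the VLAN and ingress port are assumed to be supplied as switch metadata.

```python
import socket
import struct

ETH_P_ARP = 0x0806

def _mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed untagged Ethernet II + ARP reply (opcode 2), 42 bytes."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # htype, ptype, hlen, plen, oper
    arp += _mac(sender_mac) + socket.inet_aton(sender_ip)
    arp += _mac(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (sender_mac, sender_ip), or None when the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    sha, spa = frame[22:28], frame[28:32]
    return ":".join(f"{b:02x}" for b in sha), socket.inet_ntoa(spa)

# Which verdicts each Log Type setting records (None, Deny, Permit, All).
LOGGED = {"None": (), "Deny": ("drop",), "Permit": ("permit",), "All": ("permit", "drop")}

def inspect(frame, vlan, port, bindings, trusted_ports, log_type="None"):
    """Model of the per-port check: returns (verdict, log line or None)."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "permit", None  # non-ARP frames are outside ARP Inspection (assumption)
    mac, ip = parsed
    if port in trusted_ports or (ip, mac, vlan, port) in bindings:
        verdict = "permit"
    else:
        verdict = "drop"
    log = f"ARP {verdict}: port {port} vlan {vlan} {ip} {mac}" if verdict in LOGGED[log_type] else None
    return verdict, log

# Lab state from the topology above; the MAC addresses are constructed placeholders.
PC1_MAC, PC2_MAC, GW_MAC = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:fe"
BINDINGS = {("192.168.10.101", PC1_MAC, 1, 7)}  # binding learned by DHCP Snooping on port 7
TRUSTED = {8}                                   # port 8 faces the DHCP server

def lab_results():
    """Both hosts answer for 192.168.10.101; only PC1 on port 7 matches the binding."""
    pc1 = build_arp_reply(PC1_MAC, "192.168.10.101", GW_MAC, "192.168.10.254")
    pc2 = build_arp_reply(PC2_MAC, "192.168.10.101", GW_MAC, "192.168.10.254")
    return inspect(pc1, 1, 7, BINDINGS, TRUSTED)[0], inspect(pc2, 1, 5, BINDINGS, TRUSTED)[0]
```

Running `lab_results()` returns `('permit', 'drop')`, matching the before/after behaviour in section 2; the same frame from PC2 arriving on trusted port 8 would be permitted without a lookup.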