Checking for Spoofed ARP Packets

You can configure the router to check for spoofed ARP packets received on an IP interface or an IP subinterface using the arp spoof-check command.

By default, E Series routers check all received ARP packets for spoofing and process only those ARP packets whose source IP address is outside the range of the network mask. ARP packets with a source IP address of 0.0.0.0 and the router IP address as the destination address are dropped because the router identifies them as spoofed packets.

In networks with digital subscriber line access multiplexers (DSLAMs), even if you configure the router to check for spoofed ARP packets, DSLAMs perform this task instead of the router. If you disable checking for spoofed ARP packets on the router in such networks, DSLAMs forward the received packets to the router for processing. You can, therefore, configure the router accordingly, depending on the way in which you want spoof-checking to be performed.

You cannot configure ARP spoof-checking on interfaces that do not support ARP, such as loopback interfaces and ATM point-to-point PVCs.

If you disable checking for spoofed ARP packets, all packets received by the router are processed. You can reenable checking for spoofed ARP packets on an interface at any time by using the arp spoof-check command after disabling it.

Before you configure IP, you must create the lower-layer interfaces over which IP traffic flows. All IP configurations will be removed from the interface when you issue the no ip interface command in Interface Configuration mode.

To enable spoof-checking for ARP packets received on an interface:

• Issue the arp spoof-check command in Interface Configuration mode.
  host1(config-if)#arp spoof-check

  Use the no version to disable checking for spoofed ARP packets received on a major IP interface or an IP subinterface.