This article explains the “drop bad ARP feature” introduced in IAP OS version 22.214.171.124-126.96.36.199.
“Drop bad ARP” is one of the methods of tackling ARP attacks on the network.
For any ARP packet from WiFi, if the ARP sender mac address and the Ethernet source mac address are different, the IAP drops the ARP packet and updates the dropped ARP counters.
The configuration and verification steps mentioned in this article are tested on IAP 105 running 188.8.131.52-184.108.40.206.
Environment : This article applies to all the IAPs running a minimum OS version of 220.127.116.11-18.104.22.168.
- Navigate to Security > Firewall Settings
- Enable “Drop bad ARP” option from the drop down.
“show attack config” command shows whether “Drop bad ARP” option is enable or disabled.
“Show attack stats” commands will show the number of bad arp packets that have been dropped.
A packet capture can help to verify why the ARP packets are dropped as shown below:
Here, the ethernet Source MAC and Sender MAC address are different in the sample GARP packet, hence, the AP will drop it.