How to protect an Instant WLAN from ARP attacks? What are the methods supported?

By Arunkumar posted Jul 03, 2014 11:47 PM


This article focuses on understanding and preventing ARP attacks on Aruba Instant™ Access Points running Aruba Instant™ Software.

ARP attacks (also known as Man-In-The-Middle [MITM] attacks) come in many forms and essentially allow an attacker to act as a proxy between the victim and any host with which the victim has established connections. It is a form of active eavesdropping in which the attacker controls the conversation without the victim's knowledge.


The configuration and verification steps mentioned in this article are tested on IAP 105 running



Environment : This article applies to all the IAPs running a minimum OS version of


Aruba Instant™ Software protects WLAN against ARP attacks
You can configure firewall settings to protect the network against attacks using the Instant UI or CLI.
In the Instant UI
To configure firewall settings:
1. Click the Security link at the top right corner of Instant main window.
2. Click the Firewall Settings tab. The Firewall Setting tab contents are displayed.
3. To configure protection against security attacks, select the following check boxes:
     - Select Drop bad ARP to enable the IAP to drop the fake ARP packets.
     - Select Fix malformed DHCP to enable the IAP to fix the malformed DHCP packets.
     - Select ARP poison check to enable the IAP to trigger an alert notifying the user about the ARP poisoning that may have been caused by the rogue APs.
4. Click OK.
In the CLI
To configure firewall settings to prevent attacks:
(Instant Access Point)(config)# attack
(Instant Access Point)(ATTACK)# drop-bad-arp-enable
(Instant Access Point)(ATTACK)# fix-dhcp-enable
(Instant Access Point)(ATTACK)# poison-check-enable
(Instant Access Point)(ATTACK)# end
(Instant Access Point)# commit apply
Drop bad ARP - For an ARP packet received from Wi-Fi, if the ARP sender MAC address and the Ethernet source MAC address are different, the IAP drops the ARP packet and updates the dropped ARP counters.
ARP Poison check - ARP poisoning (Man-In-The-Middle) is a very effective attack. Because a Man-In-The-Middle attack requires the attacker to be on the same network as the intended victims, the attack would need to be initiated from inside the network. The AP checks for ARP poisoning and raises an alarm.
Fix malformed DHCP - If the DHCP MAC address and the Ethernet destination MAC address don't match and the client is not in the AP's association table, the AP fixes the DHCP frame.
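The Drop bad ARP rule described above, as an added Python example (not Aruba's implementation and not part of the original article): it parses raw Ethernet frames, compares the ARP sender MAC with the Ethernet source MAC, and keeps two counters named after the show attack stats output. The frames are constructed samples, untagged Ethernet and IPv4-over-Ethernet ARP are assumed, and all function names are hypothetical.

```python
import struct

ETHERTYPE_ARP = 0x0806

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(eth_src, arp_sender_mac, ethertype=ETHERTYPE_ARP):
    """Constructed sample: Ethernet header + IPv4-over-Ethernet ARP reply."""
    eth = mac("ff:ff:ff:ff:ff:ff") + mac(eth_src) + struct.pack("!H", ethertype)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)    # htype, ptype, hlen, plen, op
    arp += mac(arp_sender_mac) + bytes([192, 0, 2, 1])  # sender MAC, sender IP
    arp += bytes(6) + bytes([192, 0, 2, 50])            # target MAC, target IP
    return eth + arp

def is_bad_arp(frame):
    """True if ARP sender MAC != Ethernet source MAC, False if equal,
    None if the frame is not a complete IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    if struct.unpack("!HHBB", frame[14:20]) != (1, 0x0800, 6, 4):
        return None
    # Ethernet source is bytes 6..11; ARP sender hardware address is bytes 22..27.
    return frame[22:28] != frame[6:12]

def filter_frames(frames):
    """Drop mismatched ARP frames; forward everything else and count."""
    counters = {"arp packet counter": 0, "drop bad arp packet counter": 0}
    forwarded = []
    for frame in frames:
        verdict = is_bad_arp(frame)
        if verdict is not None:
            counters["arp packet counter"] += 1
        if verdict:
            counters["drop bad arp packet counter"] += 1   # dropped, not forwarded
        else:
            forwarded.append(frame)
    return forwarded, counters

# Constructed sample frames (MAC addresses are made up for the example).
SAMPLE_FRAMES = [
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:01"),  # fields agree
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01"),  # fields differ
    build_frame("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:03", ethertype=0x0800),  # not ARP
]

if __name__ == "__main__":
    kept, stats = filter_frames(SAMPLE_FRAMES)
    print(len(kept), "forwarded;", stats)
```

The check compares only the two MAC fields, so an ARP frame in which they agree is forwarded regardless of the IP address it claims.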
To view the configuration status:
(Instant Access Point)# show attack config
Current Attack
Attack        Status
------        ------
drop-bad-arp  Enabled
fix-dhcp      Enabled
poison-check  Enabled

To view the attack statistics:
(Instant Access Point)# show attack stats
attack counters
Counter                         Value
-------                         -------
arp packet counter              10
drop bad arp packet counter     3
dhcp response packet counter    0
fixed bad dhcp packet counter   0
send arp attack alert counter   3
send dhcp attack alert counter  0
arp poison check counter        0
garp send check counter         0