ARP inspection
[SSG 7.5+] ARP inspection mode allows further checking of ARP packet authenticity:
- for an ARP request: it checks that the sender MAC and IP addresses match the ones stored in the UDR
- for an ARP reply: it checks that the target MAC and IP addresses match the ones stored in the UDR
Additionally, the ARP request can be validated: the source MAC address in the Ethernet header must be the same as the MAC address of the ARP request sender (the Sender hardware address (SHA) field of the ARP request).
To enable the mode, set the bras_arp_inspection configuration option in fastdpi.conf:
- 0 - ARP inspection mode is disabled
- 1 - ARP inspection mode is enabled
- 2 - ARP inspection mode is enabled + ARP request validation is performed
When the autonomous system termination mode is enabled, ARP inspection applies only to those ARP requests whose initiator IP address (sender protocol address) belongs to the terminated autonomous system (the one with the local and term flags).
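The following added example (not SSG code) models the three bras_arp_inspection modes described above over constructed Ethernet/ARP frames: mode 1 checks the request sender or reply target against a UDR-like IP-to-MAC table, and mode 2 additionally requires the Ethernet source MAC to equal the ARP SHA. The UDR dictionary, the frame builder and all addresses are constructed for illustration.

```python
import struct
from typing import Dict, Optional

# Constructed stand-in for the UDR: subscriber IP -> MAC bindings the gateway knows.
UDR: Dict[str, str] = {
    "10.0.0.5": "02:00:00:00:00:05",
    "10.0.0.6": "02:00:00:00:00:06",
}

ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(eth_src: str, sha: str, spa: str, tha: str, tpa: str, op: int) -> bytes:
    """Build a constructed broadcast Ethernet frame carrying an IPv4 ARP packet."""
    eth = bytes.fromhex("ff" * 6) + bytes.fromhex(eth_src.replace(":", "")) + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # htype, ptype, hlen, plen, oper
    arp += bytes.fromhex(sha.replace(":", "")) + bytes(map(int, spa.split(".")))
    arp += bytes.fromhex(tha.replace(":", "")) + bytes(map(int, tpa.split(".")))
    return eth + arp

def inspect_arp(frame: bytes, mode: int, udr: Dict[str, str] = UDR) -> Optional[str]:
    """Return None if the frame passes inspection, else the reason it would be rejected.
    mode mirrors bras_arp_inspection: 0 = off, 1 = UDR check, 2 = UDR check + SHA validation."""
    if mode == 0:
        return None
    eth_src = mac_str(frame[6:12])                 # Ethernet source MAC
    op = struct.unpack("!H", frame[20:22])[0]      # ARP opcode (offset 14 + 6)
    sha, spa = mac_str(frame[22:28]), ip_str(frame[28:32])   # sender hw / proto address
    tha, tpa = mac_str(frame[32:38]), ip_str(frame[38:42])   # target hw / proto address
    if op == ARP_REQUEST:
        if mode == 2 and eth_src != sha:
            return f"ethernet src {eth_src} != ARP SHA {sha}"
        if udr.get(spa) != sha:
            return f"request sender {spa}/{sha} does not match UDR"
    elif op == ARP_REPLY:
        if udr.get(tpa) != tha:
            return f"reply target {tpa}/{tha} does not match UDR"
    return None
```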