How to secure a network using ARP

From MikroTik Wiki
Revision as of 14:44, 5 January 2006 by Uldis (talk | contribs)

Although hosts in an IP network are addressed by IP address, hardware (MAC) addresses must be used to actually carry data from one host to another on the link. The Address Resolution Protocol (ARP) provides the mapping between the two forms of address: IP addresses and whatever type of address the data link uses. A router keeps an ARP table whose entries consist of an IP address and the corresponding hardware address. Normally ARP provides a dynamic mapping, adding entries automatically as hosts answer ARP requests, but to increase network security the mapping can be made static by adding the entries manually. If the router is then set to reply only to ARP requests from hosts whose IP/MAC pairs are found in the table, access to the router and to the network behind it is restricted to those hosts. In reply-only mode the router stores no dynamic entries at all, so every host it must talk to on that interface needs a static entry, including the host you are managing the router from: add the entries first and switch the mode afterwards, or you will lock yourself out. Keep in mind that a MAC address is a configurable value, not a secret, so an attacker who can observe the segment can clone an allowed IP/MAC pair; static ARP raises the bar but is not a substitute for authentication. To make a router use only static ARP entries, follow the steps listed below:

1. Add ARP entries for the hosts you want to accept

[admin@MikroTik] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06:21:00:56:00:12

2. Make the ether2 interface reply only to ARP requests that match the static entries you added

[admin@MikroTik] > interface ethernet set ether2 arp=reply-only
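The two steps above are easy to get wrong on a real network: a typo in a MAC address, a duplicate entry, or switching the interface to reply-only before the management host has its own static entry will cut the router off from the hosts it is supposed to serve. The following script is an added example, not part of the original wiki page or of RouterOS itself. It takes a constructed allow-list of (IP, MAC) pairs, validates and normalizes each entry, refuses to produce the reply-only command unless the management host is in the list, and emits the RouterOS commands in the safe order (static entries first, then the mode change, then a print for verification). The interface name, addresses and the management IP are assumptions chosen to match the page's example.

```python
"""Generate a RouterOS static-ARP configuration from an allow-list.

Added example (not RouterOS code): builds the same commands the wiki page
shows by hand, but validates input and guards against locking yourself out.
"""
import ipaddress
import re


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'
    and return the colon-separated upper-case form RouterOS displays."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def build_static_arp_config(interface: str, hosts, mgmt_ip: str):
    """Return the list of RouterOS CLI lines for `interface`.

    hosts   : iterable of (ip, mac) pairs that are allowed on the interface
    mgmt_ip : the address you administer the router from; it must be in
              `hosts`, otherwise the reply-only switch would lock you out,
              so the function raises instead of emitting the command.
    """
    seen_ips, seen_macs = set(), set()
    lines = []
    for ip, mac in hosts:
        addr = ipaddress.IPv4Address(ip)   # raises ValueError on bad input
        hw = normalize_mac(mac)
        if addr in seen_ips:
            raise ValueError(f"duplicate IP address {addr}")
        if hw in seen_macs:
            raise ValueError(f"duplicate MAC address {hw} (two IPs on one host?)")
        seen_ips.add(addr)
        seen_macs.add(hw)
        # Step 1 of the page: one static entry per accepted host.
        lines.append(f"/ip arp add address={addr} interface={interface} mac-address={hw}")

    if ipaddress.IPv4Address(mgmt_ip) not in seen_ips:
        raise ValueError(
            f"management host {mgmt_ip} has no static entry; "
            "switching to reply-only now would lock you out")

    # Step 2 of the page: only after all entries exist, stop dynamic ARP.
    lines.append(f"/interface ethernet set {interface} arp=reply-only")
    # Verification: static entries show without the 'D' (dynamic) flag.
    lines.append(f"/ip arp print where interface={interface}")
    return lines


if __name__ == "__main__":
    # Constructed allow-list: the page's host plus one more workstation.
    allowed = [
        ("10.10.10.10", "06:21:00:56:00:12"),
        ("10.10.10.11", "06-21-00-56-00-ab"),
    ]
    for line in build_static_arp_config("ether2", allowed, mgmt_ip="10.10.10.10"):
        print(line)
```

Paste the printed lines into the router terminal in order. If you later add a host, add its static entry before it is connected; with reply-only in effect the router will never learn a new MAC on its own.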