How to secure a network using ARP

From MikroTik Wiki

Although hosts in an IP network are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another at Layer 2 (e.g. Ethernet). The Address Resolution Protocol (ARP) provides the mapping between the two forms of address. A router keeps an ARP table made up of ARP entries; each entry pairs an IP address with the corresponding hardware address (such as a MAC address). Normally ARP builds this mapping dynamically, adding entries automatically as they are discovered, but to increase network security static ARP entries can be created manually. By allowing a router to reply only to the static ARP entries found in its ARP table, we restrict access to the router, and to the network behind it, to exactly those IP/hardware address combinations listed in the table. To make a router use only static ARP entries, follow the steps below:

1. Add ARP entries for the hosts you want to accept, either in WinBox

[Screenshot: adding ARP entries for hosts in WinBox]

or in Console

[admin@RB230] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06 \
\... 00:21:00:56:00:12

2. Make the ether2 interface reply only to ARP requests that match the ARP entries you specified, either in WinBox

[Screenshot: setting the interface ARP mode to reply-only in WinBox]

or in Console

[admin@RB230] > interface ethernet set ether2 arp=reply-only
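The whole procedure as a RouterOS console script, with the checks a practitioner would run before and after switching the interface to reply-only. This is an added example, not code from the wiki page; it assumes the same interface (ether2) and host address (10.10.10.10) as the page, and the MAC address is a placeholder that must be replaced with the real hardware address of the host.

```routeros
# Added example (not from the MikroTik wiki page). Assumptions: the
# protected interface is ether2, the allowed host is 10.10.10.10 and
# XX:XX:XX:XX:XX:XX is a placeholder for that host's real MAC address.

# Before switching: list the entries ether2 has learned dynamically (flag D).
# Any host shown here that is not added as a static entry will lose
# connectivity once the interface is set to reply-only.
:foreach i in=[/ip arp find interface=ether2 dynamic=yes] do={
  :put ("dynamic ARP entry on ether2: " . [/ip arp get $i address] . " " . [/ip arp get $i mac-address])
}

# Step 1: one static ARP entry per host that is allowed on ether2
/ip arp add address=10.10.10.10 interface=ether2 mac-address=XX:XX:XX:XX:XX:XX comment="allowed host"

# Step 2: ether2 answers ARP requests, and resolves neighbours, only from
# the static entries in /ip arp; nothing is learned dynamically any more
/interface ethernet set ether2 arp=reply-only

# After switching: confirm the static entry is present on the right interface
# (no D flag) and that the interface mode really is reply-only
/ip arp print where interface=ether2
/interface ethernet print detail where name=ether2
```

Two consequences of `arp=reply-only` are worth checking in the output: the router no longer sends ARP requests of its own on ether2, so it can only reach hosts that have a static entry, and hosts that obtain their address from the router's DHCP server need an ARP entry too (the DHCP server's `add-arp=yes` setting creates one per lease).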