Proxy ARP detection (was re: best practice for advertising peering fabric routes)
mysidia at gmail.com
Thu Jan 16 05:17:29 UTC 2014
On Wed, Jan 15, 2014 at 10:49 PM, ML <ml at kenweb.org> wrote:
> Shouldn't ARP inspection be a common feature?
Dynamic ARP inspection is mostly useful only when the trusted ports receive their MAC to IP address mapping from a trusted DHCP server, and the trusted mapping is established using DHCP snooping.

Or else, you have manually entered entries in the secure ARP database of MAC to IP mappings. Which most operators would be resistant to dealing with, because of all the extra work.

-It's not as if the switches know what the valid subnets are and suppress ARP requests for outside networks.

Therefore, in most cases, ARP inspection won't be used, except for DHCP.

ARP inspection goes hand-in-hand with increasing resistance against a Man in the Middle attack from a compromised workstation on a LAN, using ARP hijacking to capture traffic or distribute malware to a neighboring workstation.

In most cases, DHCP-based configuration will not be used for routers (the very devices that might inadvertently have proxy-arp)....
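Added example, not from this thread or its author: a small Python model of the Dynamic ARP Inspection decision the post describes (trusted ports bypass the check, untrusted ports must match a DHCP-snooping or static binding), plus the subnet sanity check the post says switches lack and a simple heuristic for the thread's subject, proxy ARP. All binding tables, port names and addresses are constructed sample data.

```python
# Added example (not from the NANOG thread): a model of the DAI decision.
# Bindings come from a simulated DHCP-snooping table plus manually entered
# static entries. All MAC/IP/port values here are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class ArpPacket:
    port: str        # switch port the ARP frame arrived on
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address

# Simulated DHCP-snooping binding table: (mac, ip) -> port that got the lease.
DHCP_BINDINGS = {
    ("aa:bb:cc:00:00:01", "192.0.2.10"): "Gi1/0/1",
    ("aa:bb:cc:00:00:02", "192.0.2.11"): "Gi1/0/2",
}
# Manually entered entries for hosts that never use DHCP (the "extra work").
STATIC_BINDINGS = {
    ("aa:bb:cc:00:00:fe", "192.0.2.1"): "Gi1/0/24",
}
TRUSTED_PORTS = {"Gi1/0/48"}          # uplink toward router / DHCP server
LAN_SUBNET = ip_network("192.0.2.0/24")

def inspect(pkt: ArpPacket) -> str:
    """Return 'permit' or 'drop: <reason>' for one ARP packet."""
    if pkt.port in TRUSTED_PORTS:
        return "permit"               # DAI does not validate trusted ports
    if ip_address(pkt.sender_ip) not in LAN_SUBNET:
        # Not part of DAI itself; this is the subnet check the post notes
        # switches normally do not perform.
        return "drop: sender IP outside LAN subnet"
    key = (pkt.sender_mac.lower(), pkt.sender_ip)
    port = DHCP_BINDINGS.get(key) or STATIC_BINDINGS.get(key)
    if port is None:
        return "drop: no DHCP-snooping or static binding"
    if port != pkt.port:
        return "drop: binding belongs to another port"
    return "permit"

def proxy_arp_suspects(packets, threshold: int = 2) -> set:
    """MACs seen answering for several IPs: a hint of proxy ARP or spoofing."""
    seen = {}
    for p in packets:
        seen.setdefault(p.sender_mac.lower(), set()).add(p.sender_ip)
    return {mac for mac, ips in seen.items() if len(ips) >= threshold}
```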