ARP Proxy on AP130s

  • Question
  • Updated 2 months ago
Hi All

I'm trying to figure out whether I can disable ARP proxy in my network policy.

There are two SSIDs, guest and corporate, each in its own VLAN; in addition, the APs themselves are in a management VLAN.

Access points are connected to L2 switches where all the above VLANs exist and are stretched across to an L3 switch which acts as a DHCP relay for all 3 VLANs. There is no ARP proxy on the switches.

Now I'm not sure whether I need ARP proxy to be enabled in this setup. I believe it's due to ARP proxy that clients in the guest SSID are able to probe with ARP for IPs/MACs beyond their own subnet.
 
Patryk Szenfeld

Posted 5 months ago

Patryk Szenfeld

The reason I'm asking is that it is possible, from a Wi-Fi client's perspective, to use certain tools utilizing ARP to query IP addresses beyond the network they are in, mainly switches. This is causing some security concerns that we are trying to address.


Brian Powers, Champ
ARP-Proxy is able to be disabled via your Management Options that are tied to your Network Policy. For legacy HM, it's under Additional Settings -> Service Settings -> Management Options and checking a box. Unsure for HMNG as I don't have one readily available to look at.
Patryk Szenfeld
Thanks Brian, but I'm trying to figure out what the potential implications of turning it off would be. Not sure whether any of the proprietary Aerohive protocols rely on proxy ARP in any way.
Brian Powers, Champ
Sorry, misread your original post. I can't imagine any Aerohive-specific protocols relying on that. The ARP request would simply get passed down from the AP to the clients vs. the AP responding directly to them - thus saving the client devices some additional sleep time (battery saving potentially).
Patryk Szenfeld

I need to bump this. I have disabled ARP proxy but I'm still able to get a bunch of IPs and MAC addresses beyond the network I'm connected to; this is a major security concern at our place.

I've noticed on AP130 there is the following command available:

forwarding-engine arp-shield enable - I'm not sure what it does exactly

At the moment, for testing purposes, I have the below in place:

no forwarding-engine proxy-arp enable

forwarding-engine arp-shield enable

Any input is much appreciated.
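The behaviour the original post and the last reply describe, a Wi-Fi client sending ARP requests for addresses outside its own subnet, is something a defender can check for on a switch mirror port or a capture taken on the guest VLAN. As an added example that is not part of this thread and not Aerohive code, the Python below parses raw Ethernet/ARP frames and lists clients whose ARP requests target IPs off the guest subnet, flagging any client with several distinct off-subnet targets. The frames are constructed inline; the MAC addresses, the 10.20.0.0/24 guest subnet and the 10.10.0.x "management" addresses are assumptions made for the example.

```python
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST = 1


def build_arp_request(src_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast Ethernet/ARP request frame (constructed sample data, not a capture)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, opcode=request
    arp = struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, ARP_REQUEST)
    arp += mac + ipaddress.IPv4Address(sender_ip).packed          # sender MAC / IP
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed  # target MAC (unknown) / IP
    return eth + arp


def parse_arp(frame: bytes):
    """Return (src_mac, opcode, sender_ip, target_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != ETHERTYPE_IPV4 or hlen != 6 or plen != 4:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ipaddress.IPv4Address(frame[28:32])
    target_ip = ipaddress.IPv4Address(frame[38:42])
    return src_mac, opcode, sender_ip, target_ip


def off_subnet_requests(frames, client_subnet: str):
    """List (src_mac, target_ip) for every ARP request whose target lies outside client_subnet.

    A normal IP stack only ARPs for addresses on its own link (hosts or the gateway),
    so a request for an address off the subnet is a useful signal by itself.
    """
    subnet = ipaddress.IPv4Network(client_subnet)
    hits = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP (e.g. ordinary IPv4 traffic), skip
        src_mac, opcode, _sender_ip, target_ip = parsed
        if opcode == ARP_REQUEST and target_ip not in subnet:
            hits.append((src_mac, str(target_ip)))
    return hits


def suspected_scanners(frames, client_subnet: str, threshold: int = 3):
    """Map src_mac -> sorted off-subnet targets for clients probing at least `threshold` distinct ones."""
    per_mac = defaultdict(set)
    for src_mac, target_ip in off_subnet_requests(frames, client_subnet):
        per_mac[src_mac].add(ipaddress.IPv4Address(target_ip))
    return {
        mac: [str(ip) for ip in sorted(targets)]
        for mac, targets in per_mac.items()
        if len(targets) >= threshold
    }


GUEST_SUBNET = "10.20.0.0/24"  # assumed guest VLAN prefix

# Constructed sample traffic: one client ARPs for its gateway and then for three
# addresses on another VLAN; a second client only ARPs for a neighbour on its own subnet.
SAMPLE_FRAMES = [
    build_arp_request("aa:bb:cc:00:00:01", "10.20.0.15", "10.20.0.1"),
    build_arp_request("aa:bb:cc:00:00:01", "10.20.0.15", "10.10.0.1"),
    build_arp_request("aa:bb:cc:00:00:01", "10.20.0.15", "10.10.0.2"),
    build_arp_request("aa:bb:cc:00:00:01", "10.20.0.15", "10.10.0.3"),
    build_arp_request("aa:bb:cc:00:00:02", "10.20.0.16", "10.20.0.20"),
]
# A non-ARP frame (IPv4 ethertype, padded body) that the parser must ignore.
NON_ARP_FRAME = b"\xff" * 6 + b"\xaa\xbb\xcc\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4) + b"\x00" * 40

if __name__ == "__main__":
    for mac, target in off_subnet_requests(SAMPLE_FRAMES + [NON_ARP_FRAME], GUEST_SUBNET):
        print(f"off-subnet ARP request from {mac} for {target}")
    print("suspected scanners:", suspected_scanners(SAMPLE_FRAMES, GUEST_SUBNET))
```

The script only sees what reaches the capture point: if the AP or switch drops or answers these requests before they hit the wire, nothing is logged, which is exactly the difference the thread is trying to establish between proxy ARP on and off. Run it against a capture read with any pcap library by feeding the raw frame bytes into `off_subnet_requests`.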