02-16-2016 07:31 AM
I was reviewing some configuration guides because I'm considering purchasing a pair of MLX-e's to power our network. I came across the following:
If the ARP cache does not contain an entry for the destination IP address, the Brocade device broadcasts an ARP request out all its IP interfaces. The ARP request contains the IP address of the destination. If the device with the IP address is directly attached to the Brocade device, the device sends an ARP response containing its MAC address. The response is a unicast packet addressed directly to the Brocade device. The Brocade device places the information from the ARP response into the ARP cache. ARP requests contain the IP address and MAC address of the sender, so all devices that receive the request learn the MAC address and IP address of the sender and can update their own ARP caches accordingly.
Why out all its IP interfaces? Since we typically have customers on those interfaces, what happens if a customer sets up a device that does arp-proxy and answers the ARP request on their interface/VLAN instead of the real customer on the correct one? Wouldn't it be possible to hijack traffic in that case?
02-18-2016 01:27 PM
The broadcast will only be sent out of interfaces in that subnet. That apart, for scenarios involving ARP hijacking due to Proxy ARP being enabled, there are features like "ARP guard" which would drop the gratuitous ARP/ARP replies and prevent traffic from being black-holed.
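To make the two behaviours in this thread concrete (requests go out only on the interface whose subnet holds the target, and an ARP-guard style filter drops replies that arrive on the wrong VLAN or were never solicited), here is an added illustrative model; it is not Brocade's code and the interface names, subnets, MAC addresses and guard rules are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed interface table for the example: interface -> its IP subnet.
INTERFACES = {
    "ve10": ipaddress.ip_network("10.10.0.0/24"),   # customer A's VLAN
    "ve20": ipaddress.ip_network("10.20.0.0/24"),   # customer B's VLAN
}

@dataclass
class ArpGuardCache:
    """Simplified ARP cache with assumed guard rules (not vendor logic)."""
    cache: dict = field(default_factory=dict)    # ip -> (mac, interface)
    pending: set = field(default_factory=set)    # ips with an outstanding request
    dropped: list = field(default_factory=list)  # (reason, ip, mac, interface)

    def request(self, ip):
        """Broadcast the request only on the interface whose subnet holds ip."""
        for name, net in INTERFACES.items():
            if ipaddress.ip_address(ip) in net:
                self.pending.add(ip)
                return name
        return None  # no connected subnet: nothing is broadcast

    def reply(self, ip, mac, iface):
        """Process a reply received on iface; return True if it is accepted."""
        if ipaddress.ip_address(ip) not in INTERFACES[iface]:
            self.dropped.append(("wrong-subnet", ip, mac, iface)); return False
        if ip not in self.pending:  # gratuitous / unsolicited reply
            self.dropped.append(("unsolicited", ip, mac, iface)); return False
        old = self.cache.get(ip)
        if old and old != (mac, iface):  # binding already learned differently
            self.dropped.append(("conflict", ip, mac, iface)); return False
        self.cache[ip] = (mac, iface)
        self.pending.discard(ip)
        return True

def run_scenario():
    """Constructed sequence: proxy-ARP answer from the other VLAN, the real
    host's answer, then an unsolicited reply trying to overwrite the entry."""
    c = ArpGuardCache()
    sent_on = c.request("10.10.0.5")                                 # -> "ve10"
    spoof = c.reply("10.10.0.5", "aa:aa:aa:aa:aa:01", "ve20")        # wrong VLAN
    real = c.reply("10.10.0.5", "00:11:22:33:44:55", "ve10")         # accepted
    grat = c.reply("10.10.0.5", "aa:aa:aa:aa:aa:01", "ve10")         # unsolicited
    return sent_on, spoof, real, grat, c
```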