ARP Guard is an alternative to Dynamic ARP Inspection (DAI) for protection against ARP poisoning.
Note
ARP Guard is supported only on devices based on the DNX chipset family. For a list of such devices, see Supported Hardware.
Internet exchange points (IXPs) have a flat Layer 2 topology to provide any-to-any connectivity among BGP routers from connected ISPs, CSPs, and enterprises. As an IP host, each BGP peering router uses Address Resolution Protocol (ARP) to determine the MAC address of its BGP peers.
ARP Guard, like DAI, is effective against the various methods of ARP poisoning. For more information, see ARP Poisoning.
The ARP Guard feature uses a set of ACL-like commands to build a table of allowed IP addresses on the link. As a result, when an ARP reply—either due to gratuitous ARP or in response to a normal ARP request—is received on a port facing the BGP router, the reply is compared to the table of allowed IP addresses. ARP packets that do not match the entries are dropped. Matching ARP packets are forwarded.
For more information about the ACL, see Create an ARP Access Control List.
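The following Python model of the reply check described above is an added example, not the device's implementation or configuration syntax. It assumes the comparison keys on the sender protocol address of the ARP reply; the port name, the addresses, and the handling of malformed packets, non-reply opcodes, and ports without a table are constructed assumptions.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 Ethernet/IPv4 ARP payload, 28 bytes
ARP_REPLY = 2

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed ARP payload for the samples below."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sha), ip(spa), mac(tha), ip(tpa))

def arp_guard(port, payload, allowed):
    """Return 'forward', 'drop' or 'not-evaluated' for one ARP payload seen on port."""
    if len(payload) < struct.calcsize(ARP_FMT):
        return "drop"  # assumption: truncated ARP is dropped
    htype, ptype, hlen, plen, op, _sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "drop"  # assumption: only Ethernet/IPv4 ARP is accepted
    if op != ARP_REPLY:
        return "not-evaluated"  # the passage above describes replies only
    sender = ipaddress.IPv4Address(spa)
    # Assumption: a port with no table has no allowed addresses.
    return "forward" if sender in allowed.get(port, set()) else "drop"

# Constructed table: the router on "port-1" (hypothetical name) owns 192.0.2.10.
ALLOWED = {"port-1": {ipaddress.IPv4Address("192.0.2.10")}}

A, B = "02:00:00:00:00:0a", "02:00:00:00:00:14"  # constructed MAC addresses
SAMPLES = {
    # Normal reply to a peer's request: sender IP is in the table.
    "solicited": build_arp(2, A, "192.0.2.10", B, "192.0.2.20"),
    # Gratuitous ARP sent as a reply: sender IP equals target IP.
    "gratuitous": build_arp(2, A, "192.0.2.10", "ff:ff:ff:ff:ff:ff", "192.0.2.10"),
    # Reply claiming a peer's address from this port: not in the table.
    "poisoned": build_arp(2, A, "192.0.2.20", B, "192.0.2.30"),
    # ARP request: outside the reply check modelled here.
    "request": build_arp(1, A, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.20"),
}

def run_samples():
    """Evaluate every constructed sample as if received on port-1."""
    return {name: arp_guard("port-1", p, ALLOWED) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:10s} {verdict}")
```
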