Block bad ARP request

Hi,

In my customer's network there is a device (CCTV recorder) which sends bad ARP requests.

Packet Info:
    Packet Number:                      000008
    Packet Length:                      64
    Captured Length:                    60
    Delta Time                          1.869722 Second
Ethernet Type II                        [0/14]
    Destination Address:                FF:FF:FF:FF:FF:FF  [0/6]
    Source Address:                     52:54:4C:EE:77:34  [6/6]
    Protocol:                           0x0806  (ARP)  [12/2]
ARP - Address Resolution Protocol       [14/28]
    Hardware type:                      1  (Ethernet)  [14/2]
    Protocol Type:                      0x0800  [16/2]
    Hardware Address Length:            6  [18/1]
    Protocol Address Length:            4  [19/1]
    Type:                               1  (ARP Request)  [20/2]
    Source Physics:                     52:54:4C:EE:77:34  [22/6]
    Source IP:                          170.151.24.203  [28/4]
    Destination Physics:                00:00:00:00:00:00  [32/6]
    Destination IP:                     192.168.1.10  [38/4]
Extra Data:                             [42/18]
    Number of Bytes:                    18 bytes  [42/18]
FCS:
    FCS:                                0x77F71491

I tried to stop these packets with an ACL rule (IP Src = 170.151.24.203, redirect to 'no port selected') but it doesn't work.
Does RB250G allow all L2 broadcast frames, even if L3 block rule exists?

Regards, Grzegorz.

Try filtering by Ethertype:0x0806 and Src. MAC.

Hi,

Try filtering by Ethertype:0x0806 and Src. MAC.

This stopped any ARP responses from the device and made it unreachable.
Finally I fixed this with an RB750: bridged two ports and set a bridge filter to block ARP from address 170.151.24.203.
Works perfectly, but my question is: why is MT able to make such a filter on a router but not on a managed switch? :)

Regards, Grzegorz.
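The match Grzegorz ended up with on the RB750 (ARP frames from sender IP 170.151.24.203), as an added Python example that is not from the post or from MikroTik: it rebuilds the captured frame from the dump above, parses the ARP header, and applies the same drop rule, generalized to also flag any ARP request whose sender IP lies outside the expected LAN subnet (assumed here to be 192.168.1.0/24, from the target IP in the capture).

```python
import ipaddress
import struct

# Constructed frame reproducing the capture in the post: Ethernet II header,
# 28-byte ARP request, and 18 bytes of zero padding (60 captured bytes).
FRAME = (
    bytes.fromhex("ffffffffffff")                # destination: broadcast
    + bytes.fromhex("52544cee7734")              # source MAC
    + bytes.fromhex("0806")                      # Ethertype: ARP
    + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype, ptype, hlen, plen, op=request
    + bytes.fromhex("52544cee7734")              # sender MAC
    + bytes([170, 151, 24, 203])                 # sender IP (the "bad" address)
    + bytes(6)                                   # target MAC (unknown)
    + bytes([192, 168, 1, 10])                   # target IP
    + bytes(18)                                  # padding up to minimum frame size
)


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "src_mac": frame[6:12].hex(":"),
        "op": op,                                   # 1 = request, 2 = reply
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": ipaddress.ip_address(frame[28:32]),
        "target_ip": ipaddress.ip_address(frame[38:42]),
    }


def should_drop(frame: bytes, local_net: str, blocked_senders=()) -> bool:
    """Bridge-filter style rule: drop ARP whose sender IP is explicitly blocked
    or does not belong to the LAN subnet (assumed local_net)."""
    arp = parse_arp(frame)
    if arp is None:
        return False                                # not ARP: leave it to other rules
    if str(arp["sender_ip"]) in blocked_senders:
        return True
    return arp["sender_ip"] not in ipaddress.ip_network(local_net)
```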

Unfortunately, yes, this rule blocks all ARP traffic from the device. 250GS hardware does not support more advanced ARP matching features.