


How to prevent/mitigate IP-spoofing of a VRRP-gateway



Can we prevent or mitigate IP-spoofing of a VRRP-gateway?
  • VOSS
  • VSP 9000

You can prevent VLAN logical IP spoofing by blocking the external use of the device IP address. 
A configurable option is provided, for each port, which detects a duplicate IP address (that is, an address that is the same as the device VLAN IP address) and blocks all packets with a source or destination address equal to that address.

If an ARP packet is received that has the same source IP address as the logical VLAN IP address of the receiving port, all traffic coming to that port (with this MAC address as source/destination address) is discarded by the hardware. After detecting a duplicate IP address, the device sends a gratuitous ARP packet to inform devices on the VLAN about the correct MAC address for that IP address. You can specify a time on a configurable global timer after which the MAC discard record is deleted, and the device resumes accepting packets from that MAC address.
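The per-port behaviour described above, as a small Python model. This is an added example, not code or configuration from the device or its vendor; the class and method names, the addresses, and the 60-second timer value are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class SpoofDetectPort:
    """Model of one port with the duplicate-IP check (hypothetical names)."""
    vlan_ip: str            # logical VLAN IP of the receiving port
    device_mac: str         # MAC the device announces for that IP
    hold_seconds: int       # stand-in for the configurable global timer
    enabled: bool = True    # the option is configured per port
    discard: dict = field(default_factory=dict)  # MAC -> expiry time

    def on_arp(self, src_ip, src_mac, now):
        """Handle a received ARP packet and return the actions taken."""
        if not self.enabled or src_ip != self.vlan_ip:
            return []
        # Another station claims the VLAN IP: create a discard record for
        # its MAC and re-announce the correct IP-to-MAC binding.
        self.discard[src_mac] = now + self.hold_seconds
        return [("discard-mac", src_mac),
                ("gratuitous-arp", self.vlan_ip, self.device_mac)]

    def forwards(self, src_mac, dst_mac, now):
        """False while a discard record matches the source or destination."""
        for mac in (src_mac, dst_mac):
            expiry = self.discard.get(mac)
            if expiry is None:
                continue
            if now < expiry:
                return False
            del self.discard[mac]   # timer elapsed: record is deleted
        return True


def demo():
    """Constructed scenario: a station claims the gateway IP at t=0."""
    port = SpoofDetectPort("192.0.2.1", "02:00:00:00:00:01", hold_seconds=60)
    rogue, host = "02:00:00:00:00:66", "02:00:00:00:00:10"
    actions = port.on_arp("192.0.2.1", rogue, now=0)
    return (actions,
            port.forwards(rogue, host, now=30),   # record active: dropped
            port.forwards(host, rogue, now=59),   # also dropped as destination
            port.forwards(rogue, host, now=60))   # timer elapsed: accepted


if __name__ == "__main__":
    print(demo())
```

The model also shows the operational consequence of the timer: a station that keeps claiming the address is blocked again on its next ARP, while a host that was misconfigured and then corrected regains connectivity once the record is deleted.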

If you use Split MultiLink Trunking (SMLT), you must configure this option on both SMLT aggregation devices to avoid connectivity issues.

Important: After you enable the IP spoofing feature, you must restart the device.
