Secure the MikroTik by securing the ARP

Another Layer 2 security feature works at the ARP level. As you know, every network device needs the source and destination MAC/IP addresses to be able to send data. If a device doesn’t have the destination MAC address, it issues an ARP request as a broadcast, and the device that receives the broadcast and owns the destination IP address answers the source with its MAC address.

The MikroTik switch keeps the MAC addresses it learns dynamically in its ARP table. By default, the MikroTik RouterOS ARP table can hold up to 8192 entries, but of course, the more entries you have on the switch, the more CPU and memory resources are used.

For this reason, you can turn the ARP entries that you want to keep into static entries.

The best way to do this is in combination with the DHCP server. Once you know that your network is converged, meaning that all devices have received an IP address from the DHCP server, you can make the entries static.



Let’s say that my network is converged now. On the DHCP server router, we can see under IP > ARP that there is a dynamic entry for my PC:

What we can do is go to the DHCP server and tell it that every client that has received a leased IP address from the DHCP service gets an ARP entry. Let me show you how:

Let’s check the ARP table again; we should see the entry there.

To make it even more secure, we make the entry static and set ARP on Ether1 to reply-only.

Let’s first make it static:

Now we go to Ether1 and set ARP to reply-only:

ARP=Reply-only means that the router will reply to ARP requests only for the entries that are in the ARP table. That means that if our PC now requests an IP address from the DHCP server again, the server will provide it, because the PC’s MAC address is in the ARP table of the router. If we put another PC on Ether1, it will not get an IP address, because that second PC is not in the ARP table of the router.
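The same steps typed into the RouterOS terminal, as an added example that is not part of the original page. The DHCP server name `dhcp1`, the address 192.168.88.10, the MAC address and the comment are constructed placeholder values; substitute your own.

```routeros
# Constructed values: DHCP server "dhcp1", client 192.168.88.10 / AA:BB:CC:DD:EE:01 on ether1.

# 1. Inspect the ARP table; the PC shows up with the D (dynamic) flag.
/ip arp print where interface=ether1

# 2. Have the DHCP server add an ARP entry for every lease it hands out.
/ip dhcp-server set [find name=dhcp1] add-arp=yes

# 3. Check the ARP table again; the leased address should be listed.
/ip arp print where interface=ether1

# 4. Pin the client with a static ARP entry (stored in the configuration,
#    so it is still there after a reboot).
/ip arp add address=192.168.88.10 mac-address=AA:BB:CC:DD:EE:01 \
    interface=ether1 comment="office-pc (constructed example)"

# 5. Only now switch ether1 to reply-only. Doing this before the entries
#    exist cuts off every host on the port, including a management
#    session that reaches the router through ether1.
/interface ethernet set [find name=ether1] arp=reply-only

# 6. Verify the interface mode and list the non-dynamic entries.
/interface ethernet print detail where name=ether1
/ip arp print where interface=ether1 dynamic=no
```

If you manage the router through Ether1, enable Safe Mode in the terminal before step 5 so the change is rolled back if the session drops.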

Since we have been talking about the ARP modes on the interface and have seen reply-only, there are several other modes that I would like to explain to you as well.

Enabled: Default setting on the interfaces. ARP dynamic entries will be added to the ARP table and ARP requests will be answered.

Disabled: ARP is disabled, which means dynamic ARP entries will not be added and ARP requests will not be answered.

Reply-Only: The router will reply to ARP requests but will not add entries to the ARP table.

Proxy-ARP: Mostly used on VPNs when you have 2 networks using the same range of IP addresses; the router then acts as a transparent ARP proxy between the 2 networks.

Local-Proxy-ARP: Mostly used when you have port isolation and you want the devices connected to the isolated ports to communicate with each other. With this mode, the router will reply to all client hosts with its own MAC address.

