The dhcp arpbind enable command enables authorized ARP.
The undo dhcp arpbind enable command disables authorized ARP.
By default, the authorized ARP function is disabled.
After authorized ARP is enabled, the DHCP server not only assigns an IP address to a client, but also automatically adds an ARP entry containing the client's MAC address and IP address to the ARP table.
Authorized ARP prevents the DHCP server from dynamically learning ARP entries from illegitimate ARP responses. That is, only clients to which the DHCP server assigns IP addresses can add ARP entries (referred to below as authorized ARP entries) automatically based on ARP response packets. If an attacker forges the IP address or MAC address of a legitimate DHCP client to originate an ARP request, the IP address or MAC address does not match the authorized ARP entries recorded by the gateway (when the DHCP server serves as the gateway), and no response is returned. In this way, the attacker cannot access the network by forging a legitimate IP address or MAC address.
Authorized ARP entries have a higher priority than dynamic ARP entries, but a lower priority than static ARP entries. A new authorized ARP entry overrides a duplicate dynamic ARP entry, but not a duplicate static ARP entry. An existing authorized ARP entry can be overridden by a duplicate static ARP entry.
Authorized ARP is valid only on devices where the DHCP server is enabled. It applies to the scenario where the DHCP server and DHCP client reside on the same network segment, not to the DHCP relay scenario.
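
The entry priorities and the ARP request check described above, modelled in Python as an added illustration (not vendor code or device configuration). The class and function names, the sample addresses, and the rule that an entry of equal priority replaces the old one are assumptions of this model.

```python
# Added illustration: a toy model of the gateway's ARP table, not vendor code.
from enum import IntEnum

class Kind(IntEnum):          # higher value = higher priority, as the text states
    DYNAMIC = 1
    AUTHORIZED = 2
    STATIC = 3

class ArpTable:
    def __init__(self):
        self.entries = {}     # ip -> (mac, Kind)

    def install(self, ip, mac, kind):
        """Add an entry unless a higher-priority duplicate already exists."""
        current = self.entries.get(ip)
        # Assumption: an entry of equal priority replaces the old one (lease renewal).
        if current is not None and current[1] > kind:
            return False
        self.entries[ip] = (mac, kind)
        return True

    def dhcp_ack(self, ip, mac):
        """The DHCP server assigned ip to mac: record an authorized entry."""
        return self.install(ip, mac, Kind.AUTHORIZED)

    def answers_arp_request(self, sender_ip, sender_mac):
        """Reply only if the sender pair matches an authorized or static entry."""
        entry = self.entries.get(sender_ip)
        return entry is not None and entry[1] >= Kind.AUTHORIZED and entry[0] == sender_mac

def demo():
    t = ArpTable()                                               # constructed sample data
    t.install("192.0.2.20", "02:00:00:00:00:99", Kind.DYNAMIC)   # stale dynamic entry
    t.install("192.0.2.30", "02:00:00:00:00:30", Kind.STATIC)    # administrator-configured
    results = {
        "authorized_over_dynamic": t.dhcp_ack("192.0.2.20", "02:00:00:00:00:20"),
        "authorized_over_static": t.dhcp_ack("192.0.2.30", "02:00:00:00:00:31"),
        "legit_client": t.answers_arp_request("192.0.2.20", "02:00:00:00:00:20"),
        "forged_ip": t.answers_arp_request("192.0.2.20", "02:00:00:00:00:66"),
        "forged_mac": t.answers_arp_request("192.0.2.77", "02:00:00:00:00:20"),
    }
    results["static_over_authorized"] = t.install("192.0.2.20", "02:00:00:00:00:aa", Kind.STATIC)
    return t, results

if __name__ == "__main__":
    table, results = demo()
    for name, value in results.items():
        print(f"{name}: {value}")
```
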