.. _prevent-static-arp:

====================================
Controlling Devices Using Static ARP
====================================

If a device sets the MAC address in the ARP table as static, a policy-violating device may bypass network access control and communicate freely.

.. note::
   In ARP-based control methods, the network sensor sends ARP control packets to the violating device to enforce network control.

-----------
Solutions
-----------

To control devices using Static ARP, Genian NAC offers the following four control methods:

Static ARP Prevention via Agent
'''''''''''''''''''''''''''''''

- The agent monitors static ARP table entries in real-time and dynamically modifies them.
- Navigate to **Policy > Node Policy > Node Action > ARP Management > Block Static ARP = On**
- Assign the ARP Management Node Action to a node policy to apply it to the device.

Control via 802.1x Configuration
''''''''''''''''''''''''''''''''

802.1x port-based access control is one of the most robust methods for enforcing network security. It allows user-based authentication and role-based access control through switch port-level configuration.

**Wired and Wireless 802.1x Setup**

- Enable RADIUS server functionality and integrate it with network devices (Switches, APs).
- Configure the Wired Authentication Manager plugin to match your network environment and apply it to devices.
- Use RADIUS policy settings to enforce network control at the switch port level.

Refer to :ref:`Radius`, :ref:`radius_policy` for further information.

Control via Mirror Configuration
''''''''''''''''''''''''''''''''

- Add a Network Sensor in Mirror Mode on the upstream side of the Static ARP device to perform control via HTTP Redirection.
- Navigate to **System > Sensor Management > Sensor Settings > Blocking Method > HTTP Redirection Drop(Reject)**

.. note::
   Two options for HTTP Redirection:

   - **Drop**: Drops blocked packets without further action.
   - **Reject**: Sends TCP RST for TCP or ICMP Unreachable for UDP.

Control via Strict Mode (Network Sensor)
''''''''''''''''''''''''''''''''''''''''

- This isolates policy-violating devices by redirecting response packets back to the network sensor whenever a violating device attempts to send packets, effectively controlling communication.
- Navigate to **System > Sensor Management > Sensor Settings > Sensor Operation Mode > ARP Strict Mode**

.. note::
   Three options for Strict Mode:

   - **Normal**: Do not apply Strict Mode
   - **Strict**: Apply Strict Mode
   - **Strict (without Gateway)**: Apply Strict Mode but do not control the gateway
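
The agent-based method above depends on finding static entries in a device's ARP table. As an added example (not Genian NAC's agent code and not part of the original page), the following Python code finds such entries in constructed English-locale ``arp -a`` (Windows) and ``ip -4 neigh show`` (Linux) output, skipping the broadcast and multicast rows that Windows lists as static by default. The sample addresses and all function names are assumptions.

```python
import re

# Constructed sample outputs (English-locale Windows "arp -a", Linux "ip -4 neigh show").
WINDOWS_ARP_A = """\
Interface: 192.168.10.25 --- 0x7
  Internet Address      Physical Address      Type
  192.168.10.1          00-11-22-33-44-55     static
  192.168.10.40         00-aa-bb-cc-dd-ee     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
LINUX_IP_NEIGH = """\
192.168.10.1 dev eth0 lladdr 00:11:22:33:44:55 PERMANENT
192.168.10.40 dev eth0 lladdr 00:aa:bb:cc:dd:ee REACHABLE
192.168.10.77 dev eth0 FAILED
"""
WIN_ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)

def _unicast(mac):
    """Normalize a MAC; return None for broadcast/multicast (I/G bit set)."""
    mac = mac.lower().replace("-", ":")
    return None if int(mac[:2], 16) & 1 else mac

def static_entries_windows(text):
    """Return (ip, mac) for unicast rows whose Type column is "static"."""
    out = []
    for line in text.splitlines():
        m = WIN_ROW.match(line)
        if m and m.group(3).lower() == "static" and _unicast(m.group(2)):
            out.append((m.group(1), _unicast(m.group(2))))
    return out

def static_entries_linux(text):
    """Return (ip, mac) for neighbours in the PERMANENT (static) state."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if "lladdr" in tok and tok[-1] == "PERMANENT":
            mac = _unicast(tok[tok.index("lladdr") + 1])
            if mac:
                out.append((tok[0], mac))
    return out

def pins_gateway(entries, gateway_ip):
    """True if gateway_ip (supplied by the caller) has a static entry."""
    return any(ip == gateway_ip for ip, _ in entries)
```

On a live host, pass the captured output of the corresponding command in place of the constructed samples.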