AXARPS: Scalable ARP Snooping Using Policy-Based Mirroring of Core Switches

  • Motoyuki OhmoriEmail author
  • Naoki Miyata
  • Ichiroh Suzuta
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 926)


In order to handle a computer security incident or network failure, it is important to grasp a list of pairs of IP and MAC addresses of hosts. Ones may then traditionally poll an Address Resolution Protocol (ARP) table of a core switch at an interval using SNMP or other methods. This traditional method based upon polling, however, has two major drawbacks that (1) some pairs of IP and MAC addresses may not be obtained and (2) incurs a heavy load on a core switch. This paper then proposes AXARPS that is the novel scalable ARP snooping to build a list of pairs of IP and MAC addresses. AXARPS can avoid missing pairs of IP and MAC addresses by monitoring all ARP traffic instead of the traditional method. AXARPS also can reduce a CPU load on a recent high-end core switch by approximately 20% in comparison with the traditional method. AXARPS is scalable because AXARPS incurs no additional CPU load even the number of hosts increases. AXARPS employs a policy-based mirroring of a switch that mirror traffic that matches a specified filter. The policy-based mirroring can then mirror ARP traffic only, and reduce a load on an ARP parsing server.


  1. 1.
    AlaxalA Networks Corporation: Policy based mirroring (2016). (in Japanese). Accessed 7 Nov 2018
  2. 2.
    ALAXALA Networks Corporation: Ax-security-controller (2017). Accessed: 03 June 2017
  3. 3.
    ALAXALA Networks Corporation: Case study: Tokyo university of agriculture and technology (2017). Accessed 01 Oct 2018
  4. 4.
    Fluentd Project: fluentd (2010). Accessed 07 Oct 2018
  5. 5.
    iNetSecSF. Sinetsec sf: Detecting security risk and blocking (2017). (in japanese). Accessed 7 Nov 2018
  6. 6.
    MongoDB, Inc.: mongodb (2018). Accessed 07 Oct 2018
  7. 7.
    Network Research Group: Lawrence Berkeley National Laboratory. arpwatch (2009). Accessed 7 Nov 2018
  8. 8.
    Philippe Biondi and the Scapy community. Scapy: Packet crafting for Python2 and Python3 (2018). Accessed 7 Nov 2018
  9. 9.
    Plummer, D.: Ethernet address resolution Protocol: or converting network Protocol addresses to 48.bit Ethernet address for transmission on Ethernet Hardware. RFC 826 (Standard), November 1982. Updated by RFCs 5227, 5494Google Scholar
  10. 10.
    Python Software Foundation: Python (2001). Accessed 7 Nov 2018
  11. 11.
    Tsujisawa, T., Sakurada, T., Segawa, H., Kawamura, Y., Mishima, K., Hagiwara, Y.: A challenge for full deployment both 802.1x authentication and an automatically isolation function in a campus network Task and correspondence in the operation. J. Acad. Comput. Netw. 22(1), 36–43 (2018)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Tottori UniversityTottoriJapan
  2. 2.ALAXALA Networks CorporationKawasakiJapan

Personalised recommendations