Enabling Arp Detection Based On Dhcp Snooping Entries/802.1X Security Entries/Static Ip-To-Mac Bindings - H3C S5120-SI Series Configuration Manual

Figure 4 Man-in-the-middle attack (diagram: Host A with IP_A and MAC_A, Host B with IP_B and MAC_B, and Host C with IP_C and MAC_C attached to a switch, with forged ARP replies shown)
ARP detection mechanism
With ARP detection enabled for a specific VLAN, ARP messages that arrive on any interface in the VLAN are redirected to the CPU to have their MAC and IP addresses checked. ARP messages that pass the check are forwarded, and all other ARP messages are discarded.
Enabling ARP detection based on DHCP snooping entries/802.1X security entries/static IP-to-MAC bindings
With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet
received from the VLAN against the DHCP snooping entries, 802.1X security entries, or static IP-to-MAC
binding entries. You can specify a detection type or types as needed.
Process for ARP detection based on DHCP snooping entries for a VLAN
Upon receiving an ARP packet from an ARP untrusted port, the device compares the ARP packet against the DHCP snooping entries.
If a match is found, that is, the parameters (such as IP address, MAC addresses, port index, and VLAN ID) are consistent, the ARP packet passes the check.
If not, the ARP packet does not pass the check.
Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP packet.
If ARP detection is not enabled for the VLAN, the ARP packet is not checked even if it is received from an ARP untrusted port.
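The decision process above, written out as an added Python model (not H3C code from the manual): an ARP packet is checked only when detection is enabled for its VLAN and it arrived on an untrusted port, and it passes only if its sender IP, sender MAC, port index and VLAN ID all match one DHCP snooping entry. The binding entries, port names and addresses are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping entry: the four parameters the check compares."""
    ip: str
    mac: str
    port: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    """Sender fields of an ARP packet plus the port and VLAN it arrived on."""
    sender_ip: str
    sender_mac: str
    port: str
    vlan: int


def arp_detection_verdict(pkt, bindings, trusted_ports, detection_vlans):
    """Return 'forward' or 'discard' for one ARP packet (hypothetical helper)."""
    if pkt.vlan not in detection_vlans:
        return "forward"  # ARP detection not enabled for the VLAN: packet is not checked
    if pkt.port in trusted_ports:
        return "forward"  # ARP trusted port: packet is not checked
    # ARP untrusted port: IP, MAC, port index and VLAN ID must all match one entry
    probe = Binding(pkt.sender_ip, pkt.sender_mac.lower(), pkt.port, pkt.vlan)
    return "forward" if probe in bindings else "discard"


# Constructed sample data (not from the manual), modelled on Host B and Host C of Figure 4
SNOOPING_ENTRIES = {
    Binding("192.0.2.11", "00:11:22:33:44:bb", "GE1/0/2", 10),  # Host B
    Binding("192.0.2.12", "00:11:22:33:44:cc", "GE1/0/3", 10),  # Host C
}
TRUSTED_PORTS = {"GE1/0/24"}  # uplink towards the gateway / DHCP server
DETECTION_VLANS = {10}

if __name__ == "__main__":
    cases = {
        "genuine reply from Host B": ArpPacket("192.0.2.11", "00:11:22:33:44:BB", "GE1/0/2", 10),
        "Host C port claiming IP_B": ArpPacket("192.0.2.11", "00:11:22:33:44:cc", "GE1/0/3", 10),
        "reply via trusted uplink": ArpPacket("192.0.2.1", "00:11:22:33:44:01", "GE1/0/24", 10),
        "VLAN without detection": ArpPacket("192.0.2.11", "00:11:22:33:44:cc", "GE1/0/3", 20),
    }
    for name, pkt in cases.items():
        print(f"{name}: {arp_detection_verdict(pkt, SNOOPING_ENTRIES, TRUSTED_PORTS, DETECTION_VLANS)}")
```

Note that a packet whose IP and MAC both belong to Host B but arrives on Host C's port is still discarded, because the port index is one of the compared parameters.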
Process for ARP detection based on 802.1X security entries
