H3C S5120-SI Series Configuration Manual page 23

The device, upon receiving an ARP packet from an ARP untrusted port, compares the ARP packet against the 802.1X security entries.
If an entry with identical source IP and MAC addresses, port index, and VLAN ID is found, the ARP packet is considered valid.
If an entry with no matching IP address but with a matching OUI MAC address is found, the ARP packet is considered valid.
Otherwise, the packet is considered invalid and discarded.
Process for ARP detection based on static IP-to-MAC bindings
The device, upon receiving an ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP packet against the static IP-to-MAC bindings.
If an entry with a matching IP address but a different MAC address is found, the ARP packet is considered invalid and discarded.
If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid and can pass the detection.
If no match is found, the ARP packet is considered valid and can pass the detection.
Process when all the detection types are specified
The system uses static IP-to-MAC binding entries first, then DHCP snooping entries, and then 802.1X security entries.
To prevent gateway spoofing, ARP detection based on IP-to-MAC binding entries is required. After passing this type of ARP detection, users that can pass ARP detection based on DHCP snooping entries or 802.1X security entries are considered to be valid. The last two detection types are used to prevent user spoofing.
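The three decision procedures described above (802.1X security entries, static IP-to-MAC bindings, and the order used when several detection types are enabled) written out as a runnable Python model. This is an added example, not H3C code: the packet and entry shapes, the port names and address tables are constructed; treating a DHCP snooping entry as an exact IP/MAC/port/VLAN match, reading "matching OUI MAC address" as the first three octets of the MAC, and applying only the static-binding check to packets from trusted ports are assumptions made for the example.

```python
"""Model of ARP detection decisions (constructed example, not H3C code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    port: str                 # ingress port index (constructed names below)
    vlan: int
    from_trusted_port: bool = False


@dataclass(frozen=True)
class SecurityEntry:
    """Used for both 802.1X security entries and DHCP snooping entries.
    Assumption: the page details only the 802.1X form; a DHCP snooping
    entry is treated here as the same IP/MAC/port/VLAN tuple."""
    ip: Optional[str]
    mac: str
    port: str
    vlan: int


def _norm(mac: str) -> str:
    """Lower-case, colon-separated form so comparisons ignore case and dashes."""
    return mac.lower().replace("-", ":")


def _oui(mac: str) -> str:
    """First three octets (the OUI) of a normalised MAC address."""
    return _norm(mac)[:8]


def _exact_match(pkt: ArpPacket, e: SecurityEntry) -> bool:
    return (e.ip == pkt.src_ip and _norm(e.mac) == _norm(pkt.src_mac)
            and e.port == pkt.port and e.vlan == pkt.vlan)


def check_static_bindings(pkt: ArpPacket, bindings: Dict[str, str]) -> bool:
    """Static IP-to-MAC binding check, applied on trusted and untrusted ports.
    Matching IP with a different MAC -> invalid; matching IP and MAC -> valid;
    no binding for the IP -> valid (the packet passes this detection type)."""
    bound_mac = bindings.get(pkt.src_ip)
    if bound_mac is None:
        return True
    return _norm(bound_mac) == _norm(pkt.src_mac)


def check_dhcp_snooping_entries(pkt: ArpPacket,
                                entries: Sequence[SecurityEntry]) -> bool:
    """DHCP snooping check: valid only on an exact IP/MAC/port/VLAN match
    (assumed form; the page does not spell this process out)."""
    return any(_exact_match(pkt, e) for e in entries)


def check_dot1x_entries(pkt: ArpPacket,
                        entries: Sequence[SecurityEntry]) -> bool:
    """802.1X security entry check (untrusted ports): an identical entry is
    valid; an entry with a different IP but the same OUI as the packet's
    source MAC is valid; anything else is invalid."""
    if any(_exact_match(pkt, e) for e in entries):
        return True
    return any(e.ip != pkt.src_ip and _oui(e.mac) == _oui(pkt.src_mac)
               for e in entries)


def arp_detection(pkt: ArpPacket, static_bindings: Dict[str, str],
                  dhcp_entries: Sequence[SecurityEntry],
                  dot1x_entries: Sequence[SecurityEntry],
                  types: Sequence[str] = ("static", "dhcp-snooping", "dot1x")
                  ) -> bool:
    """Combined decision in the order the text gives: static bindings first
    (gateway spoofing), then DHCP snooping entries, then 802.1X entries (user
    spoofing). Assumption: a packet from a trusted port only has to pass the
    static-binding check, since the other two apply to untrusted ports."""
    if "static" in types and not check_static_bindings(pkt, static_bindings):
        return False
    if pkt.from_trusted_port:
        return True
    user_checks = []
    if "dhcp-snooping" in types:
        user_checks.append(lambda: check_dhcp_snooping_entries(pkt, dhcp_entries))
    if "dot1x" in types:
        user_checks.append(lambda: check_dot1x_entries(pkt, dot1x_entries))
    if not user_checks:          # only gateway protection is enabled
        return True
    return any(check() for check in user_checks)


# Constructed tables for the example (not from any real device).
STATIC_BINDINGS = {"10.1.1.1": "00:e0:fc:00:00:01"}                     # gateway
DHCP_ENTRIES = [SecurityEntry("10.1.1.20", "00:11:22:33:44:55", "GE1/0/2", 10)]
DOT1X_ENTRIES = [SecurityEntry("10.1.1.30", "00:aa:bb:11:22:33", "GE1/0/3", 10)]

if __name__ == "__main__":
    samples = {
        "gateway IP with wrong MAC": ArpPacket("10.1.1.1", "00:de:ad:be:ef:01", "GE1/0/5", 10),
        "DHCP client on its port":   ArpPacket("10.1.1.20", "00:11:22:33:44:55", "GE1/0/2", 10),
        "DHCP client on other port": ArpPacket("10.1.1.20", "00:11:22:33:44:55", "GE1/0/7", 10),
        "unknown host":              ArpPacket("10.1.1.50", "00:de:ad:be:ef:02", "GE1/0/9", 10),
    }
    for label, pkt in samples.items():
        verdict = arp_detection(pkt, STATIC_BINDINGS, DHCP_ENTRIES, DOT1X_ENTRIES)
        print(f"{label}: {'valid' if verdict else 'invalid, discarded'}")
```

Running the block prints a verdict for each constructed packet; the order of the checks is what makes a packet that claims the gateway's IP fail before any user-level entry is consulted.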
Selecting detection types
You can select detection types according to the network environment.
If all access clients acquire IP addresses through DHCP, H3C recommends that you enable DHCP snooping and ARP detection based on DHCP snooping entries on your access device.
If access clients are large in number and most of them use static IP addresses.
If access clients are 802.1X clients, H3C recommends that you enable 802.1X authentication, upload of client IP addresses, and ARP detection based on 802.1X security entries on your access device. After that, the access device uses mappings between IP addresses, MAC addresses, VLAN IDs, and ports of 802.1X authentication clients for ARP detection.
To enable ARP detection for a VLAN and specify a trusted port:

Step  To do...            Use the command...   Remarks
1     Enter system view   system-view
2     Enter VLAN view     vlan vlan-id