Configuring ARP Detection Based On Specified Objects - H3C S5120-SI Series Configuration Manual

To do... / Use the command... / Remarks (steps 3 to 9 of the ARP detection configuration procedure):

Step 3. Enable ARP detection for the VLAN
    Use the command: arp detection enable
    Remarks: Required. Disabled by default. That is, ARP detection based on DHCP snooping entries/802.1X security entries/static IP-to-MAC bindings is not enabled by default.

Step 4. Return to system view
    Use the command: quit

Step 5. Enter Ethernet interface view
    Use the command: interface interface-type interface-number

Step 6. Configure the port as a trusted port
    Use the command: arp detection trust
    Remarks: Optional. The port is an untrusted port by default.

Step 7. Return to system view
    Use the command: quit

Step 8. Specify an ARP attack detection mode
    Use the command: arp detection mode { dhcp-snooping | dot1x | static-bind }
    Remarks: Required. No ARP attack detection mode is specified by default; that is, all packets are considered to be invalid by default.

Step 9. Configure a static IP-to-MAC binding for ARP detection
    Use the command: arp detection static-bind ip-address mac-address
    Remarks: Optional. Not configured by default. If the ARP attack detection mode is static-bind, you need to configure static IP-to-MAC bindings for ARP detection.

If all the detection types are specified, the system uses IP-to-MAC bindings first, then DHCP snooping entries, and then 802.1X security entries. If an ARP packet fails to pass ARP detection based on static IP-to-MAC bindings, it is discarded. If the packet passes this detection, it will be checked against DHCP snooping entries. If a match is found, the packet is considered to be valid and will not be checked against 802.1X security entries; otherwise, the packet is checked against 802.1X security entries. If a match is found, the packet is considered to be valid; otherwise, the packet is discarded.

Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP snooping is enabled.

Before enabling ARP detection based on 802.1X security entries, make sure that 802.1X is enabled and the 802.1X clients are configured to upload IP addresses.

Configuring ARP detection based on specified objects

You can also specify objects in ARP packets to be detected. The objects involve:

src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet is discarded.

dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
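The src-mac and dst-mac object checks described above, reimplemented in Python as an added illustration (this is not H3C code and not from the manual): it parses a raw Ethernet II + ARP frame and applies the two consistency rules, with the dst-mac rule applied only to replies. The frame builder, MAC/IP values and the `inspect_arp_frame` name are constructed for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def build_arp_frame(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Build an Ethernet II + ARP (Ethernet/IPv4) frame; constructed test input only."""
    eth_hdr = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp_hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth_hdr + arp_hdr + sender_mac + sender_ip + target_mac + target_ip


def inspect_arp_frame(frame, check_src_mac=True, check_dst_mac=True):
    """Return (verdict, reason) where verdict is 'forward' or 'discard'."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return "discard", "truncated frame"
    eth_dst, eth_src = frame[0:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return "forward", "not an ARP frame"
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28]   # sender hardware address
    target_mac = frame[32:38]   # target hardware address
    # src-mac: sender MAC must equal the Ethernet source MAC
    if check_src_mac and sender_mac != eth_src:
        return "discard", "src-mac: sender MAC differs from Ethernet source MAC"
    # dst-mac: for replies, target MAC must not be all-zero/all-one and must
    # match the Ethernet destination MAC
    if check_dst_mac and op == ARP_REPLY:
        if target_mac in (b"\x00" * 6, b"\xff" * 6):
            return "discard", "dst-mac: target MAC is all-zero or all-one"
        if target_mac != eth_dst:
            return "discard", "dst-mac: target MAC differs from Ethernet destination MAC"
    return "forward", "ok"


# Constructed sample frames (documentation-range addresses)
MAC_A, MAC_B = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")
MAC_X = bytes.fromhex("deadbeef0001")
IP_A, IP_B = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])

GOOD_REPLY = build_arp_frame(MAC_B, MAC_A, ARP_REPLY, MAC_A, IP_A, MAC_B, IP_B)
MISMATCHED_SENDER = build_arp_frame(MAC_B, MAC_A, ARP_REPLY, MAC_X, IP_A, MAC_B, IP_B)
ZERO_TARGET_REPLY = build_arp_frame(MAC_B, MAC_A, ARP_REPLY, MAC_A, IP_A, b"\x00" * 6, IP_B)
BROADCAST_REQUEST = build_arp_frame(b"\xff" * 6, MAC_A, ARP_REQUEST, MAC_A, IP_A, b"\x00" * 6, IP_B)

if __name__ == "__main__":
    for name, f in [("good reply", GOOD_REPLY), ("mismatched sender", MISMATCHED_SENDER),
                    ("zero target reply", ZERO_TARGET_REPLY), ("broadcast request", BROADCAST_REQUEST)]:
        print(f"{name:18s} -> {inspect_arp_frame(f)}")
```

A broadcast request with an all-zero target MAC is forwarded because the dst-mac rule only applies to replies, which is the distinction the manual draws.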
