| To do... | Use the command... | Remarks |
| --- | --- | --- |
| 3. Enable ARP detection for the VLAN | arp detection enable | Required. Disabled by default. That is, ARP detection based on DHCP snooping entries, 802.1X security entries, or static IP-to-MAC bindings is not enabled by default. |
| 4. Return to system view | quit | — |
| 5. Enter Ethernet interface view | interface interface-type interface-number | — |
| 6. Configure the port as a trusted port | arp detection trust | Optional. The port is an untrusted port by default. |
| 7. Return to system view | quit | — |
| 8. Specify an ARP attack detection mode | arp detection mode { dhcp-snooping \| dot1x \| static-bind } | Required. No ARP attack detection mode is specified by default; that is, all packets are considered to be invalid by default. |
| 9. Configure a static IP-to-MAC binding for ARP detection | arp detection static-bind ip-address mac-address | Optional. Not configured by default. If the ARP attack detection mode is static-bind, you need to configure static IP-to-MAC bindings for ARP detection. |

• If all the detection types are specified, the system uses IP-to-MAC bindings first, then DHCP snooping entries, and then 802.1X security entries. If an ARP packet fails to pass ARP detection based on static IP-to-MAC bindings, it is discarded. If the packet passes this detection, it is checked against DHCP snooping entries. If a match is found, the packet is considered valid and is not checked against 802.1X security entries; otherwise, the packet is checked against 802.1X security entries. If a match is found, the packet is considered valid; otherwise, the packet is discarded.
• Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP snooping is enabled.
• Before enabling ARP detection based on 802.1X security entries, make sure that 802.1X is enabled and the 802.1X clients are configured to upload IP addresses.

Configuring ARP detection based on specified objects

You can also specify objects in ARP packets to be detected. The objects include:
• src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet is discarded.
• dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
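The decision logic described above (entry checks in the order static-bind, DHCP snooping, 802.1X, plus the src-mac and dst-mac object checks) as a small Python model; this is an added example for illustration, not switch code, and the packet fields, tables and MAC formats are constructed. It assumes the object checks run before the entry checks, and that at the static-bind stage a sender IP with a binding must carry the bound MAC (match accepts, mismatch discards) while an unbound IP moves on to the next configured stage.

```python
from dataclasses import dataclass

ZERO_MAC, BCAST_MAC = "0000-0000-0000", "ffff-ffff-ffff"


@dataclass
class ArpPacket:
    eth_src: str     # source MAC in the Ethernet header
    eth_dst: str     # destination MAC in the Ethernet header
    sender_mac: str  # sender MAC in the ARP body
    sender_ip: str   # sender IP in the ARP body
    target_mac: str  # target MAC in the ARP body
    is_reply: bool   # dst-mac check applies to ARP replies only


def detect(pkt, modes, objects, static_bind, dhcp_snooping, dot1x):
    """Return (accepted, reason) for one ARP packet arriving on an untrusted port."""
    # Object checks (src-mac / dst-mac). ASSUMPTION: evaluated before entry checks.
    if "src-mac" in objects and pkt.sender_mac != pkt.eth_src:
        return False, "src-mac: sender MAC differs from Ethernet source MAC"
    if "dst-mac" in objects and pkt.is_reply and (
            pkt.target_mac in (ZERO_MAC, BCAST_MAC) or pkt.target_mac != pkt.eth_dst):
        return False, "dst-mac: target MAC all-zero, all-one or not the Ethernet destination"
    # No detection mode configured: every packet is considered invalid.
    if not modes:
        return False, "no arp detection mode configured"
    key = (pkt.sender_ip, pkt.sender_mac)
    # Stage 1: static IP-to-MAC bindings. ASSUMPTION: a bound IP must carry the
    # bound MAC (match -> valid, mismatch -> discard); an unbound IP moves on.
    if "static-bind" in modes and pkt.sender_ip in static_bind:
        if static_bind[pkt.sender_ip] == pkt.sender_mac:
            return True, "static-bind match"
        return False, "static-bind: sender MAC does not match the binding"
    # Stage 2: DHCP snooping entries (a match skips the 802.1X check).
    if "dhcp-snooping" in modes and key in dhcp_snooping:
        return True, "dhcp-snooping match"
    # Stage 3: 802.1X security entries.
    if "dot1x" in modes and key in dot1x:
        return True, "dot1x match"
    return False, "no matching entry"


# Constructed sample tables: one static binding, one DHCP client, one 802.1X client.
STATIC = {"10.1.1.1": "000f-e200-0001"}
DHCP = {("10.1.1.2", "000f-e200-0002")}
DOT1X = {("10.1.1.3", "000f-e200-0003")}
ALL_MODES = {"static-bind", "dhcp-snooping", "dot1x"}
ALL_OBJECTS = {"src-mac", "dst-mac"}
```

A packet that claims the statically bound IP with a different sender MAC is discarded at stage 1, while a DHCP client with a matching snooping entry is accepted without consulting the 802.1X table.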