Configuring Periodic Sending Of Gratuitous Arp Packets; Introduction; Configuration Procedure - H3C S5120-SI Series Configuration Manual

[SwitchA-GigabitEthernet1/0/2] quit
Add local access user test.
[SwitchA] local-user test
[SwitchA-luser-test] service-type lan-access
[SwitchA-luser-test] password simple test
[SwitchA-luser-test] quit
Enable ARP detection for VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] arp detection enable
Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an
untrusted port by default).
[SwitchA-vlan10] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] arp detection trust
[SwitchA-GigabitEthernet1/0/3] quit
Enable ARP detection based on 802.1X security entries.
[SwitchA] arp detection mode dot1x
After the preceding configurations, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and
GigabitEthernet 1/0/2, they are checked against 802.1X security entries.
Configuring periodic sending of gratuitous ARP
packets

Introduction

If an attacker sends spoofed gratuitous ARP packets to hosts on a network, traffic that the hosts want to
send to the gateway is sent to the attacker instead. As a result, the hosts cannot access external networks.
To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets
containing its primary IP address or one of its manually configured secondary IP addresses at a specific
interval. In this way, each host can learn correct gateway address information.

Configuration procedure

To configure the gateway to send ARP packets periodically:
To do...
1. Enter system view
2. Enter interface view
3. Enable periodic sending of
gratuitous ARP packets and set the
sending interval
Use the command...
system-view
interface interface-type interface-
number
arp anti-attack send-
gratuitous-arp [ interval
milliseconds ]
28
Remarks
—
—
Required
Disabled by default.