Configuration Procedure; Configuring Arp Detection; Introduction; Security Entries/Oui Mac Addresses - HP 3600 v2 Series Security Configuration Manual


Configuration procedure

Follow these steps to configure ARP active acknowledgement:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the ARP active acknowledgement function | arp anti-attack active-ack enable | Required. Disabled by default. |

Configuring ARP detection

Introduction

The ARP detection feature is mainly configured on an access device to allow only the ARP packets of authorized clients to be forwarded and to prevent user spoofing and gateway spoofing.

ARP detection includes ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses, ARP detection based on specified objects, and ARP restricted forwarding.

NOTE:
If both the ARP detection based on specified objects and the ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses are enabled, the former applies first, and then the latter applies.

Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses

With this feature enabled, the device compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses to prevent spoofing.

After you enable this feature for a VLAN:

1. Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against the static IP source guard binding entries. If a match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found, the device compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.
2. If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. ARP detection based on OUI MAC addresses means that if the sender MAC address of the received ARP packet is an OUI MAC address and voice VLAN is enabled, the packet is considered valid.
3. If no match is found, the ARP packet is considered invalid and is discarded.
4. Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP packet.
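The order of checks in steps 1 to 4, modelled as an added Python example (not code from the manual or the device firmware). The `Bindings` container, the function names and the sample addresses are constructed for illustration, and the OUI match is assumed to be a 24-bit prefix comparison.

```python
from dataclasses import dataclass, field

def norm(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

@dataclass
class Bindings:  # hypothetical container, not a device data structure
    static: dict = field(default_factory=dict)       # IP -> MAC (static IP source guard)
    dhcp_snooping: set = field(default_factory=set)  # {(IP, normalized MAC)}
    dot1x: set = field(default_factory=set)          # {(IP, normalized MAC)}
    oui: set = field(default_factory=set)            # {first 6 hex digits of a MAC}
    voice_vlan_enabled: bool = False

def arp_detect(b, sender_ip, sender_mac, trusted_port=False):
    """Return (verdict, reason) using the order of checks in steps 1 to 4."""
    mac = norm(sender_mac)
    if trusted_port:                                 # step 4: no check at all
        return "forward", "trusted port, not checked"
    if sender_ip in b.static:                        # step 1: static bindings first
        if norm(b.static[sender_ip]) == mac:
            return "forward", "static binding match"
        # An IP match with a different MAC is final: later tables are not consulted.
        return "discard", "static binding MAC mismatch"
    if (sender_ip, mac) in b.dhcp_snooping:          # step 2: any one match is enough
        return "forward", "DHCP snooping match"
    if (sender_ip, mac) in b.dot1x:
        return "forward", "802.1X security entry match"
    if b.voice_vlan_enabled and mac[:6] in b.oui:
        return "forward", "OUI MAC address, voice VLAN enabled"
    return "discard", "no matching entry"            # step 3

def sample_bindings():
    """Constructed data: documentation-range IPs and made-up MAC addresses."""
    return Bindings(
        static={"192.0.2.1": "0000-5e00-5301"},      # the gateway's real MAC
        dhcp_snooping={("192.0.2.10", norm("0000-5e00-5310")),
                       ("192.0.2.1", norm("0000-5e00-53ff"))},  # lease claiming gateway IP
        oui={"02aabb"},
        voice_vlan_enabled=True,
    )

if __name__ == "__main__":
    b = sample_bindings()
    for ip, mac in [("192.0.2.1", "0000-5e00-5301"), ("192.0.2.1", "0000-5e00-53ff"),
                    ("192.0.2.10", "00:00:5e:00:53:10"), ("192.0.2.20", "02aa-bb00-0001"),
                    ("192.0.2.30", "0000-5e00-5330")]:
        print(ip, mac, *arp_detect(b, ip, mac))
```

The second sample packet is the gateway-spoofing case: a DHCP snooping entry exists for that IP/MAC pair, but the static binding for the gateway IP is evaluated first and the packet is discarded.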


This manual is also suitable for:

A3100-48 v2
