Configuring ARP Detection Based on Specified Objects - HP 3600 v2 Series Security Configuration Manual


NOTE:
- Static IP source guard binding entries are created by using the ip source binding command. For more information, see the chapter "IP source guard configuration."
- Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For more information, see Layer 3—IP Services Configuration Guide.
- 802.1X security entries are generated in this case. After a client passes 802.1X authentication and uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X security entry. Therefore, the 802.1X client must be able to upload its IP address to the device. For more information, see the chapter "802.1X configuration."
- For more information about voice VLANs and OUI MAC addresses, see Layer 2—LAN Switching Configuration Guide.
Follow these steps to enable ARP detection for a VLAN and specify a trusted port:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter VLAN view | vlan vlan-id | |
| Enable ARP detection for the VLAN | arp detection enable | Required. ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses is disabled by default. |
| Return to system view | quit | |
| Enter Layer 2 Ethernet interface/Layer 2 aggregate interface view | interface interface-type interface-number | |
| Configure the port as a trusted port on which ARP detection does not apply | arp detection trust | Optional. The port is an untrusted port by default. |

NOTE:
When configuring this feature, you need to configure ARP detection based on at least static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries. Otherwise, all ARP packets received from an ARP untrusted port will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.

Configuring ARP detection based on specified objects

With this feature configured, the device permits the ARP packets received from an ARP trusted port, and checks the ARP packets received from an ARP untrusted port. You can specify objects in the ARP packets to be checked. The objects involve:
- src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet is discarded.
- dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
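
The src-mac and dst-mac checks described above, written out as an added Python example (not HP's code or the device's implementation). It assumes untagged Ethernet II frames carrying Ethernet/IPv4 ARP; the function names and the sample MAC and IP addresses are constructed for illustration.

```python
import struct

ARP_REPLY = 2
ZERO_MAC, ONES_MAC = b"\x00" * 6, b"\xff" * 6

def mac(text):
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(eth_dst, eth_src, oper, sender_mac, target_mac,
                sender_ip=b"\x0a\x00\x00\x01", target_ip=b"\x0a\x00\x00\x02"):
    """Constructed test input: Ethernet II header plus Ethernet/IPv4 ARP body."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp

def check_arp(frame, objects=("src-mac", "dst-mac")):
    """Return (forward, reason) for an ARP frame seen on an untrusted port."""
    if len(frame) < 42:
        raise ValueError("too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    # Skip htype/ptype/hlen/plen (6 bytes), then opcode and the four addresses.
    oper, sender_mac, _, target_mac, _ = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    # src-mac: ARP sender MAC must equal the Ethernet source MAC.
    if "src-mac" in objects and sender_mac != eth_src:
        return False, "src-mac: sender MAC differs from Ethernet source MAC"
    # dst-mac: applies to ARP replies only.
    if "dst-mac" in objects and oper == ARP_REPLY:
        if target_mac in (ZERO_MAC, ONES_MAC):
            return False, "dst-mac: target MAC is all-zero or all-one"
        if target_mac != eth_dst:
            return False, "dst-mac: target MAC differs from Ethernet destination MAC"
    return True, "passed configured checks"

HOST_A, HOST_B, OTHER = mac("00:11:22:33:44:55"), mac("66:77:88:99:aa:bb"), mac("02:00:00:00:00:01")
SAMPLES = {  # constructed frames, not captured traffic
    "valid reply": build_frame(HOST_A, HOST_B, ARP_REPLY, HOST_B, HOST_A),
    "sender MAC mismatch": build_frame(HOST_A, HOST_B, ARP_REPLY, OTHER, HOST_A),
    "reply with zero target": build_frame(HOST_A, HOST_B, ARP_REPLY, HOST_B, ZERO_MAC),
    "broadcast request": build_frame(ONES_MAC, HOST_B, 1, HOST_B, ZERO_MAC),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {check_arp(frame)}")
```

The broadcast request passes even though its target MAC is all-zero, because the dst-mac object only inspects ARP replies.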


This manual is also suitable for:

A3100-48 v2
