After the above configuration is complete, Switch B will discard the ARP packets whose source IP
address is that of the gateway.
Configuring ARP Filtering
Introduction
To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of
ARP packets on a port as follows:
The port checks the sender IP and MAC addresses in a received ARP packet against configured ARP
filtering entries. If a match is found, the packet is handled normally. If not, the packet is discarded.
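The check described above, modelled in Python as an added example (not code from the original guide or from the switch software). It reuses the Host A and Host B addresses and the eight-entry limit given on this page; the port-to-host wiring, the helper names and the sample frames are assumptions constructed for illustration.

```python
import ipaddress
import struct

MAX_ENTRIES = 8  # per-port limit stated on this page

def mac_bytes(mac: str) -> bytes:
    """Convert 'xxxx-xxxx-xxxx' notation to 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return raw

def build_arp(eth_src: str, sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a constructed broadcast ARP request (Ethernet II framing)."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

def arp_sender(frame: bytes):
    """Return (sender_ip, sender_mac) from the ARP payload, or None if not valid ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return str(ipaddress.IPv4Address(frame[28:32])), frame[22:28]

class ArpFilterPort:
    """Models one port: permit only ARP whose sender IP *and* MAC match an entry."""
    def __init__(self, name: str):
        self.name, self.entries = name, set()
    def bind(self, ip: str, mac: str):
        if len(self.entries) >= MAX_ENTRIES:
            raise ValueError(f"{self.name}: at most {MAX_ENTRIES} entries per port")
        self.entries.add((str(ipaddress.IPv4Address(ip)), mac_bytes(mac)))
        return self
    def permits(self, frame: bytes) -> bool:
        sender = arp_sender(frame)
        return sender is not None and sender in self.entries

A, B = "000f-e349-1233", "000f-e349-1234"  # Host A and Host B MACs from this page
# Assumed wiring: Host A on GigabitEthernet1/0/1, Host B on GigabitEthernet1/0/2.
ge1 = ArpFilterPort("GigabitEthernet1/0/1").bind("10.1.1.2", A)
ge2 = ArpFilterPort("GigabitEthernet1/0/2").bind("10.1.1.3", B)
legit = build_arp(A, A, "10.1.1.2", "10.1.1.3")  # Host A announcing its own binding
spoof = build_arp(A, A, "10.1.1.3", "10.1.1.2")  # Host A claiming Host B's IP
print(ge1.permits(legit), ge1.permits(spoof), ge2.permits(legit))
```

The model compares the sender fields carried in the ARP payload, so a frame is judged by what it claims in ARP, and the same frame can be permitted on one port and discarded on another.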
Configuration Procedure
Follow these steps to configure ARP filtering:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Layer 2 Ethernet interface view | interface interface-type interface-number | — |
| Configure an ARP filtering entry | arp filter binding ip-address mac-address | Required. Not configured by default. |

You can configure up to eight ARP filtering entries on a port.
Commands arp filter source and arp filter binding cannot both be configured on a port.
If ARP filtering works with ARP detection, MFF, and ARP snooping, ARP filtering applies first.
ARP Filtering Configuration Example
Network requirements
As shown in Figure 1-4, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233 respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234 respectively.
Configure ARP filtering on GigabitEthernet1/0/1 and GigabitEthernet1/0/2 of Switch B to permit specific ARP packets only.