H3C S5120-EI Series Operation Manual page 734
Ethernet switches
Hide thumbs
Also See for S5120-EI Series:
- Operation manual (1166 pages) ,
- Command reference manual (242 pages) ,
- Configuration manual (206 pages)
Table of Contents
Advertisement
3)
After you enable ARP detection based on static IP-to-MAC bindings, the device, upon receiving an
ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of
the ARP packet against the static IP-to-MAC bindings.
If an entry with a matching IP address but a different MAC address is found, the ARP packet is
considered invalid and discarded.
If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid
and can pass the detection.
If no match is found, the ARP packet is considered valid and can pass the detection.
If all the detection types are specified, the system uses static IP-to-MAC binding entries first, then
DHCP snooping entries, and then 802.1X security entries. To prevent gateway spoofing, ARP detection
based on IP-to-MAC binding entries is required. After passing this type of ARP detection, users that can
pass ARP detection based on DHCP snooping entries or 802.1X security entries are considered to be
valid. The last two detection types are used to prevent user spoofing. You can select detection types
according to the networking environment.
If all access clients acquire IP addresses through DHCP, it is recommended that you enable DHCP
snooping and ARP detection based on DHCP snooping entries on your access device.
If access clients are small in number and use static IP addresses, it is recommended that you
configure static IP Source Guard binding entries and enable ARP detection based on DHCP
snooping entries on your access device.
If access clients are large in number and most of them use static IP addresses, you need to
configure static IP Source Guard entries one by one. This is tedious work and may cause errors. If
access clients are 802.1X clients, it is recommended that you enable 802.1X authentication,
upload of client IP addresses, and ARP detection based on 802.1X security entries on your access
device. After that, the access device uses mappings between IP addresses, MAC addresses,
VLAN IDs, and ports of 802.1X authentication clients for ARP detection.
Follow these steps to enable ARP detection for a VLAN and specify a trusted port:
To do...
Enter system view
Enter VLAN view
Enable ARP detection for
the VLAN
Return to system view
Enter Ethernet interface
view
Configure the port as a
trusted port
Return to system view
Specify an ARP attack
detection mode
Use the command...
system-view
vlan vlan-id
arp detection enable
quit
interface interface-type
interface-number
arp detection trust
quit
arp detection mode
{ dhcp-snooping | dot1x |
static-bind }
1-7
Remarks
—
—
Required
Disabled by default. That is, ARP
detection based on DHCP snooping
entries/802.1X security entries/static
IP-to-MAC bindings is not enabled by
default.
—
—
Optional
The port is an untrusted port by
default.
—
Required
No ARP attack detection mode is
specified by default; that is, all packets
are considered to be invalid by default.
Advertisement
Chapters
Table of Contents
Troubleshooting
