SSL security mechanism ······································································································································ 138

SSL protocol stack ··············································································································································· 138

SSL configuration task list ············································································································································ 139

Configuring an SSL server policy ······························································································································· 139

Configuring an SSL client policy ································································································································ 140

Displaying and maintaining SSL ································································································································· 141

Configuring IP source guard ·································································································································· 142

Overview ······································································································································································· 142

Static IP source guard binding entries ··············································································································· 142

Dynamic IP source guard binding entries ········································································································· 143

IP source guard configuration task list ······················································································································· 143

Configuring the IPv4 source guard function ·············································································································· 144

Enabling IPv4 source guard on an interface ···································································································· 144

Configuring a static IPv4 source guard binding entry····················································································· 145

Configuring the IPv6 source guard function ·············································································································· 145

Enabling IPv6 source guard on an interface ···································································································· 146

Configuring a static IPv6 source guard binding entry····················································································· 146

Displaying and maintaining IP source guard ············································································································ 147

IP source guard configuration examples ··················································································································· 147

Static IPv4 source guard configuration example ····························································································· 147

Dynamic IPv4 source guard using DHCP snooping configuration example ················································· 149

Dynamic IPv4 source guard using DHCP relay configuration example ························································ 150

Static IPv6 source guard configuration example ····························································································· 151

Configuring ARP attack protection ························································································································· 153

ARP attack protection configuration task list ············································································································· 153

Configuring unresolvable IP attack protection ·········································································································· 153

Configuring ARP source suppression ················································································································ 154

Enabling ARP blackhole routing ························································································································ 154

Displaying and maintaining unresolvable IP attack protection ······································································ 154

Configuration example ······································································································································· 154

Configuring ARP packet rate limit ······························································································································ 155

Configuration guidelines ···································································································································· 156

Configuration procedure ···································································································································· 156

Configuring source MAC-based ARP attack detection ···························································································· 157

Displaying and maintaining source MAC-based ARP attack detection ························································· 157

Configuring ARP packet source MAC consistency check ························································································ 159

Configuring ARP active acknowledgement ··············································································································· 159

Configuring ARP detection ·········································································································································· 159

Configuring user validity check ························································································································· 160

Configuring ARP packet validity check ············································································································· 160

Configuring ARP restricted forwarding ············································································································· 161

Displaying and maintaining ARP detection ······································································································ 161

User validity check and ARP packet validity check configuration example ·················································· 162

Configuring ARP automatic scanning and fixed ARP ······························································································· 163

Configuring ARP gateway protection ························································································································ 164

Configuring ARP filtering ············································································································································· 165