Configuring Arp Filtering; Configuration Guidelines; Configuration Procedure; Configuration Example - HPE FlexFabric 7900 Series Security Configuration Manual


[SwitchB-FortyGigE1/0/2] arp filter source 10.1.1.1
Verifying the configuration
# Verify that FortyGigE 1/0/1 and FortyGigE 1/0/2 discard the incoming ARP packets whose sender
IP address is the IP address of the gateway.

Configuring ARP filtering

IMPORTANT:
This feature is available in Release 2137 and later versions.
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP
packet against permitted entries. If a match is found, the packet is handled correctly. If not, the
packet is discarded.

Configuration guidelines

When you configure ARP filtering, follow these guidelines:
- You can configure a maximum of eight permitted entries on an interface.
- Do not configure both the arp filter source and arp filter binding commands on an interface.
- If ARP filtering works with ARP detection, MFF, and ARP snooping, ARP filtering applies first.

Configuration procedure

To configure ARP filtering:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
| 3. Enable ARP filtering and configure a permitted entry. | arp filter binding ip-address mac-address | By default, ARP filtering is disabled. |

Configuration example

Network requirements
As shown in Figure 56, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233,
respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234, respectively.
Configure ARP filtering on FortyGigE 1/0/1 and FortyGigE 1/0/2 of Switch B to permit ARP packets
from only Host A and Host B.
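
The permit check described above, modelled in Python as an added example (not HPE code and not part of the manual): it applies the Host A and Host B bindings from the configuration example to ARP payloads and shows which ones an interface would keep. The class and function names are hypothetical, the ARP payloads and the 000f-e349-9999 MAC are constructed, and treating 10.1.1.1 as the gateway is an assumption taken from the arp filter source command at the top of the page.

```python
import socket
import struct

MAX_ENTRIES = 8  # per-interface limit from the configuration guidelines

def parse_mac(text):
    """Convert H-H-H notation (000f-e349-1233) to 6 raw bytes."""
    digits = text.replace("-", "")
    if len(digits) != 12:
        raise ValueError("bad MAC: " + text)
    return bytes.fromhex(digits)

class ArpFilter:
    """Hypothetical model of `arp filter binding` on one interface."""
    def __init__(self):
        self.bindings = set()

    def permit(self, ip, mac):
        entry = (socket.inet_aton(ip), parse_mac(mac))
        if entry not in self.bindings and len(self.bindings) >= MAX_ENTRIES:
            raise ValueError("at most %d permitted entries" % MAX_ENTRIES)
        self.bindings.add(entry)

    def accepts(self, arp_payload):
        """True only if the sender IP and MAC pair matches a permitted entry."""
        if len(arp_payload) < 28:
            return False  # truncated payload cannot match, so it is discarded
        htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", arp_payload[:8])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return False  # not an Ethernet/IPv4 ARP packet
        sender_mac, sender_ip = arp_payload[8:14], arp_payload[14:18]
        return (sender_ip, sender_mac) in self.bindings

def build_arp(sender_ip, sender_mac, target_ip, op=1):
    """Constructed sample input: a 28-byte Ethernet/IPv4 ARP payload."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + parse_mac(sender_mac) + socket.inet_aton(sender_ip)
            + b"\x00" * 6 + socket.inet_aton(target_ip))

def demo():
    port = ArpFilter()
    port.permit("10.1.1.2", "000f-e349-1233")  # Host A
    port.permit("10.1.1.3", "000f-e349-1234")  # Host B
    samples = {  # all payloads below are constructed
        "host_a": build_arp("10.1.1.2", "000f-e349-1233", "10.1.1.1"),
        "host_b": build_arp("10.1.1.3", "000f-e349-1234", "10.1.1.1"),
        "wrong_mac": build_arp("10.1.1.2", "000f-e349-9999", "10.1.1.1"),
        "gateway_ip": build_arp("10.1.1.1", "000f-e349-1233", "10.1.1.3"),
    }
    return {name: port.accepts(pkt) for name, pkt in samples.items()}
```

Calling `demo()` returns the verdict per sample: the two bound hosts pass, while a permitted IP paired with the wrong MAC and a sender claiming the assumed gateway IP are both discarded.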
