Arp Restricted Forwarding Configuration Example - HPE FlexNetwork 7500 Series Security Configuration Manual

# Enable ARP attack detection for VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] arp detection enable
# Configure the upstream interface as a trusted interface. By default, an interface is an
untrusted interface.
[DeviceB-vlan10] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] arp detection trust
[DeviceB-GigabitEthernet1/0/3] quit
# Configure a static IP source guard binding entry on interface GigabitEthernet 1/0/2 for user
validity check.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address
0001-0203-0607 vlan 10
[DeviceB-GigabitEthernet1/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP
packets.
[DeviceB] arp detection validate dst-mac ip src-mac
After the configurations are completed, Device B first checks the validity of ARP packets
received on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. If the ARP packets are confirmed
valid, Device B performs user validity check by using the static IP source guard bindings and
finally DHCP snooping entries.

ARP restricted forwarding configuration example

Network requirements
As shown in
detection is configured. Port isolation configured on Device B can take effect for broadcast ARP
requests.
Figure 126 Network diagram
Device A
DHCP snooping
Device B
GE1/0/1
Host A
DHCP client
Configuration procedure
1. Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of VLAN-interface
10 on Device A. (Details not shown.)
Figure 126, configure ARP restricted forwarding on Device B where ARP attack
Gateway
DHCP server
GE1/0/3
Vlan-int10
10.1.1.1/24
VLAN 10
GE1/0/3
GE1/0/2
Host B
10.1.1.6
0001-0203-0607
429