Configuring Arp Filtering; Configuration Guidelines; Configuration Procedure; Configuration Example - HPE FlexNetwork 7500 Series Security Configuration Manual

[DeviceB-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] arp filter source 10.1.1.1
Verifying the configuration
# Verify that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 discard the incoming ARP packets
whose sender IP address is the IP address of the gateway.

Configuring ARP filtering

The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP
packet against permitted entries. If a match is found, the packet is handled correctly. If not, the
packet is discarded.

Configuration guidelines

Follow these guidelines when you configure ARP filtering:
•
You can configure a maximum of eight permitted entries on an interface.
•
Do not configure both the arp filter source and arp filter binding commands on an interface.
•
If ARP filtering works with ARP attack detection, MFF, ARP snooping, and ARP fast-reply, ARP
filtering applies first.

Configuration procedure

To configure ARP filtering:
Step
1. Enter system view.
2. Enter Layer 2 Ethernet
interface or Layer 2 aggregate
interface view.
3. Enable ARP filtering and
configure a permitted entry.

Configuration example

Network requirements
As shown in
respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234, respectively.
Configure ARP filtering on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Device B to permit
ARP packets from only Host A and Host B.
Command
system-view
interface interface-type
interface-number
arp filter binding ip-address
mac-address
Figure 128, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233,
433
Remarks
N/A
N/A
By default, ARP filtering is
disabled.