Configuring Arp Sender Ip Address Checking - HPE FlexNetwork 7500 Series Security Configuration Manual

Figure 128 Network diagram (image not included; labels: Device A, Device B, GE1/0/1, GE1/0/2, GE1/0/3, Host A, Host B)
Configuration procedure
# Configure ARP filtering on Device B.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
Verifying the configuration
# Verify that GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP
packets.
# Verify that GigabitEthernet 1/0/2 permits ARP packets from Host B and discards other ARP
packets.

Configuring ARP sender IP address checking

This feature allows a gateway to check the sender IP address of an ARP packet in a VLAN before
ARP learning. If the sender IP address is within the allowed IP address range, the gateway continues
ARP learning. If the sender IP address is out of the range, the gateway treats the ARP packet
as an attack packet and discards it.
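
A model of the check described above, as an added example (not code from the HPE manual or the device): it reads the sender protocol address from an ARP payload and decides whether ARP learning continues. The range 10.1.1.1 to 10.1.1.20, the inclusive bounds, the discard of unparseable payloads and all function names are assumptions; the sample packets are constructed.

```python
import ipaddress
import struct

# ARP payload for Ethernet/IPv4: htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes

def build_arp(oper, sender_mac, sender_ip_addr, target_mac, target_ip_addr):
    """Build a constructed ARP payload for the samples below (MACs as hex strings)."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        bytes.fromhex(sender_mac), ipaddress.IPv4Address(sender_ip_addr).packed,
        bytes.fromhex(target_mac), ipaddress.IPv4Address(target_ip_addr).packed,
    )

def sender_ip(payload):
    """Return the sender protocol address, or None if not a well-formed Ethernet/IPv4 ARP."""
    if len(payload) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, _oper, _sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ipaddress.IPv4Address(spa)

def check_sender_ip(payload, start, end):
    """Return 'learn' if the sender IP is inside [start, end], else 'discard'.
    Assumed in this model: inclusive bounds; unparseable payloads are discarded."""
    spa = sender_ip(payload)
    if spa is None:
        return "discard"
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return "learn" if lo <= spa <= hi else "discard"

# Constructed samples; 10.1.1.1-10.1.1.20 is an assumed allowed range for the VLAN.
RANGE = ("10.1.1.1", "10.1.1.20")
SAMPLES = {
    "in_range": build_arp(1, "000fe3491233", "10.1.1.2", "000000000000", "10.1.1.1"),
    "out_of_range": build_arp(2, "000fe3491234", "192.168.0.5", "000fe3491233", "10.1.1.2"),
    "probe_zero_sender": build_arp(1, "000fe3491233", "0.0.0.0", "000000000000", "10.1.1.2"),
    "truncated": build_arp(1, "000fe3491233", "10.1.1.2", "000000000000", "10.1.1.1")[:20],
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} {check_sender_ip(pkt, *RANGE)}")
```

The `probe_zero_sender` sample is an ARP probe in the style of RFC 5227 (sender IP 0.0.0.0); in this model it falls outside the range and is discarded.
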
When you configure the ARP sender IP address checking feature in a VLAN, follow these restrictions
and guidelines:
• If the VLAN is a sub-VLAN and is associated with a super VLAN, configure this checking feature
  only in the sub-VLAN.
• If Layer 3 communication is configured between the secondary VLANs associated with a
  primary VLAN, configure this feature in the primary VLAN. If Layer 3 communication is not
  configured between the secondary VLANs associated with a primary VLAN, configure this
  feature in the intended VLAN.
To configure the ARP sender IP address checking feature:
Step                     Command        Remarks
1. Enter system view.    system-view    N/A
