Configuration Example; Configuring ARP Filtering; Configuration Guidelines - H3C S5830V2 Security Configuration Manual


Configuration example

Network requirements
As shown in Figure 71, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.
Configure Switch B to block such attacks.
Figure 71 Network diagram
Configuration procedure
# Configure ARP gateway protection on Switch B.
<SwitchB> system-view
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[SwitchB-Ten-GigabitEthernet1/0/1] quit
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] arp filter source 10.1.1.1
After the configuration is complete, Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.

Configuring ARP filtering

The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled normally. If not, the packet is discarded.

Configuration guidelines

Follow these guidelines when you configure ARP filtering:
You can configure a maximum of eight permitted entries on an interface.
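
The two checks described on this page, modelled in Python as an added example (not H3C code and not part of the original manual): gateway protection drops ARP packets whose sender IP address is the protected gateway address, and ARP filtering accepts only packets whose sender IP and MAC addresses match one of at most eight permitted entries. The function and class names, the sample packet builder and the choice to discard malformed packets are assumptions made for illustration.

```python
import ipaddress
import struct

MAX_ENTRIES = 8  # per-interface limit stated in the configuration guidelines


def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sender_mac = payload[8:14].hex(":")
    sender_ip = str(ipaddress.IPv4Address(payload[14:18]))
    return sender_mac, sender_ip


def gateway_protection_drops(payload: bytes, gateway_ip: str) -> bool:
    """Gateway protection model: drop when sender IP is the gateway's IP."""
    return parse_arp(payload)[1] == gateway_ip


class ArpFilter:
    """ARP filtering model: permit only listed (sender IP, sender MAC) pairs."""

    def __init__(self):
        self.permitted = set()

    def permit(self, ip: str, mac: str):
        entry = (ip, mac.lower())
        if entry not in self.permitted and len(self.permitted) >= MAX_ENTRIES:
            raise ValueError("interface already holds eight permitted entries")
        self.permitted.add(entry)

    def accepts(self, payload: bytes) -> bool:
        try:
            mac, ip = parse_arp(payload)
        except ValueError:
            return False  # assumption of this model: malformed ARP is discarded
        return (ip, mac) in self.permitted


def sample_arp(sender_mac: str, sender_ip: str, target_ip: str, oper: int = 2) -> bytes:
    """Build a constructed ARP payload (bytes only) to exercise the checks."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + bytes.fromhex(sender_mac.replace(":", ""))
            + ipaddress.IPv4Address(sender_ip).packed
            + bytes(6) + ipaddress.IPv4Address(target_ip).packed)
```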


This manual is also suitable for:

S5820v2
