Configuring ARP Detection Based on Specified Objects - HP 5120 SI Series Security Configuration Manual


NOTE:
- Static IP Source Guard binding entries are created by using the user-bind command. For more information, see the chapter "IP source guard configuration."
- Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For more information, see the Layer 3—IP Services Configuration Guide.
- 802.1X security entries are generated by the 802.1X function. For more information, see the chapter "802.1X configuration."
- For more information about voice VLANs and OUI MAC addresses, see the Layer 2—LAN Switching Configuration Guide.

Follow these steps to enable ARP detection for a VLAN and specify a trusted port:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enter VLAN view | vlan vlan-id | - |
| Enable ARP detection for the VLAN | arp detection enable | Required. ARP detection based on static IP Source Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses is not enabled by default. |
| Return to system view | quit | - |
| Enter Layer 2 Ethernet port view/Layer 2 aggregate interface view | interface interface-type interface-number | - |
| Configure the port as a trusted port on which ARP detection does not apply | arp detection trust | Optional. The port is an untrusted port by default. |

NOTE:
- When configuring this feature, you need to configure ARP detection based on at least static IP Source Guard binding entries, DHCP snooping entries, or 802.1X security entries. Otherwise, all ARP packets received from an ARP untrusted port will be discarded, except the ARP packets with an OUI MAC address as the sender MAC address when voice VLAN is enabled.
- When configuring an IP Source Guard binding entry, you need to specify the VLAN; otherwise, no ARP packet will pass the ARP detection based on static IP Source Guard binding entries.

Configuring ARP detection based on specified objects

With this feature configured, the switch permits the ARP packets received from an ARP trusted port to pass directly, and checks the ARP packets received from an ARP untrusted port. You can specify objects in the ARP packets to be detected. The objects involve:
- src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet is discarded.
- dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
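The src-mac and dst-mac checks described above, modelled in Python as an added example (not HP's code and not the switch implementation). It assumes untagged Ethernet II frames carrying IPv4-over-Ethernet ARP; the function names, the sample MAC addresses and the sample frames are constructed for illustration.

```python
import struct

ARP_REPLY = 2
ZERO_MAC, ONES_MAC = bytes(6), b"\xff" * 6

def parse_arp_frame(frame: bytes) -> dict:
    """Parse an untagged Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, _spa, tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sender_mac": sha, "target_mac": tha}

def check_src_mac(pkt: dict) -> bool:
    """src-mac: ARP sender MAC must equal the Ethernet source MAC."""
    return pkt["sender_mac"] == pkt["eth_src"]

def check_dst_mac(pkt: dict) -> bool:
    """dst-mac: for ARP replies, the target MAC must not be all-zero or
    all-one and must match the Ethernet destination MAC."""
    if pkt["oper"] != ARP_REPLY:
        return True  # the check applies to replies only
    tha = pkt["target_mac"]
    return tha not in (ZERO_MAC, ONES_MAC) and tha == pkt["eth_dst"]

CHECKS = {"src-mac": check_src_mac, "dst-mac": check_dst_mac}

def arp_detect(frame: bytes, objects=("src-mac", "dst-mac")) -> str:
    """Return 'forward' if every selected check passes, else 'discard'."""
    pkt = parse_arp_frame(frame)
    return "forward" if all(CHECKS[o](pkt) for o in objects) else "discard"

def build_frame(eth_dst, eth_src, oper, sha, tha) -> bytes:
    """Build a constructed sample frame (IP fields are fixed placeholders)."""
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      sha, bytes([192, 0, 2, 1]), tha, bytes([192, 0, 2, 2]))
    return eth_dst + eth_src + struct.pack("!H", 0x0806) + arp

# Constructed locally administered MACs for the samples below.
HOST_A, HOST_B, HOST_C = (bytes.fromhex("02000000000" + d) for d in "123")
if __name__ == "__main__":
    print(arp_detect(build_frame(HOST_A, HOST_B, ARP_REPLY, HOST_B, HOST_A)))
    print(arp_detect(build_frame(HOST_A, HOST_B, ARP_REPLY, HOST_C, HOST_A)))
```

The second sample frame carries a sender MAC that differs from the Ethernet source MAC, so it fails src-mac and is discarded.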
