Configuring Arp Gateway Protection; Introduction; Configuration Procedure - HP 3600 v2 Series Security Configuration Manual

To do...
Return to system view
Enable fixed ARP
NOTE:
• IP addresses existing in ARP entries are not scanned.
ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP
•
entries are created based on ARP replies received before the scan is terminated.
The static ARP entries changed from dynamic ARP entries have the same attributes as the manually
•
configured static ARP entries.
Use the arp fixup command to change the existing dynamic ARP entries into static ARP entries. You can
•
use this command again to change the dynamic ARP entries learned later into static ARP entries.
The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static
•
ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries
into static ARP entries.
• To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address
[ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp
static command.

Configuring ARP gateway protection

Introduction

The ARP gateway protection feature, if configured on ports not connected with the gateway, can block
gateway spoofing attacks.
When such a port receives an ARP packet, it checks whether the sender IP address in the packet is
consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet
normally.

Configuration procedure

Follow these steps to configure ARP gateway protection:
To do...
Enter system view
Enter Layer 2 Ethernet interface
view/Layer 2 aggregate interface
view
Enable ARP gateway protection for a
specified gateway
Use the command...
quit
arp fixup
Use the command...
system-view
interface interface-type
interface-number
arp filter source ip-address
346
Remarks
—
Required
Remarks
—
—
Required
Disabled by default.