Configuration Example; Configuring ARP Filtering; Configuration Guidelines - HPE FlexNetwork 5510 HI Series Security Configuration Manual


Configuration example

Network requirements
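As shown in Figure 128, Host B launches gateway spoofing attacks against Switch B. As a result, traffic
that Switch B intends to send to Switch A is sent to Host B.
Configure Switch B to block such attacks.
Figure 128 Network diagram (labels in the figure: Switch A, Gateway 10.1.1.1/24, Switch B, GE1/0/1, GE1/0/2, GE1/0/3, Host A, Host B)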
Configuration procedure
# Configure ARP gateway protection on Switch B.
<SwitchB> system-view
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter source 10.1.1.1
Verifying the configuration
# Verify that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 discard the incoming ARP packets
whose sender IP address is the IP address of the gateway.

Configuring ARP filtering

The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP
packet against permitted entries. If a match is found, the packet is handled correctly. If not, the
packet is discarded.

Configuration guidelines

Follow these guidelines when you configure ARP filtering:
You can configure a maximum of eight permitted entries on an interface.
Do not configure both the arp filter source and arp filter binding commands on an interface.
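
The two guidelines above can be checked against an intended configuration before it is pushed to a switch. The following is an added example, not part of the HPE manual: a Python audit that flags interfaces carrying both commands or more than eight permitted entries. The sample configuration is constructed, and the "arp filter binding <ip> <mac>" argument order and MAC notation are assumptions, since this page does not show that command's syntax.

```python
import re
from collections import defaultdict

MAX_BINDINGS = 8  # per-interface limit stated in the guidelines above

# Constructed sample in the style of a saved Comware configuration.
# Assumption: "arp filter binding" takes an IP address, then a MAC address.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 arp filter source 10.1.1.1
#
interface GigabitEthernet1/0/2
 arp filter source 10.1.1.1
 arp filter binding 10.1.1.20 000f-e349-1233
#
interface GigabitEthernet1/0/3
""" + "".join(
    f" arp filter binding 10.1.1.{n} 000f-e349-12{n:02x}\n" for n in range(30, 39)
) + "#\n"


def parse_arp_filters(config):
    """Return {interface: {"source": [ips], "binding": [(ip, mac)]}}."""
    result = defaultdict(lambda: {"source": [], "binding": []})
    current = None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
        elif line.strip() == "#":  # "#" closes an interface stanza
            current = None
        elif current and (m := re.match(r"\s+arp filter (source|binding) (.+)", line)):
            args = m.group(2).split()
            entry = args[0] if m.group(1) == "source" else tuple(args[:2])
            result[current][m.group(1)].append(entry)
    return dict(result)


def audit(config):
    """Return a sorted list of (interface, finding) guideline violations."""
    findings = []
    for ifname, f in parse_arp_filters(config).items():
        if f["source"] and f["binding"]:
            findings.append((ifname, "both arp filter source and arp filter binding"))
        if len(f["binding"]) > MAX_BINDINGS:
            findings.append((ifname, f"{len(f['binding'])} binding entries exceed {MAX_BINDINGS}"))
    return sorted(findings)
```

Calling audit(SAMPLE_CONFIG) reports GigabitEthernet1/0/2 for mixing the two commands and GigabitEthernet1/0/3 for its nine binding entries; GigabitEthernet1/0/1, which has only the gateway protection entry, passes.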
