Configuring Arp Packet Source Mac Consistency Check; Configuring Arp Active Acknowledgement - HP FlexNetwork 10500 Series Security Configuration Manual

[Device] arp source-mac filter
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
[Device] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet
header is different from the sender MAC address in the message body. This feature allows the
gateway to learn correct ARP entries.
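
The comparison described above, as an added example (not code from the manual or from the device): a Python function that applies the same rule to raw Ethernet frames, for instance to see which ARP packets in a capture the gateway would filter. The names `check_arp_frame` and `build_arp` are hypothetical, the MAC and IP addresses are constructed, and stepping over a single 802.1Q tag is an assumption about where the frames were captured.

```python
import socket
import struct

ETH_P_ARP, ETH_P_8021Q = 0x0806, 0x8100

def fmt_mac(mac: bytes) -> str:
    """Format a MAC in the device's xxxx-xxxx-xxxx notation."""
    return "-".join(mac.hex()[i:i + 4] for i in range(0, 12, 4))

def check_arp_frame(frame: bytes):
    """Return (verdict, detail); verdict is pass, drop, not-arp or malformed."""
    if len(frame) < 14:
        return "malformed", "truncated Ethernet header"
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if ethertype == ETH_P_8021Q:          # step over a single 802.1Q tag
        if len(frame) < 18:
            return "malformed", "truncated VLAN tag"
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        off = 18
    if ethertype != ETH_P_ARP:
        return "not-arp", f"ethertype 0x{ethertype:04x}"
    if len(frame) < off + 28:
        return "malformed", "truncated ARP body"
    htype, ptype, hlen, plen, _oper = struct.unpack_from("!HHBBH", frame, off)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "malformed", "not Ethernet/IPv4 ARP"
    sender_mac = frame[off + 8:off + 14]  # sender MAC in the ARP message body
    sender_ip = socket.inet_ntoa(frame[off + 14:off + 18])
    if sender_mac != eth_src:             # the consistency check itself
        return "drop", (f"{sender_ip}: Ethernet source {fmt_mac(eth_src)} "
                        f"!= ARP sender {fmt_mac(sender_mac)}")
    return "pass", f"{sender_ip} is at {fmt_mac(sender_mac)}"

def build_arp(eth_src, sender_mac, sender_ip, target_ip, oper=2, vlan=None):
    """Build a constructed test frame (broadcast destination, zero target MAC)."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    eth = b"\xff" * 6 + eth_src + tag + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sender_mac
           + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip))
    return eth + arp

# Constructed sample addresses (locally administered MACs, RFC 5737 IPs).
HOST_A, HOST_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

if __name__ == "__main__":
    for src in (HOST_A, HOST_B):  # second frame has a mismatched Ethernet source
        print(*check_arp_frame(build_arp(src, HOST_A, "192.0.2.10", "192.0.2.1")))
```
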
To enable ARP packet source MAC address consistency check:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable ARP packet source MAC address consistency check. | arp valid-check enable | By default, ARP packet source MAC address consistency check is disabled. |

Configuring ARP active acknowledgement

Configure this feature on gateways to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
In strict mode, a gateway performs more strict validity checks before creating an ARP entry:
- Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but does not create an ARP entry.
- Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP address:
  - If yes, the gateway performs active acknowledgement. When the ARP reply is verified as valid, the gateway creates an ARP entry.
  - If no, the gateway discards the packet.

To configure ARP active acknowledgement:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the ARP active acknowledgement feature. | arp active-ack [ strict ] enable | By default, this feature is disabled. |
