Table of Contents
Advertisement
Step
1.
Enter system view.
2.
Enable ARP packet source MAC
address consistency check.
Configuring ARP active acknowledgement
Configure this feature on gateways to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
In strict mode, a gateway performs more strict validity checks before creating an ARP entry:
•
Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but
does not create an ARP entry.
•
Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP
address:
If yes, the gateway performs active acknowledgement. When the ARP reply is verified as
valid, the gateway creates an ARP entry.
If no, the gateway discards the packet.
To configure ARP active acknowledgement:
Step
1.
Enter system view.
2.
Enable the ARP active
acknowledgement feature.
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP
server or dynamic client entries on the DHCP relay agent. For more information about DHCP server
and DHCP relay agent, see Layer 3—IP Services Configuration Guide.
With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries. This
feature prevents user spoofing and allows only authorized clients to access network resources.
Configuration procedure
To enable authorized ARP:
Step
1.
Enter system view.
2.
Enter interface view.
Command
system-view
arp valid-check enable
Command
system-view
arp active-ack
[ strict ] enable
Command
system-view
interface interface-type
interface-number
408
Remarks
N/A
By default, ARP packet source
MAC address consistency
check is disabled.
Remarks
N/A
By default, this feature is disabled.
Remarks
N/A
The device supports the following
interface types:
•
Layer 3 Ethernet interface.
•
Layer 3 Ethernet subinterface.
•
Layer 3 aggregate interface.
•
Layer 3 aggregate
Advertisement
Table of Contents
Troubleshooting
