Configuring ARP filtering
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP
packet against permitted entries. If a match is found, the packet is handled correctly. If not, the
packet is discarded.
Configuration guidelines
Follow these guidelines when you configure ARP filtering:
• You can configure a maximum of eight permitted entries on an interface.
• Do not configure both the arp filter source and arp filter binding commands on an interface.
• If ARP filtering works with ARP detection, MFF, ARP fast-reply, and ARP snooping, ARP filtering
applies first.
Configuration procedure
To configure ARP filtering:
Step                                                                      Command                                      Remarks
1. Enter system view.                                                     system-view                                  N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.  interface interface-type interface-number    N/A
3. Enable ARP filtering and configure a permitted entry.                  arp filter binding ip-address mac-address    By default, ARP filtering is disabled.
Configuration example
Network requirements
As shown in Figure 129, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233,
respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234, respectively.
Configure ARP filtering on FortyGigE 1/1/1 and FortyGigE 1/1/2 of Switch B to permit ARP packets
from only Host A and Host B.
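The sender IP/MAC check and the eight-entry limit described in this section, modelled in Python as an added example (not code from the switch or its vendor). The class and function names, the MAC 000f-e349-9999 and the mapping of Host A to FortyGigE 1/1/1 are assumptions made for illustration; Host A's and Host B's addresses come from the network requirements above.

```python
import ipaddress
import struct

MAX_ENTRIES = 8  # guideline on this page: at most eight permitted entries per interface

def mac_bytes(text):
    """Parse a MAC written in the xxxx-xxxx-xxxx notation used on this page."""
    raw = bytes.fromhex(text.replace("-", ""))
    if len(raw) != 6:
        raise ValueError("bad MAC address: " + text)
    return raw

def ip_bytes(text):
    return ipaddress.IPv4Address(text).packed

class ArpFilterInterface:
    """Model of one interface holding permitted (sender IP, sender MAC) entries."""
    def __init__(self, name):
        self.name, self.entries = name, set()

    def add_binding(self, ip, mac):
        entry = (ip_bytes(ip), mac_bytes(mac))
        if entry not in self.entries and len(self.entries) >= MAX_ENTRIES:
            raise ValueError("%s already has %d permitted entries" % (self.name, MAX_ENTRIES))
        self.entries.add(entry)

    def permits(self, arp):
        """True if the ARP payload's sender IP/MAC pair matches a permitted entry."""
        if len(arp) < 28 or struct.unpack("!HHBBH", arp[:8])[:4] != (1, 0x0800, 6, 4):
            return False  # truncated or non-Ethernet/IPv4 ARP cannot match an entry
        return (arp[14:18], arp[8:14]) in self.entries  # sender IP, sender MAC

def build_arp(oper, s_mac, s_ip, t_mac, t_ip):
    """Build a constructed 28-byte ARP payload (oper 1 = request, 2 = reply)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(s_mac) + ip_bytes(s_ip) + mac_bytes(t_mac) + ip_bytes(t_ip))

def demo():
    # Assumed port mapping (the figure is not reproduced here): Host A on 1/1/1.
    port = ArpFilterInterface("FortyGigE 1/1/1")
    port.add_binding("10.1.1.2", "000f-e349-1233")  # Host A, from the example
    samples = {  # constructed ARP payloads
        "host_a": build_arp(1, "000f-e349-1233", "10.1.1.2", "0000-0000-0000", "10.1.1.3"),
        "spoofed_ip": build_arp(2, "000f-e349-9999", "10.1.1.2", "000f-e349-1234", "10.1.1.3"),
        "host_b": build_arp(1, "000f-e349-1234", "10.1.1.3", "0000-0000-0000", "10.1.1.2"),
    }
    return {name: port.permits(pkt) for name, pkt in samples.items()}
```

Calling demo() shows that only the payload carrying Host A's exact IP and MAC pair is permitted on that interface; the payload that reuses Host A's IP with a different sender MAC, and Host B's own ARP arriving on the wrong port, are both discarded.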