Security Entries - HP A5830 Series Configuration Manual

If both ARP detection based on specified objects and ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries are enabled, the former applies first and then the latter.
Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries
With this feature enabled, the device compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries to prevent spoofing.

When you configure this feature, you must configure at least one of these sources: static IP source guard binding entries, DHCP snooping entries, or 802.1X security entries. Otherwise, all ARP packets received from an ARP untrusted port are discarded.

When you configure an IP source guard binding entry, you must specify the VLAN. Otherwise, no ARP packet passes the ARP detection based on static IP source guard binding entries.
After you enable this feature for a VLAN, the following occurs:

1. Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against the static IP source guard binding entries.
   a. If a match is found, the ARP packet is considered valid and is forwarded.
   b. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded.
2. If no entry with a matching IP address is found, the device compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries and 802.1X security entries.
   a. If a match is found in any of the entries, the ARP packet is considered valid and is forwarded.
   b. If no match is found, the ARP packet is considered invalid and is discarded.
3. Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP packet.
Static IP source guard binding entries are created by using the ip source binding command. For more information, see "Configuring IP source guard."

Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For more information, see Layer 3—IP Services Configuration Guide.

802.1X security entries are generated in this case: after a client passes 802.1X authentication and uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X security entry. Therefore, the 802.1X client must be able to upload its IP address to the device. For more information, see "Configuring 802.1X."

To enable ARP detection for a VLAN and specify a trusted port:

To do...                              Use the command...      Remarks
1. Enter system view.                 system-view             -
2. Enter VLAN view.                   vlan vlan-id            -
3. Enable ARP detection for           arp detection enable    Required.
   the VLAN.                                                  ARP detection based on static IP source
                                                              guard binding entries/DHCP snooping
                                                              entries/802.1X security entries is
                                                              disabled by default.
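The three-step check described above, worked through as an added Python example (not HP code or device firmware; the entry tables, VLAN, port names and addresses are constructed). It makes the two discard paths explicit: an IP that is statically bound to a different MAC is dropped at step 1b before the DHCP snooping and 802.1X tables are ever consulted, while an IP unknown to all three tables falls through to step 2b, and a binding whose VLAN does not match never matches at all.

```python
# ARP detection decision logic modelled on the manual text above. Added
# illustration only; every table, VLAN, port and address below is constructed.
from dataclasses import dataclass

@dataclass
class DetectionConfig:
    trusted_ports: set
    # Each table maps (vlan, ip) -> mac. The manual requires a VLAN on every
    # static IP source guard binding; a binding without one never matches.
    static_bindings: dict
    dhcp_snooping: dict
    dot1x_entries: dict

def check_arp(cfg, vlan, port, sender_ip, sender_mac):
    """Return (forward, reason) for one ARP packet, following steps 1 to 3."""
    if port in cfg.trusted_ports:              # step 3: trusted ports skip the check
        return True, "trusted port, not checked"
    key, mac = (vlan, sender_ip), sender_mac.lower()
    static_mac = cfg.static_bindings.get(key)  # step 1: static bindings first
    if static_mac is not None:
        if static_mac.lower() == mac:
            return True, "matched static IP source guard binding"   # 1a
        # 1b: IP bound to another MAC; discarded without consulting the
        # dynamic tables, so a stale static binding overrides DHCP/802.1X.
        return False, "IP matches static binding but MAC differs"
    for name, table in (("DHCP snooping", cfg.dhcp_snooping),      # step 2
                        ("802.1X security", cfg.dot1x_entries)):
        if table.get(key, "").lower() == mac:
            return True, f"matched {name} entry"                     # 2a
    return False, "no matching entry"                                # 2b

# Constructed sample tables for VLAN 10; GE1/0/1 is the ARP trusted port.
SAMPLE_CFG = DetectionConfig(
    trusted_ports={"GE1/0/1"},
    static_bindings={(10, "192.0.2.10"): "00aa-bb00-0001"},
    dhcp_snooping={(10, "192.0.2.20"): "00aa-bb00-0002"},
    dot1x_entries={(10, "192.0.2.30"): "00aa-bb00-0003"},
)

def demo():  # one packet per branch; returns the list of (forward, reason)
    cases = [
        (10, "GE1/0/2", "192.0.2.10", "00aa-bb00-0001"),  # 1a: forwarded
        (10, "GE1/0/2", "192.0.2.10", "00aa-bb00-00ff"),  # 1b: discarded
        (10, "GE1/0/2", "192.0.2.30", "00aa-bb00-0003"),  # 2a: forwarded
        (10, "GE1/0/2", "192.0.2.40", "00aa-bb00-0004"),  # 2b: discarded
        (10, "GE1/0/1", "192.0.2.40", "00aa-bb00-0004"),  # trusted: not checked
    ]
    return [check_arp(SAMPLE_CFG, *c) for c in cases]
```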