3Com S7906E Configuration Manual page 2057

S7900e family release 6600 series

Enabling ARP Detection Based on Static IP Source Guard Binding Entries/DHCP Snooping Entries/802.1X Security Entries/OUI MAC Addresses

With this feature enabled, the device compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP Source Guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses to prevent spoofing.

After you enable this feature for a VLAN:

- Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against the static IP Source Guard binding entries.
  - If a match is found, the ARP packet is considered valid and is forwarded.
  - If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded.
  - If no entry with a matching IP address is found, the device compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses. If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded.
- ARP detection based on OUI MAC addresses means that if the sender MAC address of the received ARP packet is an OUI MAC address and voice VLAN is enabled, the packet is considered valid.
- Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP packet.

Notes:

- Static IP Source Guard binding entries are created by using the user-bind command. For details, refer to IP Source Guard Configuration in the Security Volume.
- Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For details, refer to DHCP Configuration in the IP Service Volume.
- 802.1X security entries are generated by the 802.1X function. For details, refer to 802.1X Configuration in the Security Volume.

Follow these steps to enable ARP detection for a VLAN and specify a trusted port:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enable ARP detection for the VLAN | arp detection enable | Required. Disabled by default. |
| Return to system view | quit | - |
| Specify objects for ARP detection | arp detection validate { dst-mac \| ip \| src-mac } * | Required. Not specified by default. |
| Enter Ethernet interface view | interface interface-type interface-number | - |
| Configure the port as a trusted port on which ARP detection does not apply | arp detection trust | Optional. The port is an untrusted port by default. |
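
The checking order described in this section, modelled as an added Python example (it is not code from the manual or from the device). The VlanTables container, the function names, the sample entries, and the treatment of an OUI MAC address as a 24-bit prefix are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

def norm_mac(mac):
    """Reduce 0011-2233-4455 or 00:11:22:33:44:55 to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

def pairs(*entries):
    """Build a set of (ip, normalized_mac) pairs."""
    return {(ip, norm_mac(mac)) for ip, mac in entries}

@dataclass
class VlanTables:                      # hypothetical container, one per VLAN
    static_binds: set = field(default_factory=set)    # user-bind entries
    dhcp_snooping: set = field(default_factory=set)
    dot1x: set = field(default_factory=set)
    oui_prefixes: set = field(default_factory=set)    # assumed 24-bit prefixes
    voice_vlan: bool = False

def arp_verdict(t, sender_ip, sender_mac, trusted_port=False):
    """Return (action, reason) following the order given in this section."""
    if trusted_port:
        return ("forward", "trusted port, not checked")
    key = (sender_ip, norm_mac(sender_mac))
    if key in t.static_binds:
        return ("forward", "static binding match")
    if any(ip == sender_ip for ip, _ in t.static_binds):
        # A static entry owns this IP: later tables are never consulted.
        return ("discard", "static binding MAC mismatch")
    if key in t.dhcp_snooping:
        return ("forward", "DHCP snooping match")
    if key in t.dot1x:
        return ("forward", "802.1X match")
    if t.voice_vlan and key[1][:6] in t.oui_prefixes:
        return ("forward", "OUI MAC, voice VLAN enabled")
    return ("discard", "no matching entry")

# Constructed sample tables (not taken from any device).
TABLES = VlanTables(
    static_binds=pairs(("10.1.1.1", "0011-2233-4455")),
    dhcp_snooping=pairs(("10.1.1.1", "02aa-bbcc-ddee"), ("10.1.1.20", "0200-0000-0020")),
    oui_prefixes={"02abcd"},
    voice_vlan=True,
)

if __name__ == "__main__":
    for ip, mac in [("10.1.1.1", "02aa-bbcc-ddee"), ("10.1.1.20", "02:00:00:00:00:20"),
                    ("10.1.1.30", "02ab-cd00-0001"), ("10.1.1.40", "0200-0000-0040")]:
        print(ip, mac, *arp_verdict(TABLES, ip, mac))
```

The first sample packet is discarded even though a DHCP snooping entry matches it, because the static binding for the same IP address is checked first and its MAC address differs.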


This manual is also suitable for:

S7910e, S7906e-v, S7903e, S7903e-s, S7902e
