Enter system view
Enable the ARP active
Configuring ARP Detection
For information about DHCP snooping, refer to DHCP Configuration in the IP Services Volume.
For information about 802.1X, refer to 802.1X Configuration in the Security Volume.
Introduction to ARP Detection
The ARP detection feature allows only the ARP packets of legal clients to be forwarded.
Enabling ARP Detection Based on DHCP Snooping Entries/802.1x Security
Entries/Static IP-to-MAC Bindings
With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet
received from a VLAN against the DHCP snooping entries, 802.1X security entries, or static IP-to-MAC
binding entries. You can specify a detection type or types as needed.
After you enable ARP detection based on DHCP snooping entries for a VLAN,
Upon receiving an ARP packet from an ARP untrusted port, the device compares the ARP packet
against the DHCP snooping entries. If a match is found, that is, the parameters (such as IP address,
MAC addresses, port index, and VLAN ID) are consistent, the ARP packet passes the check; if not,
the ARP packet cannot pass the check.
Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP
If ARP detection is not enabled for the VLAN, the ARP packet is not checked even if it is received
from an ARP untrusted port.
ARP detection based on DHCP snooping entries involves both dynamic DHCP snooping entries and
static IP Source Guard binding entries. Dynamic DHCP snooping entries are automatically generated
through the DHCP snooping function. For details, refer to DHCP Configuration in the IP Service Volume.
Static IP Source Guard binding entries are created by using the user-bind command. For details, refer
to IP Source Guard Configuration in the Security Volume.
Use the command...
arp anti-attack active-ack enable
Disabled by default.