Table of Contents
Advertisement
Otherwise, the packet is considered invalid and discarded.
3)
After you enable ARP detection based on static IP-to-MAC bindings, the device, upon receiving an
ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of
the ARP packet against the static IP-to-MAC bindings.
If an entry with a matching IP address but a different MAC address is found, the ARP packet is
considered invalid and discarded.
If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid
and can pass the detection.
If no match is found, the ARP packet is considered valid and can pass the detection.
Follow these steps to enable ARP detection for a VLAN and specify a trusted port:
To do...
Enter system view
Enter VLAN view
Enable ARP detection for
the VLAN
Return to system view
Enter Ethernet interface
view
Configure the port as a
trusted port
Return to system view
Specify an ARP attack
detection mode
Configure a static
IP-to-MAC binding for ARP
detection
Use the command...
system-view
vlan vlan-id
arp detection enable
quit
interface interface-type
interface-number
arp detection trust
quit
arp detection mode
{ dhcp-snooping | dot1x |
static-bind } *
arp detection static-bind
ip-address mac-address
1-7
Remarks
—
—
Required
Disabled by default. That is, the ARP
packets received on all the ports in the
VLAN will not be checked.
—
—
Optional
The port is an untrusted port by
default.
—
Required
No ARP attack detection mode is
specified by default; that is, an ARP
packet is considered as an attack and
discarded.
Optional
Not configured by default.
If the ARP attack detection mode is
static-bind, you need to configure
static IP-to-MAC bindings for ARP
detection.
Advertisement
Chapters
Table of Contents
Troubleshooting
