Configuring Gratuitous ARP - H3C S5100-SI Series Operation Manual


Operation Manual – ARP
H3C S5100-SI/EI Series Ethernet Switches
Chapter 1 ARP Configuration

| To do... | Use the command... | Remarks |
|---|---|---|
| Configure the port as an ARP trusted port | arp detection trust | Optional. By default, a port is an ARP untrusted port. Generally, the upstream port of a switch is configured as a trusted port. |
| Quit to system view | quit | — |
| Enter VLAN view | vlan vlan-id | — |
| Enable the ARP attack detection function | arp detection enable | Required. By default, ARP attack detection is disabled on all ports. |
| Enable ARP restricted forwarding | arp restricted-forwarding enable | Optional. Disabled by default. The device forwards legal ARP packets through all its ports. |

Note:
- When most clients acquire IP addresses through DHCP and some clients use static IP addresses, you need to enable DHCP snooping and configure static IP binding entries on the switch. These functions can cooperate with ARP attack detection to check the validity of packets. For more information about DHCP snooping, refer to DHCP Operation in this manual.
- Generally, the uplink port of a switch is configured as a trusted port.
- Before enabling ARP restricted forwarding, make sure you have enabled ARP attack detection and configured ARP trusted ports.
- It is not recommended to configure ARP attack detection on the ports of an aggregation group.
- Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S5100-SI/EI series Ethernet switch is the same as the default VLAN ID of the port. If the VLAN tag of an ARP packet is different from the default VLAN ID of the receiving port, the ARP packet cannot pass the ARP attack detection based on the IP-to-MAC bindings.

1.3 Configuring Gratuitous ARP

Follow these steps to configure gratuitous ARP:
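Added example, not from the H3C manual: a simplified Python model of the ARP attack detection check described in the notes before section 1.3, showing why an ARP packet tagged with a VLAN other than the receiving port's default VLAN fails against a static IP-to-MAC binding. It assumes that packets arriving on trusted ports are not checked and that a packet passes only when its sender IP, sender MAC, receiving port and VLAN all match one binding; the port names and addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:  # one DHCP snooping entry or static IP-to-MAC binding
    ip: str
    mac: str
    port: str
    vlan: int

class ArpDetection:
    """Simplified model of the check; not the switch's actual implementation."""
    def __init__(self, pvid, trusted, detection_vlans):
        self.pvid = dict(pvid)             # port -> default VLAN ID
        self.trusted = set(trusted)        # ports set with "arp detection trust"
        self.vlans = set(detection_vlans)  # VLANs set with "arp detection enable"
        self.bindings = set()

    def add_snooped(self, ip, mac, port, vlan):
        self.bindings.add(Binding(ip, mac.lower(), port, vlan))
    def add_static(self, ip, mac, port):
        # Per the note: a static binding takes the port's default VLAN ID.
        self.bindings.add(Binding(ip, mac.lower(), port, self.pvid[port]))
    def check(self, sender_ip, sender_mac, in_port, vlan):
        if vlan not in self.vlans:
            return ("forward", "detection not enabled in this VLAN")
        if in_port in self.trusted:
            return ("forward", "trusted port, not checked")
        if Binding(sender_ip, sender_mac.lower(), in_port, vlan) in self.bindings:
            return ("forward", "matches a binding")
        return ("drop", "no matching binding")

def demo():
    # Constructed sample ports and addresses, not taken from the manual.
    sw = ArpDetection(pvid={"GE1/0/1": 10, "GE1/0/2": 10, "GE1/0/24": 10},
                      trusted=["GE1/0/24"], detection_vlans=[10, 20])
    sw.add_snooped("192.0.2.10", "00:00:5E:00:53:0A", "GE1/0/1", 10)
    sw.add_static("192.0.2.20", "00:00:5E:00:53:14", "GE1/0/2")
    packets = {
        "dhcp_client": ("192.0.2.10", "00:00:5e:00:53:0a", "GE1/0/1", 10),
        "static_host": ("192.0.2.20", "00:00:5e:00:53:14", "GE1/0/2", 10),
        "spoofed_ip": ("192.0.2.20", "00:00:5e:00:53:0a", "GE1/0/1", 10),
        "other_vlan": ("192.0.2.20", "00:00:5e:00:53:14", "GE1/0/2", 20),
        "from_uplink": ("192.0.2.1", "00:00:5e:00:53:01", "GE1/0/24", 10),
    }
    return {name: sw.check(*p) for name, p in packets.items()}

if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:12} {verdict:8} {reason}")
```

The "other_vlan" case is the one the note warns about: the host's address pair is correct, but the packet is dropped because its VLAN tag differs from the default VLAN ID stored with the static binding.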
