Release R.11.12 Enhancements
Supports additional checks to verify source MAC address, destination MAC address, and IP
ARP packets that contain invalid IP addresses or MAC addresses in their body that do not match
the addresses in the Ethernet header are dropped.
When dynamic ARP protection is enabled, only ARP request and reply packets with valid IP-to-MAC
address bindings in their packet header are relayed and used to update the ARP cache.
Dynamic ARP protection is implemented in the following ways on a switch:
You can configure dynamic ARP protection only from the CLI; you cannot configure this feature
from the web or menu interfaces.
Line rate—Dynamic ARP protection copies ARP packets to the switch CPU, evaluates the
packets, and then re-forwards them through the switch software. During this process, if ARP
packets are received at too high a line rate, some ARP packets may be dropped and will need to
The SNMP MIB, HP-ICF-ARP-PROTECT-MIB, is created to configure dynamic ARP protection
and to report ARP packet-forwarding status and counters.
Enabling Dynamic ARP Protection
To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp protect vlan
command at the global configuration level.
Syntax: [no] arp protect vlan [vlan-range]
An example of the arp protect vlan command is shown here:
ProCurve(config)# arp protect vlan 1-101
Configuring Trusted Ports
In a similar way to DHCP snooping, dynamic ARP protection allows you to configure VLAN interfaces
in two categories: trusted and untrusted ports. ARP packets received on trusted ports are forwarded
By default, all ports on a switch are untrusted. If a VLAN interface is untrusted:
The switch intercepts all ARP requests and responses on the port.
Each intercepted packet is checked to see if its IP-to-MAC binding is valid. If a binding is invalid,
the switch drops the packet.
Specifies a VLAN ID or a range of VLAN IDs from
one to 4094; for example, 1–200.