Enabling ARP Detection Based on DHCP Snooping Entries/802.1X Security Entries/Static IP-to-MAC Bindings
With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet 
received from the VLAN against the DHCP snooping entries, 802.1X security entries, or static 
IP-to-MAC binding entries. You can specify a detection type or types as needed. If all the detection 
types are specified, the system uses static IP-to-MAC binding entries first, then DHCP snooping 
entries, and then 802.1X security entries. 
1)  After you enable ARP detection based on DHCP snooping entries for a VLAN:
•  Upon receiving an ARP packet from an ARP untrusted port, the device compares the ARP packet 
against the DHCP snooping entries. If a match is found, that is, the parameters (such as IP 
address, MAC addresses, port index, and VLAN ID) are consistent, the ARP packet passes the 
check; if not, the ARP packet cannot pass the check. 
•  Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP 
packet. 
•  If ARP detection is not enabled for the VLAN, the ARP packet is not checked even if it is received 
from an ARP untrusted port. 
 
 
ARP detection based on DHCP snooping entries involves both dynamic DHCP snooping entries and 
static IP Source Guard binding entries. Dynamic DHCP snooping entries are automatically generated 
through the DHCP snooping function. For details, refer to DHCP Configuration in the IP Service 
Volume. Static IP Source Guard binding entries are created by using the user-bind command. For 
details, refer to IP Source Guard Configuration in the Security Volume. 
 
2)  After you enable ARP detection based on 802.1X security entries, the device, upon receiving an 
ARP packet from an ARP untrusted port, compares the ARP packet against the 802.1X security 
entries. 
•  If an entry with matching source IP and MAC addresses, port index, and VLAN ID is found, the 
ARP packet is considered valid. 
•  If an entry with no matching IP address but with a matching OUI MAC address is found, the ARP 
packet is considered valid. 
Otherwise, the packet is considered invalid and discarded. 
3)  After you enable ARP detection based on static IP-to-MAC bindings, the device, upon receiving an 
ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of 
the ARP packet against the static IP-to-MAC bindings. 
•  If an entry with a matching IP address but a different MAC address is found, the ARP packet is 
considered invalid and discarded. 
•  If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid 
and can pass the detection. 
•  If no match is found, the ARP packet is considered valid and can pass the detection. 
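The three checks above as a small Python model (an added example, not the vendor's code or configuration syntax). The tables, mode labels, port numbers and OUI list are constructed for illustration, and two points the text leaves open are assumptions: a packet that passes the static-binding check still goes on to the entry checks, and when both DHCP snooping and 802.1X are enabled the first table that matches accepts the packet.

```python
from collections import namedtuple

# Constructed sample tables; every name and value here is hypothetical.
Arp = namedtuple("Arp", "ip mac port vlan")
STATIC = {"10.0.0.1": "00:11:22:00:00:01"}               # static IP-to-MAC bindings
SNOOP = {Arp("10.0.0.20", "00:11:22:00:00:20", 3, 10)}   # DHCP snooping / user-bind entries
DOT1X = {Arp("10.0.0.30", "00:11:22:00:00:30", 4, 10)}   # 802.1X security entries
OUIS = {"00:e0:bb"}            # assumed OUI list consulted by the 802.1X check
TRUSTED_PORTS = {1}
DETECTION_VLANS = {10}

def static_ok(p):
    """Only a binding with the same IP but a different MAC rejects the packet."""
    bound = STATIC.get(p.ip)
    return bound is None or bound == p.mac

def dot1x_ok(p):
    """Full entry match, or no entry for the IP but a source MAC with a listed OUI."""
    if p in DOT1X:
        return True
    ip_known = any(e.ip == p.ip for e in DOT1X)
    return not ip_known and p.mac[:8] in OUIS

def arp_detect(p, modes):
    """Return 'forward' or 'discard' for ARP packet p under the enabled modes."""
    if p.vlan not in DETECTION_VLANS:
        return "forward"                  # detection not enabled for the VLAN
    if "static-bind" in modes and not static_ok(p):
        return "discard"                  # applies to trusted and untrusted ports
    if p.port in TRUSTED_PORTS:
        return "forward"                  # entry checks skip trusted ports
    entry_checks = [m for m in ("dhcp-snooping", "dot1x") if m in modes]
    if not entry_checks:
        return "forward"                  # only the static check was enabled
    # Assumption: the first enabled entry table that matches accepts the packet.
    for mode in entry_checks:
        if (mode == "dhcp-snooping" and p in SNOOP) or (mode == "dot1x" and dot1x_ok(p)):
            return "forward"
    return "discard"
```

Note the asymmetry the model makes visible: an address absent from the static bindings passes that check, so static bindings alone protect only the addresses they list, while the entry-based checks discard anything they cannot match.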
Follow these steps to enable ARP detection for a VLAN and specify a trusted port: