1-6
z Static ARP entries are valid as long as the Ethernet switch operates normally. But some operations,
such as removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP
entries invalid and therefore removed automatically.
z As for the arp static command, the value of the vlan-id argument must be the ID of an existing
VLAN, and the port identified by the interface-type and interface-number arguments must belong to
the VLAN.
z Currently, static ARP entries cannot be configured on the ports of an aggregation group.
Configuring ARP Attack Detection
Follow these steps to configure the ARP attack detection function:
To do… Use the command… Remarks
Enter system view
system-view
—
Create a static binding
ip source static binding
ip-address ip-address
[ mac-address mac-address ]
Enable DHCP snooping
dhcp-snooping
Required
Use at least one of the
commands.
By default, no IP static binding
is created, and the DHCP
snooping function is disabled.
Enter Ethernet port view
interface interface-type
interface-number
—
Specify the current port as a
trusted port
dhcp-snooping trust
Optional
After DHCP snooping is
enabled, you need to configure
the upstream port connected to
the DHCP server as a trusted
port.
Configure the port as an ARP
trusted port
arp detection trust
Optional
By default, a port is an ARP
untrusted port.
Generally, the upstream port of
a switch is configured as a
trusted port.
Quit to system view
quit
—
Enter VLAN view
vlan vlan-id
—
Enable the ARP attack
detection function
arp detection enable
Required
By default, ARP attack
detection is disabled on all
ports.
Enable ARP restricted
forwarding
arp restricted-forwarding
enable
Optional
Disabled by default.
The device forwards legal ARP
packets through all its ports.
To Next Page
Loading...
