3-7
To do… Use the command… Remarks
Enter system view
system-view
—
Enter VLAN view
vlan vlan-id
—
Enable ARP detection for the
VLAN
arp detection enable
Required
Disabled by default. That is, ARP
detection based on DHCP snooping
entries/802.1X security entries/static
IP-to-MAC bindings is not enabled by
default.
Return to system view
quit
—
Enter Ethernet interface view
interface interface-type
interface-number
—
Configure the port as a
trusted port
arp detection trust
Optional
The port is an untrusted port by default.
Return to system view
quit
—
Specify an ARP attack
detection mode
arp detection mode
{ dhcp-snooping |
dot1x | static-bind }
Required
No ARP attack detection mode is
specified by default; that is, all packets
are considered to be invalid by default.
Configure a static IP-to-MAC
binding for ARP detection
arp detection
static-bind ip-address
mac-address
Optional
Not configured by default.
If the ARP attack detection mode is
static-bind, you need to configure static
IP-to-MAC bindings for ARP detection.
z If all the detection types are specified, the system uses IP-to-MAC bindings first, then DHCP
snooping entries, and then 802.1X security entries. If an ARP packet fails to pass ARP detection
based on static IP-to-MAC bindings, it is discarded. If the packet passes this detection, it will be
checked against DHCP snooping entries. If a match is found, the packet is considered to be valid
and will not be checked against 802.1X security entries; otherwise, the packet is checked against
802.1X security entries. If a match is found, the packet is considered to be valid; otherwise, the
packet is discarded.
z Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP snooping
is enabled.
z Before enabling ARP detection based on 802.1X security entries, make sure that 802.1X is
enabled and the 802.1X clients are configured to upload IP addresses.
To Next Page
Loading...
Need help?
General