3-7
To do… Use the command… Remarks
Enter system view
system-view
—
Enter VLAN view
vlan vlan-id
—
Enable ARP detection for the
VLAN
arp detection enable
Required
Disabled by default. That is, ARP
detection based on DHCP snooping
entries/802.1X security entries/static
IP-to-MAC bindings is not enabled by
default.
Return to system view
quit
—
Enter Ethernet interface view
interface interface-type
interface-number
—
Configure the port as a
trusted port
arp detection trust
Optional
The port is an untrusted port by default.
Return to system view
quit
—
Specify an ARP attack
detection mode
arp detection mode
{ dhcp-snooping |
dot1x | static-bind }
Required
No ARP attack detection mode is
specified by default; that is, all packets
are considered to be invalid by default.
Configure a static IP-to-MAC
binding for ARP detection
arp detection
static-bind ip-address
mac-address
Optional
Not configured by default.
If the ARP attack detection mode is
static-bind, you need to configure static
IP-to-MAC bindings for ARP detection.
z If all the detection types are specified, the system uses IP-to-MAC bindings first, then DHCP
snooping entries, and then 802.1X security entries. If an ARP packet fails to pass ARP detection
based on static IP-to-MAC bindings, it is discarded. If the packet passes this detection, it will be
checked against DHCP snooping entries. If a match is found, the packet is considered to be valid
and will not be checked against 802.1X security entries; otherwise, the packet is checked against
802.1X security entries. If a match is found, the packet is considered to be valid; otherwise, the
packet is discarded.
z Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP snooping
is enabled.
z Before enabling ARP detection based on 802.1X security entries, make sure that 802.1X is
enabled and the 802.1X clients are configured to upload IP addresses.
To Next Page
Loading...
