NOTE:
• Static IP source guard binding entries are created by using the ip source binding command. For more
information, see the chapter “IP source guard configuration.”
• Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For
more information, see Layer 3—IP Services Configuration Guide.
• 802.1X security entries are generated in this case. After a client passes 802.1X authentication and
uploads its IP address to an ARP detection enabled device, the device automatically generates an
802.1X security entry. Therefore, the 802.1X client must be able to upload its IP address to the device. For
more information, see the chapter “802.1X configuration.”
• For more information about voice VLANs and OUI MAC addresses, see Layer 2—LAN Switching
Configuration Guide.
Follow these steps to enable ARP detection for a VLAN and specify a trusted port:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter VLAN view | vlan vlan-id | — |
| Enable ARP detection for the VLAN | arp detection enable | Required. ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses is disabled by default. |
| Return to system view | quit | — |
| Enter Layer 2 Ethernet interface/Layer 2 aggregate interface view | interface interface-type interface-number | — |
| Configure the port as a trusted port on which ARP detection does not apply | arp detection trust | Optional. The port is an untrusted port by default. |
NOTE:
When configuring this feature, you need to configure ARP detection based on at least static IP source
guard binding entries, DHCP snooping entries, or 802.1X security entries. Otherwise, all ARP packets
received from an ARP untrusted port will be discarded, except the ARP packets with an OUI MAC address
as the sender MAC address when voice VLAN is enabled.
Configuring ARP detection based on specified objects
With this feature configured, the device permits the ARP packets received from an ARP trusted port, and
checks the ARP packets received from an ARP untrusted port. You can specify objects in the ARP packets
to be checked. The objects include:
• src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC
address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet
is discarded.
• dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero,
all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is
considered invalid and discarded.
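The src-mac and dst-mac checks described above, applied to raw Ethernet frames in Python. This is an added example, not code from the guide or the device; the names check_arp_frame, mac and build, the sample addresses, and the handling of malformed frames are assumptions, and only these two objects are covered.

```python
import struct
ZERO_MAC, ONES_MAC = b"\x00" * 6, b"\xff" * 6
ARP_REPLY = 2

def check_arp_frame(frame, trusted=False, objects=("src-mac", "dst-mac")):
    """Return (forward, reason) for an untagged Ethernet II frame carrying ARP."""
    if trusted:
        return True, "trusted port: permitted without checks"
    if len(frame) < 42:
        return False, "malformed: too short"  # assumption: drop malformed frames
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        return True, "not ARP: outside the scope of this check"
    _, _, hlen, plen, oper, sha, _, tha, _ = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (hlen, plen) != (6, 4):
        return False, "malformed: not Ethernet/IPv4 ARP"  # assumption, as above
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC.
    if "src-mac" in objects and sha != eth_src:
        return False, "src-mac: sender MAC differs from Ethernet source"
    # dst-mac: applies to ARP replies only.
    if "dst-mac" in objects and oper == ARP_REPLY:
        if tha in (ZERO_MAC, ONES_MAC):
            return False, "dst-mac: target MAC is all-zero or all-one"
        if tha != eth_dst:
            return False, "dst-mac: target MAC differs from Ethernet destination"
    return True, "passed"

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build(eth_dst, eth_src, oper, sha, tha):
    """Build a constructed ARP frame; the IP fields are fixed sample values."""
    return (mac(eth_dst) + mac(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + mac(sha) + bytes((10, 0, 0, 2)) + mac(tha) + bytes((10, 0, 0, 1)))

# Constructed sample frames (locally administered MACs, not from the guide).
A, B, X = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:66"
SAMPLES = {
    "valid reply": build(A, B, 2, B, A),
    "sender MAC spoofed": build(A, B, 2, X, A),
    "reply with zero target": build(A, B, 2, B, "00:00:00:00:00:00"),
    "reply with wrong target": build(A, B, 2, B, X),
    "broadcast request": build("ff:ff:ff:ff:ff:ff", B, 1, B, "00:00:00:00:00:00"),
}
if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:24} -> {check_arp_frame(frame)}")
```

The broadcast request passes even though its target MAC is all-zero, because the dst-mac object is applied to ARP replies only.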