280
NOTE:
You can enable ARP gateway protection for up to eight gateways on a port.
Commands arp filter source and arp filter binding cannot be both configured on a port.
If ARP gateway protection works with ARP detection, ARP gateway protection applies first.
ARP gateway protection configuration example
Network requirements
As shown in Figure 87, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that
Switch B intends to send to Switch A is sent to Host B.
Configure Switch B to block such attacks.
Figure 87 Network diagram for ARP gateway protection configuration
Switch A
Switch B
Host A Host B
Gateway
GE1/0/1
GE1/0/3
GE1/0/2
10.1.1.1/24
Configuration procedure
# Configure ARP gateway protection on Switch B.
<SwitchB> system-view
[SwitchB] interface GigabitEthernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface GigabitEthernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter source 10.1.1.1
After the configuration is complete, Switch B will discard the ARP packets whose source IP address is that
of the gateway.
Configuring ARP filtering
Introduction
To prevent gateway spoofing and user spoofing, the ARP filtering feature controls the forwarding of ARP
packets on a port.
To Next Page
Loading...
