309
NOTE:
• Static IP Source Guard binding entries are created by using the user-bind command. For more
information, see the chapter "IP source guard configuration."
• Dynamic DHCP snooping entries are automatically generated through the DHCP snoopin
function. Fo
more information, see the
Layer 3—IP Services Configuration Guide
.
• 802.1X security entries are generated by the 802.1X function. For more information, see the chapter
"802.1X configuration."
• For more information about voice VLANs and QUI MAC addresses, see the
Layer 2—LAN Switching
Configuration Guide
.
Follow these steps to enable ARP detection for a VLAN and specify a trusted port:
To do… Use the command…
Remarks
Enter system view system-view —
Enter VLAN view vlan vlan-id —
Enable ARP detection for the
VLAN
arp detection enable
Required
ARP detection based on static IP Source
Guard binding entries/DHCP snooping
entries/802.1X security entries/OUI MAC
addresses is not enabled by default.
Return to system view quit —
Enter Layer 2 Ethernet port
view/Layer 2 aggregate
interface view
interface interface-type
interface-number
—
Configure the port as a
trusted port on which ARP
detection does not apply
arp detection trust
Optional
The port is an untrusted port by default.
NOTE:
• When configuring this feature, you need to configure ARP detection based on at least static IP Source
Guard binding entries, DHCP snooping entries, or 802.1X security entries. Otherwise, all ARP packets
received from an ARP untrusted port will be discarded, except the ARP packets with an OUI MAC
address as the sender MAC address when voice VLAN is enabled.
• When configuring an IP Source Guard binding entry, you need to specify the VLAN; otherwise, no ARP
packet will pass the ARP detection based on static IP Source Guard binding entries.
Configuring ARP detection based on specified objects
With this feature configured, the switch permits the ARP packets received from an ARP trusted port to pass
directly, and checks the ARP packets received from an ARP untrusted port. You can specify objects in the
ARP packets to be detected. The objects involve:
• src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC
address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet
is discarded.
• dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero,
all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is
considered invalid and discarded.
To Next Page
Loading...
