[SwitchB-GigabitEthernet1/0/2] user-bind ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[SwitchB-GigabitEthernet1/0/2] quit
# Enable the checking of the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[SwitchB] port-isolate group 2
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port-isolate enable group 2
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port-isolate enable group 2
[SwitchB-GigabitEthernet1/0/2] quit
After the preceding configurations are complete, when ARP packets arrive at interfaces GigabitEthernet
1/0/1 and GigabitEthernet 1/0/2, their MAC and IP addresses are checked, and then the packets are
checked against the static IP Source Guard binding entries and finally the DHCP snooping entries. However,
ARP broadcast requests sent from Host A pass the check on Switch B and are still flooded to Host B, so
port isolation fails.
# Configure ARP restricted forwarding.
[SwitchB] vlan 10
[SwitchB-vlan10] arp restricted-forwarding enable
[SwitchB-vlan10] quit
Then, Switch B forwards ARP broadcast requests from Host A to Switch A through the trusted port
GigabitEthernet 1/0/3, and thus Host B cannot receive such packets. Port isolation works normally.
Configuring ARP gateway protection
Introduction
The ARP gateway protection feature, if configured on ports not connected with the gateway, can block
gateway spoofing attacks.
When such a port receives an ARP packet, it checks whether the sender IP address in the packet is
consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet
normally.
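As an added example (not taken from this guide), the following Python models the two checks described above: the per-field validation applied by arp detection validate dst-mac ip src-mac, and the sender-IP filter applied by ARP gateway protection (arp filter source). It parses a constructed Ethernet/ARP frame and returns the switch's drop decision; the function names and the protected-gateway set are assumptions for illustration.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {"eth_dst": frame[0:6], "eth_src": frame[6:12], "op": op,
            "sha": frame[22:28], "spa": IPv4Address(frame[28:32]),
            "tha": frame[32:38], "tpa": IPv4Address(frame[38:42])}

def bad_ip(ip: IPv4Address) -> bool:
    # "ip" check: all-zero, all-one and multicast addresses are invalid
    return ip in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or ip.is_multicast

def validate(p: dict, dst_mac=True, ip=True, src_mac=True) -> Optional[str]:
    """Model of 'arp detection validate': return the drop reason, or None if the packet passes."""
    if src_mac and p["sha"] != p["eth_src"]:
        return "src-mac: sender MAC differs from Ethernet source MAC"
    # "ip" applies to the sender IP of requests and to sender and target IPs of replies
    if ip and (bad_ip(p["spa"]) or (p["op"] == ARP_REPLY and bad_ip(p["tpa"]))):
        return "ip: invalid sender/target IP address"
    # "dst-mac" applies to replies only: target MAC must be unicast and match the frame destination
    if dst_mac and p["op"] == ARP_REPLY and (
            p["tha"] in (ZERO_MAC, BROADCAST_MAC) or p["tha"] != p["eth_dst"]):
        return "dst-mac: target MAC invalid or differs from Ethernet destination MAC"
    return None

def gateway_protect(p: dict, protected_gateways: set) -> bool:
    """Model of 'arp filter source': True means drop, because the sender IP claims a protected gateway."""
    return str(p["spa"]) in protected_gateways

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build a constructed ARP frame (test input only)."""
    return (eth_dst + eth_src + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed)
```

The checks run in the order a user-side port applies them here; a frame that survives all of them would then be matched against the IP Source Guard and DHCP snooping bindings described earlier.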
Configuration procedure
Follow these steps to configure ARP gateway protection:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Layer 2 Ethernet port view / Layer 2 aggregate interface view | interface interface-type interface-number | — |
| Enable ARP gateway protection for a specified gateway | arp filter source ip-address | Required. Disabled by default. |