379
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter VLAN view.
vlan vlan-id N/A
3. Enable ARP detection for the
VLAN.
arp detection enable Disabled by default.
4. Return to system view.
quit N/A
5. Enable ARP packet validity
check and specify the objects to
be checked.
arp detection validate { dst-mac | ip |
src-mac } *
Disabled by default.
6. Enter Layer 2 Ethernet
port/Layer 2 aggregate
interface view.
interface interface-type
interface-number
N/A
7. Configure the port as a trusted
port on which ARP detection
does not apply.
arp detection trust
Optional.
The port is an untrusted port
by default.
Configuring ARP restricted forwarding
ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted ports
and have passed ARP detection in the following cases:
• If the packets are ARP requests, they are forwarded through the trusted ports.
• If the packets are ARP responses, they are forwarded according to their destination MAC address.
If no match is found in the MAC address table, they are forwarded through the trusted ports.
Before performing the following configuration, make sure you have configured the arp detection enable
command.
To enable ARP restricted forwarding:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter VLAN view.
vlan vlan-id N/A
3. Enable ARP restricted forwarding.
arp restricted-forwarding enable Disabled by default
Configuring the ARP detection logging function
The ARP detection logging function enables a device to generate ARP detection log messages when ARP
packet attacks are detected. An ARP detection log message can include the following information:
• Receiving interface of the ARP packets.
• Sender IP address.
• Total number of ARP packets dropped.
The following is an example of an ARP detection log message:
Detected an inspection occurred on interface GigabitEthernet 1/0/1 with IP address
172.18.48.55 (Totally 10 packets dropped).
To Next Page
Loading...
Need help?
General
