Configuring Advanced Threat Protection
Dynamic ARP Protection
Figure 11-9. Configuring Trusted Ports for Dynamic ARP Protection
Take into account the following configuration guidelines when you use 
dynamic ARP protection in your network:
■ You should configure ports connected to other switches in the network 
as trusted ports. In this way, all network switches can exchange ARP 
packets and update their ARP caches with valid information.
■ Switches that do not support dynamic ARP protection should be
separated by a router in their own Layer 2 domain. Because ARP packets do
not cross Layer 2 domains, the unprotected switches cannot unknowingly
accept ARP packets from an attacker and forward them to protected
switches through trusted ports.
To configure one or more Ethernet interfaces that handle VLAN traffic as 
trusted ports, enter the arp-protect trust command at the global configuration 
level. The switch does not check ARP requests and responses received on a 
trusted port. 
An example of the arp-protect trust command is shown here:
HP Switch(config)# arp-protect trust b1-b4, d1
Syntax: [no] arp-protect trust <port-list>

port-list    Specifies a port number or a range of port numbers.
             Separate individual port numbers or ranges of port
             numbers with a comma; for example: c1-c3, c6.