417
1. Enter system view.
system-view
N/A
2.
Enable ARP packet source MAC
address consistency check.
arp valid-check enable
By default, ARP packet source
check is disabled.
Configuring ARP active acknowledgement
Configure this feature on gateways to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
In strict mode, a gateway performs more strict validity checks before creating an ARP entry:
• Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but
does not create an ARP entry.
• Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP
address:
ï‚¡ If yes, the gateway performs active acknowledgement. When the ARP reply is verified as
valid, the gateway creates an ARP entry.
ï‚¡ If no, the gateway discards the packet.
To configure ARP active acknowledgement:
1. Enter system view.
N/A
2.
acknowledgement feature.
arp active-ack
[
strict
]
enable
By default, this feature is disabled.
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP
server or dynamic client entries on the DHCP relay agent. For more information about DHCP server
and DHCP relay agent, see Layer 3—IP Services Configuration Guide.
With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries. This
feature prevents user spoofing and allows only authorized clients to access network resources.
Configuration procedure
To enable authorized ARP:
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
The device supports the following
interface types:
• Layer 3 Ethernet interface.
• Layer 3 aggregate interface.
• VLAN interface.
To Next Page
Loading...
Need help?
General