422
2. Enter VLAN view.
vlan
vlan-id N/A
3. Enable ARP attack detection.
arp detection enable
By default, ARP attack detection is
disabled.
4. Return to system view.
quit
N/A
5. Enable ARP packet validity check
and specify the objects to be
checked.
{
dst-mac
|
ip
|
src-mac
}
*
By default, ARP pac
check is disabled.
6. Enter Layer 2 Ethernet interface
view or Layer 2 aggregate
interface view.
interface
interface-type
interface-number
N/A
7. (Optional.) Configure the interface
as a trusted interface excluded
from ARP attack detection.
arp detection trust
By default, an interface is untrusted.
Configuring ARP restricted forwarding
ARP restricted forwarding
does not apply to ARP packets with multiport MAC as their destination
ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted
interfaces and have passed user validity check as follows:
• If the packets are ARP requests, they are forwarded through the trusted interface.
• If the packets are ARP replies, they are forwarded according to their destination MAC address.
If no match is found in the MAC address table, they are forwarded through the trusted interface.
Configure user validity check before you configure ARP restricted forwarding.
To enable ARP restricted forwarding:
1. Enter system view.
N/A
2. Enter VLAN view.
vlan
vlan-id N/A
3. Enable ARP restricted forwarding.
arp restricted-forwarding
By default, ARP restricted
forwarding is disabled.
Enabling ARP attack detection logging
This feature is available in Release 1121 and later.
The ARP attack detection logging feature enables a device to generate ARP attack detection log
messages when illegal ARP packets are detected. An ARP attack detection log message contains
the following information:
1. Receiving interface of the ARP packets.
2. Sender IP address.
3. Total number of dropped ARP packets.
To Next Page
Loading...
Need help?
General