428
Configuration example
Network requirements
As shown in Figure 128, Host B launches gateway spoofing attacks to Switch B. As a result, traffic
that Switch B intends to send to Switch A is sent to Host B.
Configure Switch B to block such attacks.
Figure 128 Network diagram
Configuration procedure
# Configure ARP gateway protection on Switch B.
<SwitchB> system-view
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] arp filter source 10.1.1.1
Verifying the configuration
# Verify that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 discard the incoming ARP packets
whose sender IP address is the IP address of the gateway.
Configuring ARP filtering
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP
packet against permitted entries. If a match is found, the packet is handled correctly. If not, the
packet is discarded.
Configuration guidelines
Follow these guidelines when you configure ARP filtering:
• You can configure a maximum of eight permitted entries on an interface.
• Do not configure both the arp filter source and arp filter binding commands on an interface.
Switch A
Switch B
Host A Host B
Gateway
GE1/0/1
GE1/0/3
GE1/0/2
10.1.1.1/24
To Next Page
Loading...
Need help?
General