Configuration Guide Configuring ARP Check
5.2.1 Filtering ARP Packets in Networks
Scenario
Check ARP packets received on distrusted ports and filter out ARP packets whose addresses do not match the addresses assigned by the
DHCP server.
For example, in the following figure, the ARP packets sent by DHCP clients are checked.
The port receiving an ARP packet, the source MAC address of the packet, and the source IP address of the packet
must all be consistent with the snooped DHCP-assigned records.
Figure 5-2
S is an access device.
A and C are user PCs.
Deployment
Enable DHCP Snooping on S to monitor DHCP exchanges.
Set all the downlink ports on S as DHCP distrusted ports.
Enable IP Source Guard and ARP Check on all distrusted ports on S to filter ARP packets.
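The check described in this scenario, sketched in Python as an added example (it is not the device's implementation or code from this guide). The port names, MAC and IP addresses, and the choice to drop malformed ARP payloads are assumptions made for illustration.

```python
import ipaddress
import struct

# Constructed snooping records: ingress port -> (MAC, IP) pairs learned by DHCP Snooping.
BINDINGS = {
    "Gi0/1": {("00:11:22:33:44:0a", "192.168.1.10")},  # PC A (assumed values)
    "Gi0/3": {("00:11:22:33:44:0c", "192.168.1.12")},  # PC C (assumed values)
}
TRUSTED_PORTS = {"Gi0/24"}  # assumed uplink; only distrusted ports are checked


def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    mac = ":".join(f"{b:02x}" for b in payload[8:14])
    ip = str(ipaddress.IPv4Address(payload[14:18]))
    return mac, ip


def arp_check(port: str, payload: bytes) -> bool:
    """True = forward; False = filter out. Port, source MAC and source IP must all match."""
    if port in TRUSTED_PORTS:
        return True
    try:
        sender = parse_arp(payload)
    except ValueError:
        return False  # assumption: malformed ARP on a distrusted port is dropped
    return sender in BINDINGS.get(port, set())


def build_arp(mac: str, ip: str, target_ip: str, oper: int = 1) -> bytes:
    """Build a constructed ARP payload (request by default) for testing the check."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + bytes.fromhex(mac.replace(":", ""))
            + ipaddress.IPv4Address(ip).packed
            + bytes(6)  # target MAC left as zeros
            + ipaddress.IPv4Address(target_ip).packed)


if __name__ == "__main__":
    # PC A claiming an IP it was never assigned: filtered out.
    spoof = build_arp("00:11:22:33:44:0a", "192.168.1.1", "192.168.1.12", oper=2)
    print("Gi0/1 spoofed reply forwarded:", arp_check("Gi0/1", spoof))
```

A packet that carries PC C's valid MAC and IP pair is still filtered if it arrives on PC A's port, because the receiving port is part of the record being matched.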
5.3 Features
Basic Concepts
Compatible Security Modules
Currently, ARP Check supports the following security modules:
IP-based mode: port security, and static configuration of IP Source Guard.
IP-MAC based mode: port security, global IP+MAC binding, 802.1X authorization, IP Source Guard,
GSN binding, and Web authentication.
Two Modes of ARP Check