Enabling ARP detection in SVLANs, Configuring an uplink policy – H3C Technologies H3C S7500E Series Switches User Manual
Enabling ARP detection in SVLANs
The ARP detection function enables a switch to modify the VLAN attributes of ARP packets, which is
impossible under the normal ARP packet processing procedure. For more information about ARP
detection, see ARP Attack Protection Configuration in the Security Configuration Guide.
Follow these steps to enable ARP detection in all SVLANs:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter VLAN view | vlan vlan-id | — |
| Enable ARP detection | arp detection enable | Required. Disabled by default. |
To defend against ARP attacks, also enable ARP detection in all CVLANs.
Configuring an uplink policy
Follow these steps to configure an uplink policy to map a group of CVLANs to one SVLAN:
| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Create a class and enter class view | traffic classifier tcl-name operator or | Required. Repeat these steps to configure one class for each group of CVLANs. |
| Configure multiple CVLANs as match criteria | if-match customer-vlan-id { vlan-id-list \| vlan-id1 to vlan-id2 } | |
| Return to system view | quit | |
| Create a traffic behavior and enter traffic behavior view | traffic behavior behavior-name | Required. Repeat these steps to configure one behavior for each SVLAN. |
| Configure an SVLAN marking action | remark service-vlan-id vlan-id | |
| Return to system view | quit | |
| Create a QoS policy and enter QoS policy view | qos policy policy-name | Required |
| Map the CVLANs to the SVLAN by associating the class with the behavior | classifier tcl-name behavior behavior-name mode dot1q-tag-manipulation | Required. Repeat this step to create other CVLANs-to-SVLAN mappings. |
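
An added example, not from the H3C manual: a Python check that reads configuration text and reports the CVLANs matched by if-match customer-vlan-id and the SVLANs set by remark service-vlan-id that lack arp detection enable in their VLAN view. The sample configuration and its section layout are constructed assumptions, as are the names c1, b1, b2 and the functions expand_vlans and audit_arp_detection.

```python
import re

# Constructed sample in the style of a saved configuration (assumed layout:
# one section per object, indented sub-commands). Not taken from the manual.
SAMPLE_CONFIG = """\
vlan 10
 arp detection enable
vlan 11
vlan 12
 arp detection enable
vlan 100
 arp detection enable
vlan 200
traffic classifier c1 operator or
 if-match customer-vlan-id 10 to 12
traffic behavior b1
 remark service-vlan-id 100
traffic behavior b2
 remark service-vlan-id 200
"""

def expand_vlans(spec):
    """Expand 'id1 to id2' or a space-separated ID list into a set of ints."""
    tokens = spec.split()
    if len(tokens) == 3 and tokens[1] == "to":
        return set(range(int(tokens[0]), int(tokens[2]) + 1))
    return {int(t) for t in tokens}

def audit_arp_detection(config):
    """Return (cvlans, svlans) that the policy uses but that lack ARP detection."""
    cvlans, svlans, protected = set(), set(), set()
    current_vlan = None
    for line in config.splitlines():
        if not line.startswith(" "):          # a new top-level section begins
            m = re.fullmatch(r"vlan (\d+)", line.strip())
            current_vlan = int(m.group(1)) if m else None
            continue
        cmd = line.strip()
        if cmd == "arp detection enable" and current_vlan is not None:
            protected.add(current_vlan)
        elif cmd.startswith("if-match customer-vlan-id "):
            cvlans |= expand_vlans(cmd[len("if-match customer-vlan-id "):])
        elif cmd.startswith("remark service-vlan-id "):
            svlans.add(int(cmd.split()[-1]))
    return sorted(cvlans - protected), sorted(svlans - protected)

if __name__ == "__main__":
    missing_c, missing_s = audit_arp_detection(SAMPLE_CONFIG)
    print("CVLANs without ARP detection:", missing_c)
    print("SVLANs without ARP detection:", missing_s)
```

On the constructed sample the check flags CVLAN 11 and SVLAN 200, the two VLANs referenced by the mapping whose VLAN view has no arp detection enable line.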