H3C Technologies H3C S7500E Series Switches User Manual

Configuring ARP Detection Based on Specified Objects

With this feature configured, the device permits the ARP packets received from an ARP trusted port to pass directly, and checks the ARP packets received from an ARP untrusted port. You can specify objects in the ARP packets to be detected. The available objects are:

- src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet is discarded.

- dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

- ip: Checks both the source and destination IP addresses in an ARP packet. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this object specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests are checked.
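
The three checks above, written out as an added Python example (not H3C's code and not part of the manual). It assumes untagged Ethernet II frames; the function names, MAC addresses and sample frames are constructed for illustration.

```python
import ipaddress
import struct

ARP_REPLY = 2
ZERO_MAC, ONES_MAC = bytes(6), b"\xff" * 6

def parse_arp(frame):
    """Split an untagged Ethernet II frame carrying IPv4 ARP into its fields."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an ARP frame")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    # Skip htype/ptype/hlen/plen (6 bytes), then opcode, sender and target pairs.
    oper, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    return dict(eth_dst=eth_dst, eth_src=eth_src, oper=oper,
                sha=sha, spa=spa, tha=tha, tpa=tpa)

def bad_ip(raw):
    """All-zero, all-one and multicast addresses are invalid."""
    return raw in (bytes(4), b"\xff" * 4) or ipaddress.IPv4Address(raw).is_multicast

def validate(frame, objects):
    """Return the names of the checks that fail; an empty list means forward."""
    p, failed = parse_arp(frame), []
    if "src-mac" in objects and p["sha"] != p["eth_src"]:
        failed.append("src-mac")
    # dst-mac applies to ARP replies only.
    if "dst-mac" in objects and p["oper"] == ARP_REPLY and (
            p["tha"] in (ZERO_MAC, ONES_MAC) or p["tha"] != p["eth_dst"]):
        failed.append("dst-mac")
    if "ip" in objects:
        # Replies: sender and target IP. Requests: sender IP only.
        ips = [p["spa"], p["tpa"]] if p["oper"] == ARP_REPLY else [p["spa"]]
        if any(bad_ip(a) for a in ips):
            failed.append("ip")
    return failed

def build(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Construct a sample frame (test data, not captured traffic)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    return (mac(eth_dst) + mac(eth_src)
            + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

A, B, GW = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"
ALL = {"src-mac", "dst-mac", "ip"}
GOOD_REPLY = build(A, B, 2, B, "192.0.2.11", A, "192.0.2.10")
FORGED_SENDER = build(A, B, 2, GW, "192.0.2.1", A, "192.0.2.10")
BAD_REPLY = build(A, B, 2, B, "224.0.0.1", "00:00:00:00:00:00", "192.0.2.10")
REQUEST = build("ff:ff:ff:ff:ff:ff", B, 1, B, "192.0.2.11", "00:00:00:00:00:00", "192.0.2.10")
```

The broadcast request passes with an all-zero target MAC because dst-mac is applied to replies only, and a check that is not in the specified set is never run.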

Follow these steps to configure ARP detection based on specified objects:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter VLAN view | vlan vlan-id | |
| Enable ARP detection for the VLAN | arp detection enable | Required. Disabled by default. |
| Return to system view | quit | |
| Specify objects for ARP detection | arp detection validate { dst-mac \| ip \| src-mac } * | Required. Not specified by default. |
| Enter Ethernet interface view | interface interface-type interface-number | |
| Configure the port as a trusted port on which ARP detection does not apply | arp detection trust | Optional. The port is an untrusted port by default. |

Enabling ARP Detection Based on Static IP Source Guard Binding Entries/DHCP Snooping Entries/802.1X Security Entries/OUI MAC Addresses

With this feature enabled, the device compares the sender IP and MAC addresses of an ARP packet received from the VLAN against the static IP Source Guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses to prevent spoofing.

After you enable this feature for a VLAN,

- Upon receiving an ARP packet from an ARP untrusted port, the device compares the sender IP and MAC addresses of the ARP packet against the static IP Source Guard binding entries. If a