Configuring authorized arp, Configuration procedure, Configuring arp detection – H3C Technologies H3C S6300 Series Switches User Manual
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable the ARP active acknowledgement feature. | arp active-ack [ strict ] enable | By default, the ARP active acknowledgement feature is disabled.
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or
dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP
relay agent, see Layer 3—IP Services Configuration Guide.
With authorized ARP enabled, the interface stops learning dynamic ARP entries, which prevents user
spoofing and allows only authorized clients to access network resources.
Configuration procedure
To enable authorized ARP:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter VLAN interface view. | interface interface-type interface-number | N/A
3. Enable authorized ARP on the interface. | arp authorized enable | By default, authorized ARP is disabled.
Configuring ARP detection
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user
spoofing and gateway spoofing attacks. ARP detection does not check ARP packets received from ARP
trusted ports.
ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding
functions.
If both ARP packet validity check and user validity check are enabled, ARP packet validity check is
performed first, followed by user validity check.
Configuring user validity check
Upon receiving an ARP packet from an ARP untrusted interface, the device matches the sender IP and
MAC addresses with the following entries:
• Static IP source guard binding entries
• DHCP snooping entries
If a match is found, the ARP packet is considered valid and is forwarded. If no match is found, the ARP
packet is considered invalid and is discarded.
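The following is an added model of the user validity check described above, written for this page and not H3C's own code. It assumes constructed binding tables, sample ARP packets and port names, and matches only the sender IP/MAC pair, as the text describes.

```python
from dataclasses import dataclass

# Constructed sample tables standing in for the switch's static IP source
# guard bindings and DHCP snooping entries (values invented for this example).
STATIC_IPSG_BINDINGS = {("10.1.1.10", "00aa-bbcc-0001")}
DHCP_SNOOPING_ENTRIES = {("10.1.1.20", "00aa-bbcc-0002")}
# ARP trusted ports are exempt from ARP detection (assumed uplink port name).
ARP_TRUSTED_PORTS = {"GigabitEthernet1/0/24"}

@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    ingress_port: str

def user_validity_check(pkt: ArpPacket) -> tuple[bool, str]:
    """Model of the user validity check; returns (forward, reason).

    Packets from ARP trusted ports are not checked. Packets from untrusted
    ports are forwarded only if the sender IP/MAC pair matches a static IP
    source guard binding or a DHCP snooping entry; otherwise discarded.
    """
    if pkt.ingress_port in ARP_TRUSTED_PORTS:
        return True, "trusted port, not checked"
    key = (pkt.sender_ip, pkt.sender_mac)
    if key in STATIC_IPSG_BINDINGS:
        return True, "matches static IP source guard binding"
    if key in DHCP_SNOOPING_ENTRIES:
        return True, "matches DHCP snooping entry"
    return False, "sender IP/MAC in no binding, discarded"

# Constructed traffic: two bound clients, one client claiming the gateway IP
# 10.1.1.1 with its own MAC (gateway spoofing), and the gateway on the trusted port.
SAMPLE_PACKETS = [
    ArpPacket("10.1.1.10", "00aa-bbcc-0001", "GigabitEthernet1/0/1"),
    ArpPacket("10.1.1.20", "00aa-bbcc-0002", "GigabitEthernet1/0/2"),
    ArpPacket("10.1.1.1", "00aa-bbcc-0002", "GigabitEthernet1/0/2"),
    ArpPacket("10.1.1.1", "00aa-bbcc-ffff", "GigabitEthernet1/0/24"),
]

def run_detection(packets=SAMPLE_PACKETS):
    """Apply the check to each packet; returns a list of (forward, reason)."""
    return [user_validity_check(p) for p in packets]

if __name__ == "__main__":
    for pkt, (fwd, why) in zip(SAMPLE_PACKETS, run_detection()):
        print(f"{pkt.ingress_port:22} {pkt.sender_ip:10} {'FORWARD' if fwd else 'DISCARD'}: {why}")
```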