Configuration example, Network requirements, Configuration procedure – H3C Technologies H3C S6300 Series Switches User Manual

Page 350: Verifying the configuration, Configuring arp filtering, Configuration guidelines

Configuration example

Network requirements

As shown in Figure 110, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.
Configure Switch B to block such attacks.

Figure 110 Network diagram

Configuration procedure

# Configure ARP gateway protection on Switch B.

<SwitchB> system-view
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[SwitchB-Ten-GigabitEthernet1/0/1] quit
[SwitchB] interface ten-gigabitethernet 1/0/2
[SwitchB-Ten-GigabitEthernet1/0/2] arp filter source 10.1.1.1

Verifying the configuration

# Verify that Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 discard the incoming ARP
packets whose sender IP address is the IP address of the gateway.

Configuring ARP filtering

The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded.
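
The two checks described above (gateway protection in the configuration example, and ARP filtering against permitted entries), modelled on raw ARP payloads. This is an added example, not code from the H3C manual or the switch software. The MAC addresses, the permitted entry, the function names and the choice to discard malformed packets are assumptions; only the gateway address 10.1.1.1 comes from the page.

```python
import socket
import struct

# Gateway IP is from the page; the MACs and the permitted entry are constructed.
GATEWAY_IP = "10.1.1.1"
PERMITTED = {("10.1.1.2", "00:e0:fc:00:00:02")}  # hypothetical (sender IP, sender MAC)


def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload (RFC 826)."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    sha, spa = payload[8:14], payload[14:18]
    return ":".join(f"{b:02x}" for b in sha), socket.inet_ntoa(spa)


def gateway_protection(payload: bytes, protected_ip: str = GATEWAY_IP) -> str:
    """Discard ARP packets whose sender IP is the protected gateway IP."""
    try:
        _mac, ip = parse_arp(payload)
    except ValueError:
        return "discard"  # assumption of this model: malformed ARP is dropped
    return "discard" if ip == protected_ip else "forward"


def arp_filtering(payload: bytes, permitted=PERMITTED) -> str:
    """Forward only packets whose (sender IP, sender MAC) is a permitted entry."""
    try:
        mac, ip = parse_arp(payload)
    except ValueError:
        return "discard"  # assumption of this model: malformed ARP is dropped
    return "forward" if (ip, mac) in permitted else "discard"


def build_arp(op: int, sender_mac: str, sender_ip: str, target_ip: str) -> bytes:
    """Build a constructed 28-byte ARP payload used as test input only."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha
            + socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton(target_ip))


if __name__ == "__main__":
    spoofed = build_arp(2, "00:e0:fc:00:00:0b", GATEWAY_IP, "10.1.1.2")  # claims gateway IP
    honest = build_arp(1, "00:e0:fc:00:00:02", "10.1.1.2", GATEWAY_IP)   # host's own request
    print("gateway protection:", gateway_protection(spoofed), gateway_protection(honest))
    print("ARP filtering:     ", arp_filtering(spoofed), arp_filtering(honest))
```

The model makes the difference visible: gateway protection looks only at the sender IP, while ARP filtering requires the sender IP and MAC to match a permitted entry as a pair.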

Configuration guidelines

Follow these guidelines when you configure ARP filtering: