H3C Technologies H3C S5120 Series Switches User Manual

2-5

MAC addresses, port index, and VLAN ID) are consistent, the ARP packet passes the check; if not,

the ARP packet cannot pass the check.

z

Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP

packet.

z

If ARP detection is not enabled for the VLAN, the ARP packet is not checked even if it is received

from an ARP untrusted port.

2) After you enable ARP detection based on 802.1X security entries, the device, upon receiving an

ARP packet from an ARP untrusted port, compares the ARP packet against the 802.1X security

entries.

z

If an entry with identical source IP and MAC addresses, port index, and VLAN ID is found, the ARP

packet is considered valid.

z

If an entry with no matching IP address but with a matching OUI MAC address is found, the ARP

packet is considered valid.

Otherwise, the packet is considered invalid and discarded.

3) After you enable ARP detection based on static IP-to-MAC bindings, the device, upon receiving an

ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of

the ARP packet against the static IP-to-MAC bindings.

z

If an entry with a matching IP address but a different MAC address is found, the ARP packet is

considered invalid and discarded.

z

If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid

and can pass the detection.

z

If no match is found, the ARP packet is considered valid and can pass the detection.

If all the detection types are specified, the system uses static IP-to-MAC binding entries first, then

DHCP snooping entries, and then 802.1X security entries. To prevent gateway spoofing, ARP detection

based on IP-to-MAC binding entries is required. After passing this type of ARP detection, users that can

pass ARP detection based on DHCP snooping entries or 802.1X security entries are considered to be

valid. The last two detection types are used to prevent user spoofing. You can select detection types

according to the networking environment.

z

If all access clients acquire IP addresses through DHCP, it is recommended that you enable DHCP

snooping and ARP detection based on DHCP snooping entries on your access device.

z

If access clients are large in number and most of them use static IP addresses,. If access clients

are 802.1X clients, it is recommended that you enable 802.1X authentication, upload of client IP

addresses, and ARP detection based on 802.1X security entries on your access device. After that,

the access device uses mappings between IP addresses, MAC addresses, VLAN IDs, and ports of

802.1X authentication clients for ARP detection.

Follow these steps to enable ARP detection for a VLAN and specify a trusted port:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter VLAN view

vlan vlan-id

—

Enable ARP detection for the
VLAN

arp detection enable

Required

Disabled by default. That is, ARP
detection based on DHCP snooping
entries/802.1X security entries/static
IP-to-MAC bindings is not enabled by
default.