Introduction, Configuration procedure – H3C Technologies H3C S5120 Series Switches User Manual

2-10

# Enable ARP detection for VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] arp detection enable

# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
[SwitchA-vlan10] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] arp detection trust
[SwitchA-GigabitEthernet1/0/3] quit

# Enable ARP detection based on 802.1X security entries.
[SwitchA] arp detection mode dot1x

After the preceding configurations, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, they are checked against 802.1X security entries.

Configuring Periodic Sending of Gratuitous ARP Packets

Introduction

If an attacker sends spoofed gratuitous ARP packets to hosts on a network, traffic that the hosts want to send to the gateway is sent to the attacker instead. As a result, the hosts cannot access external networks.

To prevent such gateway spoofing attacks, you can enable the gateway to send gratuitous ARP packets containing its primary IP address or one of its manually configured secondary IP addresses at a specific interval. In this way, each host can learn correct gateway address information.
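The gateway spoofing described above can also be spotted on a monitoring host: a gratuitous ARP (sender IP equal to target IP) that announces the gateway's IP from a MAC other than the gateway's own. The following is an added example, not code from the manual or from H3C; the gateway IP, gateway MAC and the two sample frames are constructed values.

```python
import struct

# Constructed example values (not from the manual): the legitimate gateway
# binding and the frames a monitoring host might see on the VLAN.
GATEWAY_IP = "192.168.10.1"
GATEWAY_MAC = "00:e0:fc:00:00:01"   # assumed legitimate gateway MAC

def build_arp(sender_mac, sender_ip, target_mac, target_ip, op=1):
    """Build an Ethernet II frame carrying an ARP packet (op 1 = request, 2 = reply)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    tmac = bytes.fromhex(target_mac.replace(":", ""))
    sip = bytes(int(o) for o in sender_ip.split("."))
    tip = bytes(int(o) for o in target_ip.split("."))
    eth = b"\xff" * 6 + smac + b"\x08\x06"            # broadcast dst, EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + sip + tmac + tip
    return eth + arp

def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {"op": op, "sender_mac": fmt_mac(frame[22:28]), "sender_ip": fmt_ip(frame[28:32]),
            "target_mac": fmt_mac(frame[32:38]), "target_ip": fmt_ip(frame[38:42])}

def is_gratuitous(arp):
    """Gratuitous ARP announces the sender's own binding: sender IP == target IP."""
    return arp is not None and arp["sender_ip"] == arp["target_ip"]

def check_gateway_spoof(frame, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Verdict for one frame: 'ok' for the gateway's own periodic announcement,
    'spoof' for a gratuitous ARP claiming the gateway IP from another MAC,
    'ignore' for anything else (non-ARP, non-gratuitous, or another IP)."""
    arp = parse_arp(frame)
    if not is_gratuitous(arp) or arp["sender_ip"] != gateway_ip:
        return "ignore"
    return "ok" if arp["sender_mac"] == gateway_mac else "spoof"

# Constructed sample frames: the gateway's own announcement and a spoofed one.
LEGIT_FRAME = build_arp(GATEWAY_MAC, GATEWAY_IP, "00:00:00:00:00:00", GATEWAY_IP)
SPOOF_FRAME = build_arp("00:11:22:33:44:55", GATEWAY_IP, "00:00:00:00:00:00", GATEWAY_IP)

if __name__ == "__main__":
    for name, frame in (("legit", LEGIT_FRAME), ("spoof", SPOOF_FRAME)):
        print(name, check_gateway_spoof(frame))
```

Feeding captured frames (for example from a raw socket or a pcap reader) into `check_gateway_spoof` turns this into a simple alert source for the spoofing case the manual describes.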

Configuration Procedure

Follow these steps to configure the gateway to send gratuitous ARP packets periodically:

To do…                                        Use the command…                                                 Remarks
Enter system view                             system-view
Enter interface view                          interface interface-type interface-number
Enable periodic sending of gratuitous ARP     arp anti-attack send-gratuitous-arp [ interval milliseconds ]    Required. Disabled by default.
packets and set the sending interval

• This feature takes effect only when the link of the enabled interface goes up and an IP address has been assigned to the interface.

• If you change the interval for sending gratuitous ARP packets, the configuration takes effect at the next sending interval.
