Configuring arp attack detection – H3C Technologies H3C S3600 Series Switches User Manual

2-6

Follow these steps to configure ARP packet filtering based on gateway’s IP and MAC address:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter Ethernet port view

interface interface-type
interface-number

—

Configure ARP packet filtering
based on the gateway’s IP and
MAC addresses

arp filter binding ip-address
mac-address

Required

Not configured by default.

The arp filter source and arp filter binding commands are mutually exclusive on an Ethernet port.

That is, you can only configure ARP packet filtering based on gateway’s IP address, or based on

gateway’s IP and MAC addresses on an Ethernet port. Generally, ARP packet filtering based on

gateway's IP address is configured on the switch's port directly connected to a host, and ARP packet

filtering based on gateway's IP and MAC addresses is configured on the cascaded port or upstream

port.

Configuring ARP Attack Detection

Follow these steps to configure the ARP attack detection function:

To do…

Use the command…

Remarks

Enter system view

system-view

—

interface interface-type
interface-number

Create a static binding

ip source static binding
ip-address ip-address
[ mac-address mac-address ]

Enable DHCP snooping

dhcp-snooping

Enable ARP attack detection
based on IP-to-MAC bindings
of authenticated 802.1x clients

ip source static import dot1x

Required

Use at least one of the
commands.

By default, no IP static binding
is created, and the DHCP
snooping function and ARP
attack detection based on
authenticated 802.1x clients
are disabled.

Enter Ethernet port view

interface interface-type
interface-number

—

Specify the current port as a
trusted port

dhcp-snooping trust

Optional

After DHCP snooping is
enabled, you need to configure
the upstream port connected to
the DHCP server as a trusted
port.