
Configuring the ARP packet rate limit function – H3C Technologies H3C S3600 Series Switches User Manual

Page 608


| To do… | Use the command… | Remarks |
|---|---|---|
| Configure the port as an ARP trusted port | arp detection trust | Optional. By default, a port is an ARP untrusted port. Generally, the upstream port of a switch is configured as a trusted port. |
| Quit to system view | quit | |
| Enter VLAN view | vlan vlan-id | |
| Enable the ARP attack detection function | arp detection enable | Required. By default, ARP attack detection is disabled on all ports. |
| Enable ARP restricted forwarding | arp restricted-forwarding enable | Optional. Disabled by default. |

- When most clients acquire IP addresses through DHCP and some clients use static IP addresses, you need to enable DHCP snooping and configure static IP binding entries on the switch. These functions can cooperate with ARP attack detection to check the validity of packets.

- ARP attack detection based on authenticated 802.1x clients must be used together with both MAC-based 802.1x authentication and ARP attack detection.

- Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S3600 series Ethernet switch is the same as the default VLAN ID of the port. If the VLAN tag of an ARP packet is different from the default VLAN ID of the receiving port, the ARP packet cannot pass the ARP attack detection based on the IP-to-MAC bindings.

- Before enabling ARP restricted forwarding, make sure you have enabled ARP attack detection and configured ARP trusted ports.

- Configuring ARP attack detection on the ports of a fabric or an aggregation group is not recommended.

Configuring the ARP Packet Rate Limit Function

Follow these steps to configure the ARP packet rate limit function:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter Ethernet port view | interface interface-type interface-number | |
| Enable the ARP packet rate limit function | arp rate-limit enable | Required. By default, the ARP packet rate limit function is disabled on a port. |
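A configuration audit for the prerequisites stated in the ARP attack detection notes and the rate limit table above, as an added example that is not part of the manual. It assumes a saved configuration in which each view (`vlan <id>`, `interface <name>`) starts at column 0 with its commands indented beneath it and `#` between views; the sample configuration, port names and VLAN IDs are constructed, and flagging untrusted ports without the rate limit is a policy choice of this example.

```python
# Constructed sample configuration (not from the manual). Assumed layout:
# view header at column 0, its commands indented below, "#" between views.
SAMPLE_CONFIG = """\
vlan 10
 arp detection enable
 arp restricted-forwarding enable
#
vlan 20
 arp restricted-forwarding enable
#
interface Ethernet1/0/1
 arp detection trust
#
interface Ethernet1/0/2
 arp rate-limit enable
#
interface Ethernet1/0/3
"""

def parse_views(text):
    """Return {view header: set of commands configured in that view}."""
    views, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "#":
            current = None
        elif not line[0].isspace():
            current = views.setdefault(line.strip(), set())
        elif current is not None:
            current.add(" ".join(line.split()))
    return views

def audit(text):
    """Report settings that break the prerequisites described on this page."""
    views = parse_views(text)
    ports = {h: c for h, c in views.items() if h.startswith("interface ")}
    vlans = {h: c for h, c in views.items() if h.startswith("vlan ")}
    trusted = [h for h, c in ports.items() if "arp detection trust" in c]
    findings = []
    for header, cmds in vlans.items():
        if "arp restricted-forwarding enable" in cmds:
            if "arp detection enable" not in cmds:
                findings.append(f"{header}: restricted forwarding without ARP attack detection")
            if not trusted:  # switch-wide check; port VLAN membership is not parsed
                findings.append(f"{header}: restricted forwarding but no ARP trusted port")
    # Example policy (assumption): untrusted ports should have the rate limit on.
    for header, cmds in ports.items():
        if header not in trusted and "arp rate-limit enable" not in cmds:
            findings.append(f"{header}: untrusted port, ARP packet rate limit disabled")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one finding for `vlan 20` and one for `interface Ethernet1/0/3`.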
