Configuring arp attack detection – H3C Technologies H3C S3100 Series Switches User Manual

| Operation | Command | Remarks |
|---|---|---|
| Configure the ARP aging timer | arp timer aging aging-time | Optional. By default, the ARP aging timer is set to 20 minutes. |
| Enable the ARP entry checking function (that is, disable the switch from learning ARP entries with multicast MAC addresses) | arp check enable | Optional. By default, the ARP entry checking function is enabled. |
- Static ARP entries are valid as long as the Ethernet switch operates normally. However, some operations, such as removing a VLAN or removing a port from a VLAN, make the corresponding ARP entries invalid, and those entries are then removed automatically.
- For the arp static command, the value of the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to that VLAN.
- Currently, static ARP entries cannot be configured on the ports of an aggregation group.
Configuring ARP Attack Detection
Among the S3100 series Ethernet switches, only the S3100-EI series supports the ARP attack detection function.
Table 1-5 Configure the ARP attack detection function
| Operation | Command | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable DHCP snooping | dhcp-snooping | Required. By default, the DHCP snooping function is disabled. |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Specify the current port as a trusted port | dhcp-snooping trust | Required. By default, after DHCP snooping is enabled, all ports of a switch are untrusted ports. |
| Quit to system view | quit | — |
| Enter VLAN view | vlan vlan-id | — |
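
As an added example (not part of the H3C manual), the Python script below audits a saved switch configuration for the settings described on this page: whether dhcp-snooping is enabled globally, which ports carry dhcp-snooping trust, and whether ARP entry checking has been turned off. The configuration layout, the undo arp check enable form, the port names and the expected_trusted allow-list are assumptions, and the sample configuration is constructed.

```python
import re

# Constructed sample; assumed `display current-configuration` layout:
# views separated by '#', commands inside a view indented by one space.
SAMPLE_CONFIG = """\
#
 dhcp-snooping
#
vlan 10
#
interface Ethernet1/0/1
#
interface Ethernet1/0/2
 dhcp-snooping trust
#
interface GigabitEthernet1/1/1
 dhcp-snooping trust
#
"""

def audit(config, expected_trusted):
    """Return (findings, trusted_ports) for the settings described above."""
    snooping = arp_check_off = False
    trusted, port = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):        # unindented line opens a new view
            m = re.match(r"interface (\S+)$", line)
            port = m.group(1) if m else None
        if line == "dhcp-snooping" and port is None:
            snooping = True                # global enable in system view
        elif line == "dhcp-snooping trust" and port:
            trusted.append(port)
        elif line == "undo arp check enable":
            arp_check_off = True           # assumed undo form of `arp check enable`
    findings = []
    if not snooping:
        findings.append("DHCP snooping is not enabled")
    if not trusted:
        findings.append("no trusted port configured (all ports default to untrusted)")
    findings += [f"unexpected trusted port: {p}" for p in trusted
                 if p not in expected_trusted]
    if arp_check_off:
        findings.append("ARP entry checking is disabled")
    return findings, trusted

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, {"GigabitEthernet1/1/1"})[0]:
        print("FINDING:", finding)
```

On the constructed sample, only the uplink is in the allow-list, so the access port Ethernet1/0/2 is reported as an unexpected trusted port.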