
Configuring the arp packet rate limit function – H3C Technologies H3C S3100 Series Switches User Manual


| Operation | Command | Remarks |
|---|---|---|
| Enable the ARP attack detection function | arp detection enable | Required. By default, ARP attack detection is disabled on all ports. |
| Quit to system view | quit | - |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Configure the port as an ARP trusted port | arp detection trust | Optional. By default, a port is an untrusted port. |
| Quit to system view | quit | - |
| Enter VLAN view | vlan vlan-id | - |
| Enable ARP restricted forwarding | arp restricted-forwarding enable | Optional. By default, the ARP restricted forwarding function is disabled. The device forwards legal ARP packets through all its ports. |

- You need to enable DHCP snooping and configure DHCP snooping trusted ports on the switch before configuring the ARP attack detection function. For more information about DHCP snooping, refer to the DHCP snooping section in the part discussing DHCP in this manual.

- Generally, the uplink port of a switch is configured as a trusted port.

- Before enabling ARP restricted forwarding, make sure you enable ARP attack detection and configure ARP trusted ports.

- Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S3100-EI series Ethernet switch is the same as the default VLAN ID of the port. If the VLAN tag of an ARP packet is different from the default VLAN ID of the receiving port, the ARP packet cannot pass the ARP attack detection based on the IP-to-MAC bindings.

- When you use ARP attack detection in cooperation with VLAN mapping, you need to enable ARP attack detection in both the original VLAN and the mapped VLAN. For more information about VLAN mapping, refer to VLAN-VPN Operation in this manual.

- Configuring ARP attack detection on the ports of an aggregation group is not recommended.
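
An offline check of the prerequisites in the notes above, as an added example that is not part of the H3C manual: it reads a saved configuration and reports ARP attack detection or ARP restricted forwarding configured without its dependencies. The dump layout, the port name, the VLAN IDs, and the placement of arp detection enable under the VLAN section are assumptions.

```python
# Constructed sample in the layout of a Comware configuration dump
# (section layout, port name and VLAN IDs are assumptions for illustration).
SAMPLE_CONFIG = """\
 dhcp-snooping
#
vlan 10
 arp detection enable
 arp restricted-forwarding enable
#
vlan 20
 arp restricted-forwarding enable
#
interface Ethernet1/0/1
 dhcp-snooping trust
 arp detection trust
#
"""

def parse_sections(text):
    """Split the dump into {header: [commands]}; key '' holds global commands."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = ""                      # '#' closes the current section
        elif raw.startswith(("vlan ", "interface ")):
            current = line                    # unindented line opens a section
            sections.setdefault(current, [])
        else:
            sections[current].append(line)    # indented command in that section
    return sections

def audit(text):
    """Return findings for the prerequisites stated in the notes above."""
    sec = parse_sections(text)
    vlans = {h: c for h, c in sec.items() if h.startswith("vlan ")}
    ports = {h: c for h, c in sec.items() if h.startswith("interface ")}
    detect = [h for h, c in vlans.items() if "arp detection enable" in c]
    arp_trusted = any("arp detection trust" in c for c in ports.values())
    checks = [
        ("dhcp-snooping" in sec[""], "DHCP snooping is not enabled"),
        (any("dhcp-snooping trust" in c for c in ports.values()), "no DHCP snooping trusted port"),
        (arp_trusted, "no ARP trusted port"),
    ]
    findings = [msg for ok, msg in checks if detect and not ok]
    for h, c in vlans.items():
        if "arp restricted-forwarding enable" in c and not (h in detect and arp_trusted):
            findings.append(f"{h}: restricted forwarding without detection and a trusted port")
    return findings
```

Running audit(SAMPLE_CONFIG) flags only vlan 20, where restricted forwarding is enabled without ARP attack detection.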

Configuring the ARP Packet Rate Limit Function

Among the S3100 series Ethernet switches, only the S3100-EI series supports the ARP packet rate limit function.