Introduction – H3C Technologies H3C S3100 Series Switches User Manual

2

Among the S3100 series Ethernet switches, only the S3100-EI series support ARP Packet Filtering.

Follow these steps to configure ARP packet filtering based on gateway’s address:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter Ethernet port view

interface interface-type
interface-number

—

Configure ARP packet filtering
based on the gateway’s IP
address

arp filter source ip-address

Required

Not configured by default.

Configure ARP packet filtering
based on the gateway’s IP and
MAC addresses

arp filter binding ip-address
mac-address

Required

Not configured by default.

The arp filter source and arp filter binding commands are mutually exclusive on an Ethernet port.

That is, you can only configure ARP packet filtering based on gateway’s IP address, or based on

gateway’s IP and MAC addresses, but not both on an Ethernet port.

Configuring the Maximum Number of Dynamic ARP Entries a VLAN
Interface Can Learn

Introduction

To prevent ARP flood attacks, you can limit the number of ARP entries learned by a VLAN interface on

S3100-EI series Ethernet switches (operating as gateways). That is, you can set the maximum number

of dynamic ARP entries that a VLAN interface can learn. If the number of ARP entries learned by the

VLAN interface exceeds the specified upper limit, the VLAN interface stops learning ARP entries, thus

to avoid ARP flood attacks.

Configuring the Maximum Number of Dynamic ARP Entries that a VLAN Interface
Can Learn

Follow these steps to configure the maximum number of dynamic ARP entries that a VLAN interface

can learn:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enter VLAN interface view

interface vlan-interface
vlan-id

—