Configuring arp attack detection – H3C Technologies H3C WX3000 Series Unified Switches User Manual

39-6

To do…

Use the command…

Remarks

Enable the ARP entry
checking function (that is,
disable the device from
learning ARP entries with
multicast MAC addresses)

arp check enable

Optional
By default, the ARP entry checking
function is enabled.

z

Static ARP entries are valid as long as the device operates normally. But some operations, such as
removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP entries
invalid and therefore removed automatically.

z

As for the arp static command, the value of the vlan-id argument must be the ID of an existing
VLAN, and the port identified by the interface-type and interface-number arguments must belong to
the VLAN.

z

Currently, static ARP entries cannot be configured on the ports of an aggregation group.

Configuring ARP Attack Detection

Follow these steps to configure the ARP attack detection function:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enable DHCP snooping

dhcp-snooping

Required
By default, the DHCP snooping
function is disabled.

Enter Ethernet port view

interface interface-type
interface-number

—

Specify the current port as a
trusted port

dhcp-snooping trust

Required
By default, after DHCP snooping is
enabled, all ports of a device are
untrusted ports.

Quit to system view

quit

—

Enter VLAN view

vlan vlan-id

—

Enable the ARP attack detection
function

arp detection enable

Required
By default, ARP attack detection is
disabled on all ports.

Quit to system view

quit

—

Enter Ethernet port view

interface interface-type
interface-number

—

Configure the port as an ARP
trusted port

arp detection trust

Optional
By default, a port is an untrusted
port.