364
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or
dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP
relay agent, see Layer 3—IP Services Configuration Guide.
With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries. This feature
prevents user spoofing and allows only authorized clients to access network resources.
Configuration procedure
To enable authorized ARP:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter VLAN interface view.
interface interface-type
interface-number
N/A
3. Enable authorized ARP on the
interface.
arp authorized enable
By default, authorized ARP is
disabled.
Configuring ARP detection
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user
spoofing and gateway spoofing attacks. ARP detection does not check ARP packets received from ARP
trusted ports.
ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding
functions.
If both ARP packet validity check and user validity check are enabled, the former one applies first, and
then the latter applies.
Configuring user validity check
The device checks user validity upon receiving an ARP packet from an ARP untrusted interface as follows:
1. Uses the user validity check rules to match the sender IP and MAC addresses of the ARP packet.
{ If a match is found, the device processes the ARP packet according to the rule.
{ If no match is found, proceeds to step 2.
2. Uses static IP source guard bindings and DHCP snooping entries to match the sender IP and MAC
addresses of the ARP packet.
{ If a match is found, the device forwards the ARP packet.
{ If no match is found, the device discards the ARP packet.
Static IP source guard bindings are created by using the ip source binding command. For more
information, see "Configuring IP source guard."
To Next Page
Loading...
Need help?
General