Configuring user validity check

User validity check compares the sender IP and sender MAC in the received ARP packet with the matching criteria in the following order:

  1. User validity check rules.

    • If a match is found, the device processes the ARP packet according to the rule.

    • If no match is found or no user validity check rule is configured, the device proceeds to step 2.

  2. Static IP source guard bindings and DHCP snooping entries.

    • If a match is found, the device forwards the ARP packet.

    • If no match is found, the device discards the ARP packet.

Static IP source guard bindings are created by using the ip source binding command. For more information, see "Configuring IP source guard."

DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide.

Configuration guidelines

When you configure user validity check, follow these guidelines:

Configuration procedure

To configure user validity check:

  1. Enter system view.

    • Command: system-view

    • Remarks: N/A

  2. (Optional.) Configure a user validity check rule.

    • Command: arp detection rule rule-id { deny | permit } ip { ip-address [ mask ] | any } mac { mac-address [ mask ] | any } [ vlan vlan-id ]

    • Remarks: By default, no user validity check rule is configured.

  3. Enter VLAN view.

    • Command: vlan vlan-id

    • Remarks: N/A

  4. Enable ARP attack detection.

    • Command: arp detection enable

    • Remarks: By default, ARP attack detection is disabled.

  5. Return to system view.

    • Command: quit

    • Remarks: N/A

  6. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.

    • Command: interface interface-type interface-number

    • Remarks: N/A

  7. (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection.

    • Command: arp detection trust

    • Remarks: By default, an interface is untrusted.
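The following Python script is an added example, not code from this configuration guide or from the device software. It models the two-stage check described at the top of this section: it parses arp detection rule commands written in the syntax shown in step 2 of the procedure, evaluates the rules before consulting the binding table, and discards anything that matches neither. The mask semantics (bits set in the mask must match), the ascending rule-id evaluation order, the binding tuple layout, and all configuration lines and packets are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed configuration fragment in the command syntax of the procedure.
# Rule 3 is listed before rule 2 to show that evaluation order follows rule-id
# (assumed), not the order the commands were entered.
EXAMPLE_CONFIG = """\
arp detection rule 1 permit ip 10.1.1.0 255.255.255.0 mac any vlan 10
arp detection rule 3 permit ip any mac 00e0-fc00-0000 ffff-ffff-0000 vlan 30
arp detection rule 2 deny ip any mac 00e0-fc12-3456
vlan 10
 arp detection enable
 quit
"""

# Constructed static IP source guard bindings / DHCP snooping entries: (ip, mac, vlan).
BINDINGS: Set[Tuple[str, str, int]] = {
    ("10.1.2.5", "00e0-fc00-0001", 10),
    ("10.1.2.6", "00e0-fc00-0002", 20),
}

RULE_RE = re.compile(
    r"^arp detection rule (?P<id>\d+) (?P<action>deny|permit) "
    r"ip (?P<ip>\S+)(?: (?P<ipmask>\d+\.\d+\.\d+\.\d+))? "
    r"mac (?P<mac>\S+)(?: (?P<macmask>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}))?"
    r"(?: vlan (?P<vlan>\d+))?$"
)


def ip_to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def mac_to_int(hhhh: str) -> int:
    # Comware-style hhhh-hhhh-hhhh notation.
    return int(hhhh.replace("-", ""), 16)


@dataclass
class Rule:
    rule_id: int
    action: str            # "permit" or "deny"
    ip: Optional[int]      # None means "any"
    ip_mask: int           # assumption: set bits must match
    mac: Optional[int]     # None means "any"
    mac_mask: int
    vlan: Optional[int]    # None means the rule applies to every VLAN

    def matches(self, sender_ip: str, sender_mac: str, vlan: int) -> bool:
        if self.vlan is not None and self.vlan != vlan:
            return False
        if self.ip is not None and (ip_to_int(sender_ip) & self.ip_mask) != (self.ip & self.ip_mask):
            return False
        if self.mac is not None and (mac_to_int(sender_mac) & self.mac_mask) != (self.mac & self.mac_mask):
            return False
        return True


def parse_rules(config: str) -> List[Rule]:
    """Extract arp detection rule commands; other lines (vlan, enable, quit) are ignored."""
    rules = []
    for line in config.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        ip = None if m["ip"] == "any" else ip_to_int(m["ip"])
        ip_mask = ip_to_int(m["ipmask"]) if m["ipmask"] else 0xFFFFFFFF
        mac = None if m["mac"] == "any" else mac_to_int(m["mac"])
        mac_mask = mac_to_int(m["macmask"]) if m["macmask"] else 0xFFFFFFFFFFFF
        vlan = int(m["vlan"]) if m["vlan"] else None
        rules.append(Rule(int(m["id"]), m["action"], ip, ip_mask, mac, mac_mask, vlan))
    return sorted(rules, key=lambda r: r.rule_id)


def check_arp(sender_ip: str, sender_mac: str, vlan: int,
              rules: List[Rule], bindings: Set[Tuple[str, str, int]]) -> str:
    """Return 'forward' or 'discard' following the two-stage order in the text."""
    # Stage 1: user validity check rules, first match wins.
    for rule in rules:
        if rule.matches(sender_ip, sender_mac, vlan):
            return "forward" if rule.action == "permit" else "discard"
    # Stage 2: static IP source guard bindings and DHCP snooping entries.
    if (sender_ip, sender_mac, vlan) in bindings:
        return "forward"
    # No rule and no binding: the packet is discarded.
    return "discard"


RULES = parse_rules(EXAMPLE_CONFIG)

if __name__ == "__main__":
    for pkt in [("10.1.1.7", "00e0-fc12-3456", 10),   # rule 1 permits before rule 2 can deny
                ("10.1.2.5", "00e0-fc12-3456", 10),   # rule 2 denies the MAC
                ("10.1.2.5", "00e0-fc00-0001", 10),   # no rule; binding exists
                ("10.1.2.5", "00e0-fc00-0001", 20),   # no rule; wrong VLAN for binding
                ("192.0.2.9", "00e0-fc00-abcd", 30)]: # rule 3 matches via MAC mask
        print(pkt, "->", check_arp(*pkt, RULES, BINDINGS))
```

Because rule 1 permits the whole 10.1.1.0/24 range in VLAN 10 regardless of MAC, a sender using the MAC that rule 2 denies is still forwarded when it sends from that range; a permit rule that precedes a deny rule silently widens what the deny can catch, so rule ordering deserves the same review as the bindings themselves.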