Configuring user validity check
User validity check compares the sender IP and sender MAC in the received ARP packet with the matching criteria in the following order:

1. User validity check rules.
   - If a match is found, the device processes the ARP packet according to the rule.
   - If no match is found or no user validity check rule is configured, the device proceeds to step 2.
2. Static IP source guard bindings and DHCP snooping entries.
   - If a match is found, the device forwards the ARP packet.
   - If no match is found, the device discards the ARP packet.
Static IP source guard bindings are created by using the ip source binding command. For more information, see "Configuring IP source guard."
DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide.
Configuration guidelines
When you configure user validity check, follow these guidelines:
Make sure one or more of the following items is configured for user validity check:
- User validity check rules.
- Static IP source guard bindings.
- DHCP snooping.
If none of the items is configured, all incoming ARP packets on ARP untrusted interfaces are discarded.
Specify the VLAN where ARP attack detection is enabled as the VLAN for IP source guard bindings. Otherwise, the IP source guard bindings do not take effect for user validity check.
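The following is an added model of the decision order described above (rules first, then static IP source guard bindings and DHCP snooping entries, discard otherwise) together with the two guidelines: it is example code written for this page, not the device's implementation. It assumes rules are evaluated in rule-id order, that masks are netmask-style (all ones means exact match), and that a binding only counts when its VLAN is the VLAN where ARP attack detection is enabled.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

def _mac_int(mac: str) -> int:
    """Parse 'H-H-H' or 'HH:HH:...' MAC notation into an integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)

@dataclass(frozen=True)
class Rule:
    """One 'arp detection rule' entry. None for ip/mac means the 'any' keyword.
    Assumption: masks are netmask-style; all ones means an exact match."""
    rule_id: int
    action: str                      # "permit" or "deny"
    ip: Optional[str] = None
    ip_mask: str = "255.255.255.255"
    mac: Optional[str] = None
    mac_mask: str = "ffff-ffff-ffff"
    vlan: Optional[int] = None

    def matches(self, ip: str, mac: str, vlan: int) -> bool:
        if self.vlan is not None and self.vlan != vlan:
            return False
        if self.ip is not None:
            m = int(IPv4Address(self.ip_mask))
            if (int(IPv4Address(ip)) & m) != (int(IPv4Address(self.ip)) & m):
                return False
        if self.mac is not None:
            m = _mac_int(self.mac_mask)
            if (_mac_int(mac) & m) != (_mac_int(self.mac) & m):
                return False
        return True

def check_arp(sender_ip, sender_mac, vlan, rules, bindings):
    """Decide 'forward' or 'discard' for an ARP packet received on an ARP
    untrusted interface in a VLAN with ARP attack detection enabled.
    bindings: (ip, mac, vlan) tuples covering both static IP source guard
    bindings and DHCP snooping entries."""
    # Step 1: user validity check rules (assumed rule-id order); first match wins.
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.matches(sender_ip, sender_mac, vlan):
            return "forward" if rule.action == "permit" else "discard"
    # Step 2: bindings. A binding only takes effect in the VLAN where ARP
    # attack detection is enabled, so the VLAN must match as well.
    for b_ip, b_mac, b_vlan in bindings:
        if b_ip == sender_ip and _mac_int(b_mac) == _mac_int(sender_mac) and b_vlan == vlan:
            return "forward"
    # No match, or nothing configured at all: the packet is discarded.
    return "discard"
```

Note that a permit rule forwards a packet with no binding at all, and a deny rule discards it even when a matching binding exists, because rules are consulted first.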
Configuration procedure
To configure user validity check:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. (Optional.) Configure a user validity check rule. | arp detection rule rule-id { deny \| permit } ip { ip-address [ mask ] \| any } mac { mac-address [ mask ] \| any } [ vlan vlan-id ] | By default, no user validity check rule is configured. |
| 3. Enter VLAN view. | vlan vlan-id | N/A |
| 4. Enable ARP attack detection. | arp detection enable | By default, ARP attack detection is disabled. |
| 5. Return to system view. | quit | N/A |
| 6. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
| 7. (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection. | arp detection trust | By default, an interface is untrusted. |