Configuring ARP packet validity check
Enable validity check for ARP packets received on untrusted interfaces and specify the following objects to be checked:
src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.
dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.
To configure ARP packet validity check:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable ARP attack detection. | arp detection enable | By default, ARP attack detection is disabled. |
4. Return to system view. | quit | N/A |
5. Enable ARP packet validity check and specify the objects to be checked. | arp detection validate { dst-mac | ip | src-mac } * | By default, ARP packet validity check is disabled. |
6. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
7. (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection. | arp detection trust | By default, an interface is untrusted. |