Configuring ARP sender IP address checking
This feature allows a gateway to check the sender IP address of an ARP packet in a VLAN before ARP learning. If the sender IP address is within the allowed IP address range, the gateway continues ARP learning. If the sender IP address is out of the range, the gateway determines the ARP packet as an attack packet and discards it.
When you configure the ARP sender IP address checking feature in a VLAN, follow these restrictions and guidelines:
If the VLAN is a sub-VLAN and is associated with a super VLAN, configure this checking feature only in the sub-VLAN.
If Layer 3 communication is configured between the secondary VLANs associated with a primary VLAN, configure this feature in the primary VLAN. If Layer 3 communication is not configured between the secondary VLANs associated with a primary VLAN, configure this feature in the intended VLAN.
To configure the ARP sender IP address checking feature:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable the ARP sender IP address checking feature and specify the IP address range. | arp sender-ip-range start-ip-address end-ip-address | By default, the ARP sender IP address checking feature is disabled. |