Configuring arp active acknowledgement, Configuring authorized arp, Configuration procedure – H3C Technologies H3C S12500-X Series Switches User Manual


Configuring ARP packet source MAC consistency check

This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries.

To enable ARP packet source MAC address consistency check:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable ARP packet source MAC address consistency check. | arp valid-check enable | By default, ARP packet source MAC address consistency check is disabled.
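The comparison this check performs can be reproduced offline against captured frames. The following is an added example, not code from the manual or from H3C: it parses a raw Ethernet frame and flags ARP packets whose Ethernet source MAC differs from the ARP sender MAC. The function names, the sample addresses and the handling of a single 802.1Q tag are assumptions made for the illustration.

```python
import struct

ETH_P_ARP, ETH_P_8021Q = 0x0806, 0x8100

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def check_arp_source_mac(frame: bytes):
    """Classify one raw Ethernet frame: pass, drop, not-arp or malformed."""
    if len(frame) < 14:
        return "malformed", "short Ethernet header"
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_P_8021Q:  # assumption: skip a single VLAN tag
        if len(frame) < 18:
            return "malformed", "short 802.1Q tag"
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != ETH_P_ARP:
        return "not-arp", f"ethertype 0x{ethertype:04x}"
    arp = frame[offset:]
    if len(arp) < 28:
        return "malformed", "short ARP body"
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "malformed", "not Ethernet/IPv4 ARP"
    sender_mac = arp[8:14]  # sender hardware address in the ARP body
    if sender_mac != eth_src:
        return "drop", f"eth src {fmt_mac(eth_src)} != ARP sender {fmt_mac(sender_mac)}"
    return "pass", f"sender {fmt_mac(sender_mac)}"

def build_arp(eth_src: bytes, sender_mac: bytes, vlan=None) -> bytes:
    """Build a constructed broadcast ARP request for the demo below."""
    hdr = b"\xff" * 6 + eth_src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)
    hdr += struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac
    body += bytes([192, 0, 2, 10]) + b"\x00" * 6 + bytes([192, 0, 2, 1])
    return hdr + body

# Constructed sample addresses (locally administered MACs, documentation IPs).
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")

if __name__ == "__main__":
    for src, vlan in [(HOST_A, None), (HOST_B, None), (HOST_B, 10)]:
        print(fmt_mac(src), vlan, *check_arp_source_mac(build_arp(src, HOST_A, vlan)))
```

A frame in which both fields carry the same forged address passes this comparison; the features in the following sections are the ones the manual describes for preventing user spoofing.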


Configuring ARP active acknowledgement

Configure this feature on gateways to prevent user spoofing.

ARP active acknowledgement prevents a gateway from generating incorrect ARP entries. For more information about its working mechanism, see ARP Attack Protection Technology White Paper.

In strict mode, a gateway can learn an entry only when ARP active acknowledgement is based on the correct ARP resolution.

To configure ARP active acknowledgement:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable the ARP active acknowledgement function. | arp active-ack [ strict ] enable | By default, the ARP active acknowledgement function is disabled.


Configuring authorized ARP

Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide.

With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries to prevent user spoofing and allows only authorized clients to access network resources.


Configuration procedure

To enable authorized ARP:
