Configuring arp automatic scanning and fixed arp, Configuration guidelines – H3C Technologies H3C S12500-X Series Switches User Manual


[SwitchB-vlan10] arp detection enable

# Configure the upstream interface as a trusted interface (an interface is an untrusted interface by default).

[SwitchB-vlan10] interface ten-gigabitethernet 1/0/3

[SwitchB-Ten-GigabitEthernet1/0/3] arp detection trust

[SwitchB-Ten-GigabitEthernet1/0/3] quit

# Configure a static IP source guard binding entry on interface Ten-GigabitEthernet 1/0/2 for user validity check.

[SwitchB] interface ten-gigabitethernet 1/0/2

[SwitchB-Ten-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10

[SwitchB-Ten-GigabitEthernet1/0/2] quit

# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

[SwitchB] arp detection validate dst-mac ip src-mac

After the configurations are completed, ARP packets received on interfaces Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 are first checked for valid MAC and IP addresses, then checked against the static IP source guard binding entries, and finally against the DHCP snooping entries.
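The following is an added example, not part of the H3C manual: a small Python model of the decision order just described (packet validity check, then static IP source guard bindings, then DHCP snooping entries) on an untrusted interface. The rules used for dst-mac, ip and src-mac are a simplification of the switch behaviour, the static binding is the one configured above, and the DHCP snooping entry is constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
ZERO_MAC, BCAST_MAC = "0000-0000-0000", "ffff-ffff-ffff"

@dataclass(frozen=True)
class ArpPacket:
    eth_src: str     # source MAC in the Ethernet header
    eth_dst: str     # destination MAC in the Ethernet header
    op: str          # "request" or "reply"
    sender_mac: str  # sender MAC in the ARP body
    sender_ip: str
    target_mac: str  # target MAC in the ARP body
    target_ip: str
    vlan: int        # VLAN the packet arrived on

def ip_invalid(ip):
    # all-zero, all-one and multicast addresses are treated as invalid (simplified model)
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast

def validity_check(pkt, checks):
    """Step 1: packet validity check, modelled on 'arp detection validate'."""
    if "dst-mac" in checks and pkt.op == "reply" and (
            pkt.target_mac in (ZERO_MAC, BCAST_MAC) or pkt.target_mac != pkt.eth_dst):
        return "drop: dst-mac"
    if "ip" in checks and (ip_invalid(pkt.sender_ip)
                           or (pkt.op == "reply" and ip_invalid(pkt.target_ip))):
        return "drop: ip"
    if "src-mac" in checks and pkt.sender_mac != pkt.eth_src:
        return "drop: src-mac"
    return None

def user_validity_check(pkt, static_bindings, dhcp_snooping):
    """Step 2: static IP source guard bindings first, then DHCP snooping entries."""
    key = (pkt.sender_ip, pkt.sender_mac, pkt.vlan)
    if key in static_bindings:
        return "permit: static binding"
    if key in dhcp_snooping:
        return "permit: dhcp snooping entry"
    return "drop: no matching binding"

def arp_detection(pkt, trusted, checks, static_bindings, dhcp_snooping):
    """Decision for one ARP packet received on an ARP-detection-enabled VLAN."""
    if trusted:  # trusted interfaces skip both checks
        return "permit: trusted interface"
    return validity_check(pkt, checks) or user_validity_check(pkt, static_bindings, dhcp_snooping)

# Static binding from the configuration above; the DHCP snooping entry is constructed.
STATIC = {("10.1.1.6", "0001-0203-0607", 10)}
SNOOPED = {("10.1.1.7", "0001-0203-0608", 10)}
CHECKS = {"dst-mac", "ip", "src-mac"}
```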


Configuring ARP automatic scanning and fixed ARP

ARP automatic scanning is usually used together with the fixed ARP feature in small-scale networks such as a cybercafe.

With ARP automatic scanning enabled on an interface, the device automatically performs the following functions:

Scans neighbors on the interface.

Sends ARP requests to the neighbors.

Obtains their MAC addresses.

Creates dynamic ARP entries.

Fixed ARP allows the device to convert existing dynamic ARP entries (including those generated through ARP automatic scanning) to static ARP entries. The fixed ARP feature prevents ARP entries from being modified by attackers. Static ARP entries can also be manually configured by the arp static command.


Configuration guidelines

When you configure ARP automatic scanning and fixed ARP, follow these guidelines:

IP addresses existing in ARP entries are not scanned.

ARP automatic scanning might take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

The arp fixup command is a one-time operation and converts existing dynamic ARP entries to static ones.

The device has a limit on the total number of static ARP entries, including both manually configured entries and converted entries. As a result, some dynamic ARP entries might fail the conversion.
