Configuring ARP gateway protection

Configure ARP gateway protection on interfaces that are not connected to the gateway to prevent gateway spoofing attacks.

When such a port receives an ARP packet, it checks whether the sender IP address in the packet matches the IP address of any protected gateway. If it does, the port discards the packet. If it does not, the port handles the packet normally.

To configure ARP gateway protection:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
| 3. Enable ARP gateway protection for a specified gateway. | arp filter source ip-address | Disabled by default. |

You can enable ARP gateway protection for up to eight gateways on a port.

The arp filter source and arp filter binding commands cannot both be configured on a port.

If ARP gateway protection is used together with ARP detection, MFF, and ARP snooping, ARP gateway protection applies first.
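
The per-port check and the eight-gateway limit described above, modeled in Python as an added example (not device or vendor code). The class and function names, the MAC addresses, and the 10.1.1.x addresses are constructed for illustration. The samples show that only the sender IP field is matched, so a host's own request for the gateway is still handled normally.

```python
import ipaddress
import struct

MAX_GATEWAYS_PER_PORT = 8  # limit stated on this page

class ProtectedPort:
    """Model of one port with 'arp filter source' entries (illustrative only)."""

    def __init__(self):
        self.gateways = set()

    def arp_filter_source(self, ip):
        addr = ipaddress.IPv4Address(ip)
        if addr not in self.gateways and len(self.gateways) >= MAX_GATEWAYS_PER_PORT:
            raise ValueError("at most eight protected gateways per port")
        self.gateways.add(addr)

    def accepts(self, arp_payload):
        """Return True if the packet is handled normally, False if discarded."""
        return parse_arp_sender_ip(arp_payload) not in self.gateways

def parse_arp_sender_ip(payload):
    """Extract the sender protocol address from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    # Layout after the 8-byte header: SHA(6) SPA(4) THA(6) TPA(4)
    return ipaddress.IPv4Address(payload[14:18])

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed ARP payload for the samples below."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + bytes.fromhex(sha.replace(":", ""))
            + ipaddress.IPv4Address(spa).packed
            + bytes.fromhex(tha.replace(":", ""))
            + ipaddress.IPv4Address(tpa).packed)

# Constructed samples: 10.1.1.1 is the protected gateway (assumed address).
port = ProtectedPort()
port.arp_filter_source("10.1.1.1")
# Host asking for the gateway's MAC: the sender is the host, so it passes.
HOST_REQUEST = build_arp(1, "02:00:00:00:00:0a", "10.1.1.10",
                         "00:00:00:00:00:00", "10.1.1.1")
# Reply claiming the gateway's IP as sender on a non-gateway port: discarded.
SPOOFED_REPLY = build_arp(2, "02:00:00:00:00:bb", "10.1.1.1",
                          "02:00:00:00:00:0a", "10.1.1.10")
```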