Configuring ARP filtering

The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.

An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled normally. If not, the packet is discarded.

To configure ARP filtering:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
| 3. Enable ARP filtering and configure a permitted entry. | arp filter binding ip-address mac-address | This feature is disabled by default. |

You can configure up to eight permitted entries on an interface.

The arp filter source and arp filter binding commands cannot both be configured on an interface.

If ARP filtering works with ARP detection, MFF, and ARP snooping, ARP filtering applies first.
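
The following Python model of the check described above is an added example, not vendor code or device behavior taken from this page. It shows that a packet passes only when its sender IP and sender MAC match the same permitted entry. The class and function names, the sample addresses, and the handling of truncated or non-IPv4 ARP payloads are assumptions made for the example.

```python
import ipaddress
import struct

MAX_ENTRIES = 8  # per-interface limit stated on this page


def parse_mac(text):
    """Parse a MAC written as H-H-H (e.g. 000f-e212-0101) into 6 bytes."""
    digits = text.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes.fromhex(digits)


class ArpFilter:
    """Model of one interface's permitted (sender IP, sender MAC) entries."""

    def __init__(self):
        self.entries = set()

    def add_binding(self, ip, mac):
        entry = (ipaddress.IPv4Address(ip).packed, parse_mac(mac))
        if entry not in self.entries and len(self.entries) >= MAX_ENTRIES:
            raise ValueError("an interface holds at most eight permitted entries")
        self.entries.add(entry)

    def permits(self, arp_payload):
        """Return True if the ARP payload's sender pair matches an entry."""
        if len(arp_payload) < 28:
            return False  # assumption: a truncated payload is discarded
        htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", arp_payload[:8])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return False  # assumption: only Ethernet/IPv4 ARP is modelled
        sender_mac = arp_payload[8:14]
        sender_ip = arp_payload[14:18]
        # IP and MAC must match the same entry, not merely appear somewhere.
        return (sender_ip, sender_mac) in self.entries


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed Ethernet/IPv4 ARP payload for testing."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + parse_mac(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + parse_mac(target_mac) + ipaddress.IPv4Address(target_ip).packed)
```

Running a planned binding list through such a model before deployment shows which legitimate senders on the interface would be discarded once the first arp filter binding entry is configured.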