Configuring ARP packet validity check
About ARP packet validity check
ARP packet validity check does not check ARP packets received on ARP trusted interfaces. To check ARP packets received on untrusted interfaces, you can specify the following objects to be checked:
src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.
dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.
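The following is an added illustration of the three check objects above, written as a small Python model; it is not H3C/Comware code and does not show how a switch implements the check in hardware. The frame builder, the check names, the hypothetical `validate()` function and all sample frames are constructed for this example. It also models the two knobs from the procedure below: frames from a trusted interface skip the check entirely, and only the objects you select are enforced.

```python
"""Model of the ARP packet validity check objects (src-mac, dst-mac, ip).

Added illustration, not H3C/Comware code: the frame builder, the check
names and every sample frame below are constructed for this example.
"""
import struct
from ipaddress import IPv4Address

ARP_REQUEST, ARP_REPLY = 1, 2
MAC_ZERO = bytes(6)
MAC_BCAST = b"\xff" * 6
ALL_CHECKS = {"src-mac", "dst-mac", "ip"}


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp(eth_dst, eth_src, op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (dst, src, EtherType 0x0806) + ARP body for
    Ethernet/IPv4: htype 1, ptype 0x0800, hlen 6, plen 4, opcode, SHA/SPA/THA/TPA."""
    header = _mac(eth_dst) + _mac(eth_src) + b"\x08\x06"
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + _mac(sender_mac) + IPv4Address(sender_ip).packed
            + _mac(target_mac) + IPv4Address(target_ip).packed)
    return header + body


def parse_arp(frame: bytes) -> dict:
    """Extract the fields the three checks compare; reject non-ARP frames."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet/IPv4 ARP frame")
    return {
        "eth_dst": frame[0:6], "eth_src": frame[6:12],
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": frame[22:28], "sender_ip": IPv4Address(frame[28:32]),
        "target_mac": frame[32:38], "target_ip": IPv4Address(frame[38:42]),
    }


def _invalid_ip(addr: IPv4Address) -> bool:
    # The ip object treats all-one (255.255.255.255) and multicast addresses as invalid.
    return addr == IPv4Address("255.255.255.255") or addr.is_multicast


def validate(frame: bytes, checks=ALL_CHECKS, trusted: bool = False):
    """Return (accepted, reason).

    checks:  any subset of {"src-mac", "dst-mac", "ip"}, mirroring
             `arp detection validate { dst-mac | ip | src-mac } *`.
    trusted: frames received on a trusted interface are not checked at all.
    """
    if trusted:
        return True, "trusted interface: not checked"
    p = parse_arp(frame)
    if "src-mac" in checks and p["sender_mac"] != p["eth_src"]:
        return False, "src-mac: sender MAC in ARP body != Ethernet source MAC"
    if "dst-mac" in checks and p["op"] == ARP_REPLY:
        tha = p["target_mac"]
        if tha in (MAC_ZERO, MAC_BCAST) or tha != p["eth_dst"]:
            return False, "dst-mac: reply target MAC all-zero, all-one, or != Ethernet destination MAC"
    if "ip" in checks:
        # Replies: sender and target IP are checked; requests: sender IP only.
        addrs = [p["sender_ip"]] if p["op"] == ARP_REQUEST else [p["sender_ip"], p["target_ip"]]
        if any(_invalid_ip(a) for a in addrs):
            return False, "ip: all-one or multicast address in sender/target IP"
    return True, "passed"


# Constructed sample frames (hosts on 10.0.0.0/24; ATTACKER impersonates the gateway).
HOST, GATEWAY, ATTACKER = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:ee:ee:ee"
GOOD_REQUEST = build_arp("ff:ff:ff:ff:ff:ff", HOST, ARP_REQUEST,
                         HOST, "10.0.0.5", "00:00:00:00:00:00", "10.0.0.1")
GOOD_REPLY = build_arp(HOST, GATEWAY, ARP_REPLY, GATEWAY, "10.0.0.1", HOST, "10.0.0.5")
# Gateway MAC forged in the ARP body, but the frame leaves the attacker's own NIC.
SPOOFED_REPLY = build_arp(HOST, ATTACKER, ARP_REPLY, GATEWAY, "10.0.0.1", HOST, "10.0.0.5")
BCAST_TARGET_REPLY = build_arp(HOST, GATEWAY, ARP_REPLY,
                               GATEWAY, "10.0.0.1", "ff:ff:ff:ff:ff:ff", "10.0.0.5")
MCAST_SENDER_REQUEST = build_arp("ff:ff:ff:ff:ff:ff", HOST, ARP_REQUEST,
                                 HOST, "224.0.0.1", "00:00:00:00:00:00", "10.0.0.1")

if __name__ == "__main__":
    samples = [("good request", GOOD_REQUEST), ("good reply", GOOD_REPLY),
               ("spoofed reply", SPOOFED_REPLY), ("broadcast-target reply", BCAST_TARGET_REPLY),
               ("multicast-sender request", MCAST_SENDER_REQUEST)]
    for name, frame in samples:
        print(f"{name:25} {validate(frame)}")
    print("spoofed reply, trusted port ", validate(SPOOFED_REPLY, trusted=True))
    print("spoofed reply, ip check only", validate(SPOOFED_REPLY, {"ip"}))
```

Note what the model makes visible: the validity check only compares fields inside one packet for consistency. A spoofed reply whose Ethernet source MAC and ARP sender MAC both carry the attacker's real address, but whose sender IP is the gateway's, passes all three objects. Catching that mismatched IP-to-MAC binding is the job of the user validity check listed under Prerequisites, which is why packet validity check is layered on top of it rather than used alone.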
Prerequisites
Before you configure ARP packet validity check, you must first configure user validity check. For more information about user validity check configuration, see "Configuring user validity check."
Procedure
1. Enter system view.
   system-view
2. Enter VLAN view.
   vlan vlan-id
3. Enable ARP attack detection.
   arp detection enable
   By default, ARP attack detection is disabled.
4. Enable ARP packet validity check.
   a. Return to system view.
      quit
   b. Enable ARP packet validity check and specify the objects to be checked.
      arp detection validate { dst-mac | ip | src-mac } *
      By default, ARP packet validity check is disabled.
5. (Optional.) Configure an interface that does not require ARP packet validity check as a trusted interface. Typically this is only the uplink toward the gateway or DHCP server; access ports facing hosts should stay untrusted.
   a. Enter interface view.
      interface interface-type interface-number
      Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate interface.
   b. Configure the interface as a trusted interface excluded from ARP attack detection.
      arp detection trust
      By default, an interface is untrusted.