Configuring ARP packet validity check

About ARP packet validity check

ARP packet validity check does not check ARP packets received on ARP trusted interfaces. To check ARP packets received on untrusted interfaces, you can specify the following objects to be checked:

Prerequisites

Before you configure ARP packet validity check, you must first configure user validity check. For more information about user validity check configuration, see "Configuring user validity check."

Procedure

  1. Enter system view.

    system-view

  2. Enter VLAN view.

    vlan vlan-id

  3. Enable ARP attack detection.

    arp detection enable

    By default, ARP attack detection is disabled.

  4. Enable ARP packet validity check.

    1. Return to system view.

      quit

    2. Enable ARP packet validity check and specify the objects to be checked.

      arp detection validate { dst-mac | ip | src-mac } *

      By default, ARP packet validity check is disabled.

  5. (Optional.) Configure the interface that does not require ARP packet validity check as a trusted interface.

    1. Enter interface view.

      interface interface-type interface-number

      Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate interface.

    2. Configure the interface as a trusted interface excluded from ARP attack detection.

      arp detection trust

      By default, an interface is untrusted.
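
The following Python sketch is an added example, not code from this document or from the device software. It models what the three keywords of arp detection validate can test on a frame received on an untrusted interface. The per-keyword rules are assumptions, since this page names only the keywords: src-mac compares the ARP sender MAC with the Ethernet source MAC, dst-mac rejects ARP replies whose target MAC is all-zero, all-one, or different from the Ethernet destination MAC, and ip rejects all-one or multicast sender/target IP addresses. All frames are constructed samples.

```python
import ipaddress
import struct

ZERO_MAC, ONES_MAC = b"\x00" * 6, b"\xff" * 6
ALL_CHECKS = frozenset({"src-mac", "dst-mac", "ip"})

def bad_ip(raw):
    # Assumed rule: all-ones and multicast IPv4 addresses are invalid in ARP.
    addr = ipaddress.IPv4Address(raw)
    return int(addr) == 0xFFFFFFFF or addr.is_multicast

def validate_arp(frame, checks=ALL_CHECKS, trusted=False):
    """Return the set of failed checks for one Ethernet II ARP frame."""
    if trusted:  # frames received on trusted interfaces are not checked
        return set()
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    # Skip htype/ptype/hlen/plen, then opcode, sender MAC/IP, target MAC/IP.
    op, sha, spa, tha, tpa = struct.unpack("!6xH6s4s6s4s", frame[14:42])
    reply = op == 2
    failed = set()
    if "src-mac" in checks and sha != eth_src:
        failed.add("src-mac")
    if "dst-mac" in checks and reply and (tha in (ZERO_MAC, ONES_MAC) or tha != eth_dst):
        failed.add("dst-mac")
    if "ip" in checks and (bad_ip(spa) or (reply and bad_ip(tpa))):
        failed.add("ip")
    return failed

def build(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed test frame from readable MAC/IP strings."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: ipaddress.IPv4Address(s).packed
    hdr = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return mac(eth_dst) + mac(eth_src) + hdr + mac(sha) + ip(spa) + mac(tha) + ip(tpa)

# Constructed sample frames (locally administered MACs, documentation IPs).
A, B, C = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
GOOD_REPLY = build(A, B, 2, B, "192.0.2.2", A, "192.0.2.1")
FORGED_REPLY = build(A, C, 2, B, "192.0.2.2", "00:00:00:00:00:00", "224.0.0.1")
REQUEST = build("ff:ff:ff:ff:ff:ff", B, 1, B, "192.0.2.2", "00:00:00:00:00:00", "192.0.2.1")

if __name__ == "__main__":
    for name, f in [("good", GOOD_REPLY), ("forged", FORGED_REPLY), ("request", REQUEST)]:
        print(name, sorted(validate_arp(f)) or "pass")
```

Passing a subset such as checks={"src-mac"} shows why the keyword selection matters: the forged reply then fails only the one enabled check, and its bad target MAC and target IP go unexamined.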