R3303-HP HSR6800 Routers Security Configuration Guide

Configuring ARP active acknowledgement
Configure this feature on gateway devices to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
To configure ARP active acknowledgement:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the ARP active acknowledgement function. | arp anti-attack active-ack enable | Disabled by default. |
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or
dynamic client entries on the DHCP relay agent.
With authorized ARP enabled, an interface does not learn dynamic ARP entries. This prevents user
spoofing and allows only authorized clients to access network resources.
Follow these guidelines when you configure authorized ARP:
- This feature is only supported on Layer 3 Ethernet interfaces.
- With the arp authorized enable command executed, an interface of a DHCP server (or a DHCP
  relay agent) that does not support authorized ARP is disabled from dynamically learning ARP
  entries and cannot generate authorized ARP entries.
- Static ARP entries can overwrite authorized ARP entries, and authorized ARP entries can overwrite
  dynamic ARP entries. But authorized ARP entries cannot overwrite static ARP entries, and dynamic
  ARP entries cannot overwrite authorized ARP entries.
For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration
Guide.
To enable authorized ARP:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure the DHCP server (or DHCP relay agent) to support authorized ARP. | dhcp update arp | Not configured by default. |
| 4. Enable authorized ARP on the interface. | arp authorized enable | Disabled by default. |
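
The following audit script is an added example, not part of the HP guide. It checks a saved configuration for the two conditions described above: ARP active acknowledgement left at its disabled default, and arp authorized enable set on an interface that lacks dhcp update arp. The sample configuration, the interface names and the '#' stanza separator are assumptions made for the example.

```python
# Constructed sample in the style of a saved configuration. Interface names and
# the '#' stanza separator are assumptions; the audited commands are the guide's.
SAMPLE_CONFIG = """\
#
 arp anti-attack active-ack enable
#
interface GigabitEthernet1/0/1
 dhcp update arp
 arp authorized enable
#
interface GigabitEthernet1/0/2
 arp authorized enable
#
interface GigabitEthernet1/0/3
#
"""

def parse_stanzas(text):
    """Split a config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None                      # '#' closes the open stanza
        elif raw.startswith("interface "):      # unindented: a new stanza
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, interfaces

def audit(text):
    """Return sorted (scope, finding) tuples for the two checks."""
    global_cmds, interfaces = parse_stanzas(text)
    findings = []
    if "arp anti-attack active-ack enable" not in global_cmds:
        findings.append(("global", "active-ack disabled (the default)"))
    for name, cmds in interfaces.items():
        if "arp authorized enable" not in cmds:
            findings.append((name, "authorized ARP off; dynamic ARP learning allowed"))
        elif "dhcp update arp" not in cmds:
            findings.append((name, "authorized ARP on without dhcp update arp"))
    return sorted(findings)

if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

An interface reported as "authorized ARP off" is only a finding when it is a Layer 3 Ethernet interface facing DHCP clients; filter the output to those interfaces.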