R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

431

432

433

434

435

436

437

438

439

440

Ste

Command

Remarks

7. Configure the port as a trusted

port that is excluded from ARP

detection.

arp detection trust

Optional.

A port is an untrusted

port by default.

At least a user validity check rule, a static IP source guard binding entry, a DHCP snooping entry, or an

802.1X security entry must be available to perform user validity check. Otherwise, ARP packets received

from ARP untrusted ports are discarded.

You must specify a VLAN for an IP source guard binding entry. Otherwise, no ARP packets can match the

IP source guard binding entry.

Configuring ARP packet validity check

Perform this task to enable validity check for ARP packets received on untrusted ports and specify the

following objects to be checked:

• src-mac—Checks whether the sender MAC address in the message body is identical to the source

MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the

packet is discarded.

• dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero,

all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is

considered invalid and discarded.

• ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP

requests. All-one or multicast IP addresses are considered invalid and the corresponding packets

are discarded.

To configure ARP packet validity check:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter VLAN view.

vlan vlan-id N/A

3. Enable ARP detection.

arp detection enable Disabled by default.

4. Return to system view.

quit N/A

5. Enable ARP packet validity check

and specify the objects to be

checked.

arp detection validate { dst-mac | ip |

src-mac } *

Disabled by default.

6. Enter Ethernet interface view.

interface interface-type

interface-number

N/A

7. Configure the port as a trusted

port that is excluded from ARP

detection.

arp detection trust

Optional.

The port is an untrusted

port by default.

Configuring ARP restricted forwarding

ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted

interfaces and have passed user validity check as follows: