R3303-HP HSR6800 Routers Security Configuration Guide

NOTE:
This feature is supported only when SAP modules operate in bridge mode.
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet
against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is
discarded.
Follow these guidelines when you configure ARP filtering:
- You can configure up to eight permitted entries on an interface.
- The arp filter source and arp filter binding commands cannot both be configured on an interface.
- If ARP filtering works with ARP detection and ARP snooping, ARP filtering applies first.
To configure ARP filtering:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A
3. Enable ARP filtering and configure a permitted entry. | arp filter binding ip-address mac-address | This feature is disabled by default.
ARP filtering configuration example
Network requirements
As shown in Figure 144, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233,
respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234, respectively.
Configure ARP filtering on GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 of Router B to permit ARP
packets from only the two hosts.
Figure 144 Network diagram
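
The sender IP/MAC check and the eight-entry limit described in this section, modelled in Python as an added example (it is not part of the HP guide and is not device code). It uses Host A's addresses from the network requirements; the gateway address 10.1.1.1, the assumption that GigabitEthernet 3/0/1 faces Host A, and the handling of malformed payloads are assumptions of this model.

```python
import struct
from ipaddress import IPv4Address

MAX_ENTRIES = 8  # per-interface limit stated in the guidelines

def mac_bytes(text):
    """Parse a MAC written like 000f-e349-1233 into 6 raw bytes."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes.fromhex(digits)

def build_arp(oper, sha, spa, tha, tpa):
    """Build a constructed Ethernet/IPv4 ARP payload (28 bytes) for testing."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac_bytes(sha) + IPv4Address(spa).packed
            + mac_bytes(tha) + IPv4Address(tpa).packed)

class ArpFilter:
    """Model of the permitted (sender IP, sender MAC) entries on one interface."""
    def __init__(self):
        self.entries = set()

    def bind(self, ip, mac):
        entry = (IPv4Address(ip).packed, mac_bytes(mac))
        if entry not in self.entries and len(self.entries) >= MAX_ENTRIES:
            raise ValueError("interface already holds eight permitted entries")
        self.entries.add(entry)

    def permits(self, payload):
        """Return True to handle the ARP packet, False to discard it."""
        if len(payload) < 28:
            return False  # assumption: truncated payloads never match
        htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", payload[:8])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return False  # assumption: only Ethernet/IPv4 ARP is modelled
        sender_mac, sender_ip = payload[8:14], payload[14:18]
        return (sender_ip, sender_mac) in self.entries

def demo():
    port = ArpFilter()  # stands for GigabitEthernet 3/0/1 (assumed to face Host A)
    port.bind("10.1.1.2", "000f-e349-1233")
    gateway = "10.1.1.1"  # constructed gateway address, not from the guide
    packets = [
        build_arp(1, "000f-e349-1233", "10.1.1.2", "0000-0000-0000", gateway),  # Host A's own request
        build_arp(2, "000f-e349-1233", gateway, "000f-e349-1234", "10.1.1.3"),  # sender IP is the gateway's
        build_arp(2, "000f-e349-1234", "10.1.1.2", "000f-e349-1234", "10.1.1.3"),  # Host A's IP, wrong MAC
    ]
    return [port.permits(p) for p in packets]
```

Only the first packet matches the permitted entry; the other two correspond to the gateway spoofing and user spoofing cases and are discarded.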