R3303-HP 6600/HSR6600 Routers Security Configuration Guide
Figure 254 Network diagram
Configuration procedure
# Configure ARP gateway protection on Router B.
<RouterB> system-view
[RouterB] interface gigabitethernet 3/0/1
[RouterB-GigabitEthernet3/0/1] port link-mode bridge
[RouterB-GigabitEthernet3/0/1] arp filter source 10.1.1.1
[RouterB-GigabitEthernet3/0/1] quit
[RouterB] interface gigabitethernet 3/0/2
[RouterB-GigabitEthernet3/0/2] port link-mode bridge
[RouterB-GigabitEthernet3/0/2] arp filter source 10.1.1.1
After the configuration is complete, Router B discards the ARP packets whose source IP address is that of
the gateway.
Configuring ARP filtering
NOTE:
This feature is supported only when SAP modules operate in bridge mode.
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet
against the permitted entries. If a match is found, the packet is processed normally. If not, the packet is
discarded.
Follow these guidelines when you configure ARP filtering:
• You can configure up to eight permitted entries on an interface.
• The arp filter source and arp filter binding commands cannot both be configured on the same interface.
• If ARP filtering works with ARP detection and ARP snooping, ARP filtering applies first.
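The following Python model is an added example, not code from this guide or from the router software. It applies the two checks described above (gateway protection by sender IP, ARP filtering by permitted sender IP/MAC pairs) to constructed ARP payloads. The names Interface, permits and arp_payload are hypothetical, the MAC addresses are constructed sample values, and dropping malformed ARP payloads is an assumption.

```python
import struct
from ipaddress import IPv4Address

MAX_ENTRIES = 8  # permitted-entry limit per interface, from the guidelines above

class Interface:
    """Hypothetical model of one bridge-mode interface (not device code)."""
    def __init__(self, name):
        self.name = name
        self.gateways = set()   # models "arp filter source": sender IPs to discard
        self.bindings = set()   # models "arp filter binding": permitted (IP, MAC)

    def add_source(self, ip):
        if self.bindings:  # the two commands are mutually exclusive per interface
            raise ValueError("arp filter binding is already configured")
        self.gateways.add(IPv4Address(ip))

    def add_binding(self, ip, mac):
        if self.gateways:
            raise ValueError("arp filter source is already configured")
        if len(self.bindings) >= MAX_ENTRIES:
            raise ValueError("at most eight permitted entries per interface")
        self.bindings.add((IPv4Address(ip), bytes.fromhex(mac.replace("-", ""))))

    def permits(self, payload):
        """Return True if the ARP payload would be forwarded, False if discarded."""
        if len(payload) < 28:
            return False  # assumption: truncated ARP payloads are dropped
        htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", payload[:8])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            return False  # assumption: only Ethernet/IPv4 ARP is modelled
        sender_mac, sender_ip = payload[8:14], IPv4Address(payload[14:18])
        if self.bindings:  # ARP filtering: sender IP and MAC must match an entry
            return (sender_ip, sender_mac) in self.bindings
        return sender_ip not in self.gateways  # gateway protection

def arp_payload(sender_ip, sender_mac, op=2):
    """Build a constructed 28-byte ARP payload with zeroed target fields."""
    mac = bytes.fromhex(sender_mac.replace("-", ""))
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac
            + IPv4Address(sender_ip).packed + bytes(6) + bytes(4))

if __name__ == "__main__":
    port = Interface("GigabitEthernet3/0/1")
    port.add_source("10.1.1.1")  # gateway address from the example above
    for ip in ("10.1.1.1", "10.1.1.5"):
        verdict = "forward" if port.permits(arp_payload(ip, "0000-0000-00aa")) else "discard"
        print(f"{port.name}: ARP with sender IP {ip} -> {verdict}")
```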
To configure ARP filtering:










