HP MSR2000/3000/4000 Router Series Security Configuration Guide
If both ARP packet validity check and user validity check are enabled, ARP packet validity check applies
first, and then user validity check applies.
Configuring user validity check
Upon receiving an ARP packet from an ARP untrusted interface, the device compares the sender IP and
MAC addresses against the static IP source guard binding entries, the DHCP snooping entries, and
802.1X security entries. If a match is found from those entries, the ARP packet is considered valid and is
forwarded. If no match is found, the ARP packet is considered invalid and is discarded.
Static IP source guard binding entries are created by using the ip source binding command. For more
information, see "Configuring IP source guard."
DHCP snooping entries are automatically generated by DHCP snooping. For more information, see
Layer 3—IP Services Configuration Guide.
802.1X security entries are generated by 802.1X. After a client passes 802.1X authentication and
uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X
security entry. The 802.1X client must be enabled to upload its IP address to the device. For more
information, see "Configuring 802.1X."
Configuration guidelines
• Make sure at least one of static IP source guard binding entries, DHCP snooping entries, and
802.1X security entries is available for user validity check. Otherwise, ARP packets received from
ARP untrusted ports are discarded.
• You must specify a VLAN for an IP source guard binding entry. Otherwise, no ARP packets can
match the IP source guard binding entry.
Configuration procedure
To configure user validity check:
Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enter VLAN view. | vlan vlan-id | N/A
3. Enable ARP detection. | arp detection enable | By default, ARP detection is disabled.
4. Return to system view. | quit | N/A
5. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A
6. (Optional.) Configure the interface as a trusted interface excluded from ARP detection. | arp detection trust | By default, an interface is untrusted.
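The forward/discard decision described in this section, modeled in Python as an added example (not HP code and not part of the original guide). The Binding class, the function names and all sample addresses are constructed for illustration, and the model assumes a static binding matches only in the VLAN it names.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Binding:
    source: str                  # "static", "dhcp-snooping" or "802.1x"
    ip: str
    mac: str
    vlan: Optional[int] = None   # None on a static entry = created without a VLAN

def user_validity_check(sender_ip, sender_mac, vlan, trusted, bindings):
    """Model of the forward/discard decision for one received ARP packet."""
    if trusted:
        return "forward", "trusted interface, excluded from ARP detection"
    for b in bindings:
        if b.source == "static" and b.vlan != vlan:
            continue  # covers vlan=None: a static entry without a VLAN never matches
        if b.ip == sender_ip and b.mac.lower() == sender_mac.lower():
            return "forward", f"matched {b.source} entry"
    return "discard", "no matching entry"

# Constructed sample entries (documentation address ranges, not from the guide).
BINDINGS = [
    Binding("dhcp-snooping", "192.0.2.10", "00:00:5e:00:53:0a", 10),
    Binding("static", "192.0.2.20", "00:00:5e:00:53:14", 10),
    Binding("static", "192.0.2.30", "00:00:5e:00:53:1e"),   # no VLAN specified
]

# Constructed ARP packets: (sender IP, sender MAC, VLAN, interface trusted?)
PACKETS = [
    ("192.0.2.10", "00:00:5E:00:53:0A", 10, False),  # legitimate DHCP client
    ("192.0.2.10", "00:00:5e:00:53:ff", 10, False),  # right IP, wrong MAC
    ("192.0.2.20", "00:00:5e:00:53:14", 10, False),  # static entry with VLAN
    ("192.0.2.30", "00:00:5e:00:53:1e", 10, False),  # static entry without VLAN
    ("192.0.2.99", "00:00:5e:00:53:63", 10, True),   # arrives on trusted interface
]

def run(packets=PACKETS, bindings=BINDINGS):
    """Return the verdict for each packet, in order."""
    return [user_validity_check(*p, bindings)[0] for p in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, run()):
        print(pkt, "->", verdict)
    # With no entries at all, every packet from an untrusted interface is discarded.
    print("empty table:", run(PACKETS[:4], []))
```

The fourth packet and the empty-table run correspond to the two configuration guidelines: both are outages caused by configuration, not by spoofed traffic.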
Configuring ARP packet validity check
Enable validity check for ARP packets received on untrusted ports and specify the following objects to be
checked:










