HP MSR2000/3000/4000 Router Series Security Configuration Guide

Figure 83 Network diagram
Configuration procedure
# Configure ARP gateway protection on Switch B.
<SwitchB> system-view
[SwitchB] interface ethernet 1/1
[SwitchB-Ethernet1/1] arp filter source 10.1.1.1
[SwitchB-Ethernet1/1] quit
[SwitchB] interface ethernet 1/2
[SwitchB-Ethernet1/2] arp filter source 10.1.1.1
After the configuration is complete, Ethernet 1/1 and Ethernet 1/2 discard incoming ARP packets
whose sender IP address is the IP address of the gateway.
Configuring ARP filtering
NOTE:
This feature is not supported in the current release, and it is reserved for future use.
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface with this feature enabled checks the sender IP and MAC addresses in a received ARP packet
against permitted entries. If a match is found, the packet is processed normally. If no match is found,
the packet is discarded.
Configuration guidelines
Follow these guidelines when you configure ARP filtering:
• You can configure a maximum of eight permitted entries on an interface.
• Do not configure both the arp filter source and arp filter binding commands on an interface.
• If ARP filtering works with ARP detection, ARP snooping, and ARP fast-reply, ARP filtering applies first.
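The two checks described above (gateway protection by sender IP, and ARP filtering by permitted sender IP/MAC entries) can be modeled over raw ARP payloads. This is an added Python example, not HP code or device behavior taken from the guide: the class and function names are hypothetical, the MAC addresses are constructed, and dropping malformed ARP is an assumption.

```python
import socket
import struct

MAX_BINDINGS = 8  # per-interface limit on permitted entries, from the guidelines

def build_arp(sender_mac, sender_ip, target_ip, op=2):
    """Build a constructed 28-byte Ethernet/IPv4 ARP payload (op 2 = reply)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + bytes.fromhex(sender_mac.replace(":", ""))
            + socket.inet_aton(sender_ip)
            + b"\x00" * 6 + socket.inet_aton(target_ip))

def parse_sender(payload):
    """Return (sender_ip, sender_mac), or None if not a well-formed IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return socket.inet_ntoa(payload[14:18]), payload[8:14].hex(":")

class InterfaceArpPolicy:
    """Hypothetical model of the ARP checks configured on one interface."""
    def __init__(self, source=None, bindings=()):
        if source and bindings:
            raise ValueError("source and binding filters cannot share an interface")
        if len(bindings) > MAX_BINDINGS:
            raise ValueError("at most eight permitted entries per interface")
        self.source = source
        self.bindings = {(ip, mac.lower()) for ip, mac in bindings}

    def accept(self, payload):
        sender = parse_sender(payload)
        if sender is None:
            return False  # assumption: malformed ARP is dropped
        if self.source is not None:
            return sender[0] != self.source  # gateway protection: sender IP only
        if self.bindings:
            return sender in self.bindings  # ARP filtering: IP and MAC must match
        return True  # no filter configured on this interface

# Constructed sample traffic; the MAC addresses are made up for the example.
GATEWAY_MAC = "00:11:22:33:44:55"
spoofed = build_arp("66:77:88:99:aa:bb", "10.1.1.1", "10.1.1.2")
genuine = build_arp(GATEWAY_MAC, "10.1.1.1", "10.1.1.2")
host = build_arp("66:77:88:99:aa:bb", "10.1.1.2", "10.1.1.1", op=1)
```

The source filter drops every packet claiming the gateway IP on that port, including one carrying the real gateway MAC, so it belongs only on ports where the gateway is never attached; the binding filter also catches a host that keeps its own MAC but claims another permitted IP.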