R0106-HP MSR Router Series Security Configuration Guide(V7)
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet
header is different from the sender MAC address in the message body. This feature allows the gateway
to learn correct ARP entries.
To enable ARP packet source MAC address consistency check:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable ARP packet source MAC address consistency check. | arp valid-check enable | By default, ARP packet source MAC address consistency check is disabled. |
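The comparison this check performs, as an added example (not HP's code and not part of the original guide): a Python function that parses an untagged Ethernet frame and compares the source MAC address in the Ethernet header with the sender MAC address in the ARP body. The frames, addresses and function names are constructed for illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def arp_source_mac_consistent(frame: bytes):
    """Return (ok, reason) for one untagged Ethernet frame carrying ARP."""
    if len(frame) < 14 + 28:          # 14-byte Ethernet header + 28-byte ARP body
        return False, "frame too short for Ethernet + ARP"
    eth_src = frame[6:12]             # source MAC in the Ethernet header
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        return False, "not an ARP frame"
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return False, "not Ethernet/IPv4 ARP"
    sender_mac = frame[22:28]         # sender MAC in the ARP message body
    if sender_mac != eth_src:
        return False, f"mismatch: header {mac_str(eth_src)} vs sender {mac_str(sender_mac)}"
    return True, "consistent"

def build_arp(eth_src, sender_mac, sender_ip, target_ip, oper=1):
    """Build a constructed ARP frame for the demo (broadcast destination)."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += sender_mac + sender_ip + b"\x00" * 6 + target_ip
    return eth + arp

# Constructed sample data: locally administered MACs and documentation-range IPs.
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
GW_IP = bytes([192, 0, 2, 1])
A_IP = bytes([192, 0, 2, 10])

GOOD = build_arp(HOST_A, HOST_A, A_IP, GW_IP)   # header and body agree
BAD = build_arp(HOST_B, HOST_A, A_IP, GW_IP)    # body claims a different MAC

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("bad", BAD)):
        print(name, arp_source_mac_consistent(frame))
```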
Configuring ARP active acknowledgement
Configure this feature on gateways to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries. For more
information about its working mechanism, see ARP Attack Protection Technology White Paper.
In strict mode, a gateway can learn an entry only when ARP active acknowledgement is based on the
correct ARP resolution.
To configure ARP active acknowledgement:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable the ARP active acknowledgement function. | arp active-ack [ strict ] enable | By default, ARP active acknowledgement function is disabled. |
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or
dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP
relay agent, see Layer 3—IP Services Configuration Guide.
With authorized ARP enabled, an interface cannot learn dynamic ARP entries. This prevents user
spoofing and allows only authorized clients to access network resources.
Configuration procedure
To enable authorized ARP:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |