R0106-HP MSR Router Series Security Configuration Guide(V7)

ManualsBrandsHP ManualsNetwork HardwareHP MSR4060 Router Chassis

421

422

423

424

425

426

427

428

429

430

411

Configuring user validity check

Upon receiving an ARP packet from an ARP untrusted interface, the device matches the sender IP and

MAC addresses against the following entries:

• Static IP source guard binding entries.

• DHCP snooping entries.

If a match is found, the ARP packet is considered valid and is forwarded. If no match is found, the ARP

packet is considered invalid and is discarded.

Static IP source guard binding entries are created by using the ip source binding command. For more

information, see "Configuring IP source guard."

DHCP snooping entries are automatically generated by DHCP snooping. For more information, see

Layer 3—IP Services Configuration Guide.

Configuration guidelines

When you configure user validity check, follow these guidelines:

• Make sure at least one of static IP source guard binding entries and DHCP snooping entries is

available for user validity check. Otherwise, ARP packets received from ARP untrusted ports are

discarded.

• You must specify a VLAN for an IP source guard binding entry. Otherwise, no ARP packets can

match the IP source guard binding entry.

Configuration procedure

To configure user validity check:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enter VLAN view.

vlan vlan-id N/A

3. Enable ARP detection.

arp detection enable By default, ARP detection is disabled.

4. Return to system view.

quit N/A

5. Enter Layer 2 Ethernet interface

view.

interface interface-type

interface-number

N/A

6. (Optional.) Configure the

interface as a trusted interface

excluded from ARP detection.

arp detection trust By default, an interface is untrusted.

Configuring ARP packet validity check

Enable validity check for ARP packets received on untrusted ports and specify the following objects to be

checked:

• src-mac—Checks whether the sender MAC address in the message body is identical to the source

MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the

packet is discarded.

• dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero,

all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is

considered invalid and discarded.