R0106-HP MSR Router Series Security Configuration Guide(V7)

Step | Command | Remarks
3. Enable ARP gateway protection for the specified gateway. | arp filter source ip-address | By default, ARP gateway protection is disabled.
Configuration example
Network requirements
As shown in Figure 126, Host B launches gateway spoofing attacks against Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B instead.
Configure Switch B to block such attacks.
Figure 126 Network diagram
Configuration procedure
# Configure ARP gateway protection on Switch B.
<SwitchB> system-view
[SwitchB] interface gigabitethernet 2/1/1
[SwitchB-GigabitEthernet2/1/1] arp filter source 10.1.1.1
[SwitchB-GigabitEthernet2/1/1] quit
[SwitchB] interface gigabitethernet 2/1/2
[SwitchB-GigabitEthernet2/1/2] arp filter source 10.1.1.1
Verifying the configuration
# Verify that GigabitEthernet 2/1/1 and GigabitEthernet 2/1/2 discard the incoming ARP packets
whose sender IP address is the IP address of the gateway.
Configuring ARP filtering
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface with this feature enabled checks the sender IP and MAC addresses in each received ARP packet against the permitted entries. If a match is found, the packet is handled correctly. If no match is found, the packet is discarded.
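The two checks described in this section, ARP gateway protection (`arp filter source`) and ARP filtering against permitted entries, modelled in Python as an added example. This is not HP's implementation or code from the guide. The function names are hypothetical, all addresses except the gateway IP 10.1.1.1 are constructed, and untagged Ethernet II frames are assumed.

```python
import ipaddress
import struct

def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac) for an untagged IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return str(ipaddress.IPv4Address(frame[28:32])), frame[22:28].hex(":")

def gateway_protection(frame: bytes, protected_gateways: set) -> str:
    """Model of 'arp filter source': discard ARP whose sender IP is a protected gateway IP."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "not-arp"
    return "discard" if parsed[0] in protected_gateways else "forward"

def arp_filtering(frame: bytes, permitted: set) -> str:
    """Model of ARP filtering: forward only when (sender IP, sender MAC) is a permitted entry."""
    parsed = parse_arp(frame)
    if parsed is None:
        return "not-arp"
    return "forward" if parsed in permitted else "discard"

def sample_frame(sender_mac: str, sender_ip: str, target_ip: str, op: int = 1) -> bytes:
    """Constructed test input: a 42-byte broadcast ARP frame (op 1 = request, 2 = reply)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac
    arp += ipaddress.IPv4Address(sender_ip).packed + bytes(6)
    arp += ipaddress.IPv4Address(target_ip).packed
    return b"\xff" * 6 + smac + b"\x08\x06" + arp

# Constructed addresses, except 10.1.1.1, the gateway IP used in the guide's example.
HOST_B = ("10.1.1.1", "00:00:5e:00:53:0b")   # claims the gateway's IP
HOST_C = ("10.1.1.20", "00:00:5e:00:53:14")  # ordinary host

if __name__ == "__main__":
    spoofed = sample_frame(HOST_B[1], HOST_B[0], "10.1.1.20", op=2)
    normal = sample_frame(HOST_C[1], HOST_C[0], "10.1.1.1")
    print(gateway_protection(spoofed, {"10.1.1.1"}))
    print(gateway_protection(normal, {"10.1.1.1"}))
    print(arp_filtering(normal, {HOST_C}))
    print(arp_filtering(spoofed, {HOST_C}))
```

Because the gateway protection check in this model keys on the sender IP alone, it would also discard the genuine gateway's ARP packets if the same rule were applied to the interface facing the gateway.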