03-ARP Configuration
ARP Address Resolution Process
Configuring a Static ARP Entry
Configuring the Maximum Number of ARP Entries for an Interface
Setting the Aging Time for Dynamic ARP Entries
Introduction to Gratuitous ARP
Displaying and Maintaining ARP
2 ARP Attack Defense Configuration
ARP Attack Defense Configuration Task List
Configuring ARP Source Suppression
Introduction to ARP Source Suppression
Configuring ARP Source Suppression
Displaying and Maintaining ARP Source Suppression
Configuring ARP Active Acknowledgement
Introduction to ARP Active Acknowledgement
Configuring ARP Active Acknowledgement
Configuring Source MAC Address Based ARP Attack Detection
Introduction to Source MAC Address Based ARP Attack Detection
Configuring Source MAC Address Based ARP Attack Detection
Displaying and Maintaining Source MAC Address Based ARP Attack Detection
Configuring ARP Packet Source MAC Address Consistency Check
Introduction to ARP Packet Source MAC Address Consistency Check
Configuring ARP Packet Source MAC Address Consistency Check
Configuring ARP Packet Rate Limit
Introduction to ARP Packet Rate Limit
Configuring the ARP Packet Rate Limit Function
Enabling ARP Detection Based on DHCP Snooping Entries/Static IP-to-MAC Bindings
Configuring ARP Detection Based on Specified Objects
Displaying and Maintaining ARP Detection
ARP Detection Configuration Example
When configuring ARP, go to these sections for information you are interested in:
- Displaying and Maintaining ARP
The Address Resolution Protocol (ARP) is used to resolve an IP address into an Ethernet MAC address (or physical address).
In a LAN, when a device is to send data to another device, the sending device must know the network layer address (that is, the IP address) of the destination device. Because IP datagrams must be encapsulated within Ethernet frames before they can be transmitted over physical networks, the sending device also needs to know the physical address of the destination device. Therefore, a mapping between the IP address and the physical address is needed. ARP is the protocol to implement the mapping function.
ARP messages are classified into ARP requests and ARP replies. Figure 1-1 shows the format of the ARP request/reply.
The following explains the fields in Figure 1-1.
- Hardware type: This field specifies the hardware address type. The value "1" represents Ethernet.
- Protocol type: This field specifies the type of the protocol address to be mapped. The hexadecimal value "0x0800" represents IP.
- Hardware address length and protocol address length: They respectively specify the length of a hardware address and a protocol address, in bytes. For an Ethernet address, the value of the hardware address length field is "6". For an IP(v4) address, the value of the protocol address length field is "4".
- OP: Operation code. This field specifies the type of the ARP message. The value "1" represents an ARP request and "2" represents an ARP reply.
- Sender hardware address: This field specifies the hardware address of the device sending the message.
- Sender protocol address: This field specifies the protocol address of the device sending the message.
- Target hardware address: This field specifies the hardware address of the device the message is being sent to.
- Target protocol address: This field specifies the protocol address of the device the message is being sent to.
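The field list above maps directly onto a 28-byte wire layout. The following Python module is an added example written for this page (it is not code from the manual or from the switch vendor) that packs and parses Ethernet/IPv4 ARP messages using exactly those fields, rejects messages whose type or length fields do not match, and builds the request (all-zero target MAC) and reply used in the resolution steps that follow. The `is_gratuitous` check anticipates the gratuitous ARP definition later in the chapter. All addresses in it are constructed sample values.

```python
import struct
from dataclasses import dataclass

# Field values from the ARP request/reply format described above.
HW_TYPE_ETHERNET = 1        # Hardware type: 1 = Ethernet
PROTO_TYPE_IPV4 = 0x0800    # Protocol type: 0x0800 = IP
HW_ADDR_LEN = 6             # Hardware address length in bytes (Ethernet MAC)
PROTO_ADDR_LEN = 4          # Protocol address length in bytes (IPv4)
OP_REQUEST = 1              # OP: 1 = ARP request
OP_REPLY = 2                # OP: 2 = ARP reply

# Wire layout, network byte order: htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
ARP_STRUCT = struct.Struct("!HHBBH6s4s6s4s")   # 28 bytes

ZERO_MAC = "00:00:00:00:00:00"        # target MAC carried in an ARP request
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    """Accept both 00:11:22:33:44:55 and 0011-2233-4455 notations."""
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str

    def pack(self) -> bytes:
        """Serialize the message exactly as it appears on the wire."""
        return ARP_STRUCT.pack(
            HW_TYPE_ETHERNET, PROTO_TYPE_IPV4, HW_ADDR_LEN, PROTO_ADDR_LEN, self.op,
            mac_to_bytes(self.sender_mac), ip_to_bytes(self.sender_ip),
            mac_to_bytes(self.target_mac), ip_to_bytes(self.target_ip),
        )

    @classmethod
    def unpack(cls, raw: bytes) -> "ArpPacket":
        """Parse a message, rejecting anything that is not Ethernet/IPv4 ARP."""
        if len(raw) < ARP_STRUCT.size:
            raise ValueError("truncated ARP message")
        htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_STRUCT.unpack_from(raw)
        if (htype, ptype, hlen, plen) != (HW_TYPE_ETHERNET, PROTO_TYPE_IPV4, HW_ADDR_LEN, PROTO_ADDR_LEN):
            raise ValueError("not an Ethernet/IPv4 ARP message")
        if op not in (OP_REQUEST, OP_REPLY):
            raise ValueError(f"unknown ARP operation {op}")
        return cls(op, bytes_to_mac(sha), bytes_to_ip(spa), bytes_to_mac(tha), bytes_to_ip(tpa))

    def is_gratuitous(self) -> bool:
        """Gratuitous ARP: sender and target IP are both the issuing device's own address."""
        return self.sender_ip == self.target_ip


def build_request(sender_mac: str, sender_ip: str, target_ip: str) -> ArpPacket:
    """Step 2 of the resolution process: the target MAC is all-zero because it is unknown."""
    return ArpPacket(OP_REQUEST, sender_mac, sender_ip, ZERO_MAC, target_ip)


def build_reply(request: ArpPacket, my_mac: str) -> ArpPacket:
    """Step 3: the requested host answers with its own MAC, addressed back to the requester."""
    return ArpPacket(OP_REPLY, my_mac, request.target_ip, request.sender_mac, request.sender_ip)
```

The strict type and length checks in `unpack` are what a receiver should do before trusting any of the address fields; the manual's detection features later in the chapter then decide whether a well-formed message is also a truthful one.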
Suppose that Host A and Host B are on the same subnet and Host A sends a packet to Host B, as shown in Figure 1-2. The resolution process is as follows:
1) Host A looks into its ARP table to see whether there is an ARP entry for Host B. If yes, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2) If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request, in which the sender IP address and the sender MAC address are the IP address and the MAC address of Host A respectively, and the target IP address and the target MAC address are the IP address of Host B and an all-zero MAC address respectively. Because the ARP request is a broadcast, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will respond to the request.
3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address in its ARP table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
4) After receiving the ARP reply, Host A adds the MAC address of Host B to its ARP table. Meanwhile, Host A encapsulates the IP packet and sends it out.
Figure 1-2 ARP address resolution process
If Host A is not on the same subnet with Host B, Host A first sends an ARP request to the gateway. The target IP address in the ARP request is the IP address of the gateway. After obtaining the MAC address of the gateway from an ARP reply, Host A sends the packet to the gateway. If the gateway maintains the ARP entry of Host B, it forwards the packet to Host B directly; if not, it broadcasts an ARP request, in which the target IP address is the IP address of Host B. After obtaining the MAC address of Host B, the gateway sends the packet to Host B.
After obtaining the MAC address for the destination host, the device puts the IP-to-MAC mapping into its own ARP table. This mapping is used for forwarding packets with the same destination in future.
An ARP table contains ARP entries, which fall into one of two categories: dynamic or static.
A dynamic entry is automatically created and maintained by ARP. It can get aged, be updated by a new ARP packet, or be overwritten by a static ARP entry. When the aging timer expires or the interface goes down, the corresponding dynamic ARP entry will be removed.
A static ARP entry is manually configured and maintained. It cannot get aged or be overwritten by a dynamic ARP entry.
Using static ARP entries enhances communication security. After a static ARP entry is specified, only a specific MAC address is associated with the specified IP address. Attack packets cannot modify the IP-to-MAC mapping. Thus, communications between devices are protected.
Static ARP entries can be classified into long or short.
- A long static ARP entry can be directly used to forward packets. When configuring a long static ARP entry, you must configure a VLAN and an outbound interface for the entry besides the IP address and the MAC address.
- A short static ARP entry has only an IP address and a MAC address configured and cannot be directly used for forwarding data. If a short static ARP entry matches an IP packet to be forwarded, the device sends an ARP request first. If the sender IP and MAC addresses in the received ARP reply are the same as those in the short static ARP entry, the device adds the interface receiving the ARP reply to the short static ARP entry. Then the entry can be used for forwarding IP packets.
- Usually ARP dynamically resolves IP addresses to MAC addresses, without manual intervention.
- To allow communication with a device using a fixed IP-to-MAC mapping, configure a short static ARP entry for it. To allow communication with a device through a specific interface in a specific VLAN and using a fixed IP-to-MAC mapping, configure a long static ARP entry for it.
A static ARP entry is effective when the device works normally. However, when a VLAN or VLAN interface to which a static ARP entry corresponds is deleted, the entry, if long, will be deleted, and if short and resolved, will become unresolved.
Follow these steps to configure a static ARP entry:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Configure a long static ARP entry | arp static ip-address mac-address vlan-id interface-type interface-number | Required. No long static ARP entry is configured by default.
Configure a short static ARP entry | arp static ip-address mac-address | Required. No short static ARP entry is configured by default.
- The vlan-id argument must be the ID of an existing VLAN which corresponds to the ARP entries. In addition, the Ethernet interface following the argument must belong to that VLAN. A VLAN interface must be created for the VLAN.
- The IP address of the VLAN interface corresponding to the vlan-id argument must belong to the same network segment as the IP address specified by the ip-address argument.
Follow these steps to set the maximum number of dynamic ARP entries that an interface can learn:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet interface view | interface interface-type interface-number | —
Set the maximum number of dynamic ARP entries that an interface can learn | arp max-learning-num number | Optional. 1024 by default.
To keep pace with the network changes, the ARP table is refreshed. Each dynamic ARP entry in the ARP table has a limited lifetime rather than is always valid. Dynamic ARP entries that are not refreshed before expiration are deleted from the ARP table. The lifetime is called the aging time. The aging time is reset each time the dynamic ARP entry is refreshed within the lifetime. You can adjust the aging time for dynamic ARP entries according to the actual network condition.
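The entry categories described earlier (dynamic entries that age, are refreshed, or are overwritten by static entries; static entries that never age and are never overwritten dynamically) and the aging behaviour in the paragraph above can be seen together in a small model. The following Python class is an added example for this page, not code from the manual or the vendor; the 20-minute default comes from the table below, the `FakeClock` is a test device so the timing is deterministic, and the addresses used are constructed.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DEFAULT_AGING_SECONDS = 20 * 60   # dynamic entries age out after 20 minutes by default


@dataclass
class ArpEntry:
    mac: str
    interface: str
    static: bool
    expires_at: Optional[float]   # None for static entries: they never age


class ArpTable:
    """Dynamic and static ARP entries with the precedence and aging rules described above."""

    def __init__(self, aging_seconds: float = DEFAULT_AGING_SECONDS,
                 clock: Callable[[], float] = time.monotonic):
        self.aging_seconds = aging_seconds
        self.clock = clock            # injectable so the behaviour can be tested deterministically
        self.entries: Dict[str, ArpEntry] = {}

    def learn(self, ip: str, mac: str, interface: str) -> bool:
        """Create or refresh a dynamic entry from a received ARP packet.

        Returns False if a static entry already exists: dynamic learning never overwrites it.
        Refreshing an existing dynamic entry resets its aging timer."""
        current = self.entries.get(ip)
        if current is not None and current.static:
            return False
        self.entries[ip] = ArpEntry(mac, interface, False, self.clock() + self.aging_seconds)
        return True

    def add_static(self, ip: str, mac: str, interface: str) -> None:
        """A static entry overwrites any dynamic entry for the IP and never ages."""
        self.entries[ip] = ArpEntry(mac, interface, True, None)

    def age_out(self) -> List[str]:
        """Remove dynamic entries whose aging timer has expired; return the IPs removed."""
        now = self.clock()
        expired = [ip for ip, e in self.entries.items() if not e.static and e.expires_at <= now]
        for ip in expired:
            del self.entries[ip]
        return expired

    def interface_down(self, interface: str) -> List[str]:
        """An interface going down removes the dynamic entries learned on it."""
        gone = [ip for ip, e in self.entries.items() if not e.static and e.interface == interface]
        for ip in gone:
            del self.entries[ip]
        return gone

    def lookup(self, ip: str) -> Optional[str]:
        """Return the MAC for an IP, or None if resolution (an ARP request) is needed."""
        self.age_out()
        entry = self.entries.get(ip)
        return entry.mac if entry else None


class FakeClock:
    """Manually advanced clock used in place of time.monotonic for the demonstration."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

The security-relevant property is the `learn` return value: once an operator pins a gateway with `add_static`, no ARP packet, forged or not, can move that IP to another MAC, which is the protection the static-entry section describes.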
Follow these steps to set the aging time for dynamic ARP entries:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Set the aging time for dynamic ARP entries | arp timer aging aging-time | Optional. 20 minutes by default.
The ARP entry check function disables the device from learning multicast MAC addresses. With the ARP entry check enabled, the device cannot learn any ARP entry with a multicast MAC address, and configuring such a static ARP entry is not allowed; otherwise, the system displays error messages.
After the ARP entry check is disabled, the device can learn the ARP entry with a multicast MAC address, and you can also configure such a static ARP entry on the device.
Follow these steps to enable the ARP entry check:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the ARP entry check | arp check enable | Optional. By default, the device is disabled from learning multicast MAC addresses.
As shown in Figure 1-3, hosts are connected to Switch, which is connected to Router through interface GigabitEthernet 1/0/1 belonging to VLAN 10. The IP address of Router is 192.168.1.1/24. The MAC address of Router is 00e0-fc01-0000.
To enhance communication security for Router and Switch, static ARP entries are configured on Switch.
Figure 1-3 Network diagram for configuring static ARP entries
Configure Switch
# Create VLAN 10.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
# Add interface GigabitEthernet1/0/1 to VLAN 10.
[Switch] interface GigabitEthernet 1/0/1
[Switch-GigabitEthernet1/0/1] port access vlan 10
[Switch-GigabitEthernet1/0/1] quit
# Create interface VLAN-interface 10 and configure its IP address.
[Switch] interface vlan-interface 10
[Switch-vlan-interface10] ip address 192.168.1.2 24
[Switch-vlan-interface10] quit
# Configure a static ARP entry with IP address 192.168.1.1 and MAC address 00e0-fc01-0000. The outgoing interface corresponding to the static ARP entry is GigabitEthernet1/0/1 belonging to VLAN 10.
[Switch] arp static 192.168.1.1 00e0-fc01-0000 10 GigabitEthernet1/0/1
# View information about static ARP entries.
[Switch] display arp static
Type: S-Static D-Dynamic
IP Address MAC Address VLAN ID Interface Aging Type
192.168.1.1 00e0-fc01-0000 10 GE1/0/1 N/A S
A gratuitous ARP packet is a special ARP packet, in which the sender IP address and the target IP address are both the IP address of the device issuing the packet, the sender MAC address is the MAC address of the device, and the target MAC address is the broadcast address ff:ff:ff:ff:ff:ff.
A device implements the following functions by sending gratuitous ARP packets:
- Determining whether its IP address is already used by another device.
- Informing other devices about the change in its MAC address so that they can update their ARP entries.
A device receiving a gratuitous ARP packet adds the information carried in the packet to its own dynamic ARP table if it finds no corresponding ARP entry for the ARP packet in the cache.
Follow these steps to configure gratuitous ARP:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the device to send gratuitous ARP packets when receiving ARP requests from another network segment | gratuitous-arp-sending enable | Required. By default, a device cannot send gratuitous ARP packets when receiving ARP requests from another network segment.
Enable the gratuitous ARP packet learning function | gratuitous-arp-learning enable | Optional. Enabled by default.
To do… | Use the command… | Remarks
Display ARP entries in the ARP table | display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ [ | { begin | exclude | include } regular-expression ] | count ] | Available in any view
Display the ARP entry for a specified IP address | display arp ip-address [ | { begin | exclude | include } regular-expression ] | Available in any view
Display the aging time for dynamic ARP entries | display arp timer aging | Available in any view
Clear ARP entries from the ARP table | reset arp { all | dynamic | static | interface interface-type interface-number } | Available in user view
Clearing ARP entries from the ARP table will cancel IP-to-MAC mappings. This may cause communication failures.
When configuring ARP attack defense, go to these sections for information you are interested in:
- Configuring ARP Source Suppression
- Configuring ARP Active Acknowledgement
- Configuring Source MAC Address Based ARP Attack Detection
- Configuring ARP Packet Source MAC Address Consistency Check
- Configuring ARP Packet Rate Limit
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. An attacker can send:
- ARP packets by acting as a trusted user or gateway. As a result, the receiving device obtains incorrect ARP entries, and thus a communication failure occurs.
- A large number of IP packets with unreachable destinations. As a result, the receiving device continuously resolves destination IP addresses and thus its CPU is overloaded.
- A large number of ARP packets to bring a great impact to the CPU.
For details about ARP attack features and types, refer to ARP Attack Protection Technology White Paper.
Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.
Complete the following tasks to configure ARP attack defense:
Task | Remarks
Configuring ARP Source Suppression | Optional. Configure this function on gateways (recommended).
Configuring ARP Active Acknowledgement | Optional. Configure this function on gateways (recommended).
Configuring Source MAC Address Based ARP Attack Detection | Optional. Configure this function on gateways (recommended).
Configuring ARP Packet Source MAC Address Consistency Check | Optional. Configure this function on gateways (recommended).
Configuring ARP Packet Rate Limit | Optional. Configure this function on gateways (recommended).
Configuring ARP Detection | Optional. Configure this function on access devices (recommended).
If a device receives large numbers of IP packets from a host to unreachable destinations,
- The device sends large numbers of ARP requests to the destination subnets, which increases the load of the destination subnets.
- The device continuously resolves destination IP addresses, which increases the load of the CPU.
To protect the device from such attacks, you can enable the ARP source suppression function. With the function enabled, whenever the number of ARP requests triggered by the packets with unresolvable destination IP addresses from a host within five seconds exceeds a specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.
Follow these steps to configure ARP source suppression:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable ARP source suppression | arp source-suppression enable | Required. Disabled by default.
Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five consecutive seconds | arp source-suppression limit limit-value | Optional. 10 by default.
To do… | Use the command… | Remarks
Display the ARP source suppression configuration information | display arp source-suppression | Available in any view
Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP packets.
ARP active acknowledgement works before the gateway modifies an ARP entry to prevent an incorrect ARP entry being generated. For details about the working mechanism, refer to ARP Attack Protection Technology White Paper.
Follow these steps to configure ARP active acknowledgement:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable the ARP active acknowledgement function | arp anti-attack active-ack enable | Required. Disabled by default.
This feature allows the device to check the source MAC address of ARP packets. If the number of ARP packets sent from a MAC address within five seconds exceeds the specified value, the device considers this an attack and adds the MAC address to the attack detection table. Before the attack detection entry is aged out, the device generates an alarm and filters out ARP packets sourced from that MAC address (in filter mode), or only generates an alarm (in monitor mode).
A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from being discarded, you can specify the MAC address of the gateway or server as a protected MAC address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
Only the ARP packets delivered to the CPU are detected.
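Both ARP source suppression (described in its own section above: more than 10 unresolvable-destination packets from one host in 5 seconds suppresses that host for the next 5 seconds) and source MAC address based ARP attack detection (more than 50 ARP packets from one MAC in 5 seconds creates an attack entry that lives 5 minutes, with filter and monitor modes and protected MAC addresses) are threshold counters over a 5-second window. The following Python model is an added example written for this page, not code from the manual or the vendor; the defaults are the ones the configuration tables state, the window semantics are this model's reading of "within five seconds", and the `FakeClock` and addresses are constructed for the demonstration.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, Iterable, Tuple


class WindowedCounter:
    """Counts events per key within a sliding window of `window` seconds."""

    def __init__(self, window: float):
        self.window = window
        self.events: Dict[str, Deque[float]] = {}

    def hit(self, key: str, now: float) -> int:
        q = self.events.setdefault(key, deque())
        q.append(now)
        while q and q[0] <= now - self.window:   # drop timestamps outside the window
            q.popleft()
        return len(q)


class ArpSourceSuppression:
    """ARP source suppression: a host exceeding `limit` unresolvable-destination packets
    within `window` seconds cannot trigger ARP requests for the following `window` seconds."""

    def __init__(self, limit: int = 10, window: float = 5.0,
                 clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.counter = WindowedCounter(window)
        self.suppressed_until: Dict[str, float] = {}

    def may_trigger_arp(self, src_ip: str) -> bool:
        """Called for each IP packet whose destination IP cannot be resolved."""
        now = self.clock()
        if now < self.suppressed_until.get(src_ip, 0.0):
            return False                          # host is in its suppression period
        if self.counter.hit(src_ip, now) > self.limit:
            self.suppressed_until[src_ip] = now + self.window
            return False
        return True


class SourceMacArpDetection:
    """Source MAC address based ARP attack detection. An attack entry is created when a MAC
    exceeds `threshold` ARP packets within `window` seconds and ages out after `aging` seconds.
    filter mode drops the MAC's ARP packets while the entry exists; monitor mode only alarms."""

    def __init__(self, mode: str = "filter", threshold: int = 50, aging: float = 300.0,
                 exclude_macs: Iterable[str] = (), window: float = 5.0,
                 clock: Callable[[], float] = time.monotonic):
        assert mode in ("filter", "monitor")
        self.mode, self.threshold, self.aging, self.clock = mode, threshold, aging, clock
        self.exclude_macs = set(exclude_macs)     # protected MAC addresses (exclude-mac)
        self.counter = WindowedCounter(window)
        self.attack_entries: Dict[str, float] = {}   # MAC -> time the entry ages out

    def arp_packet(self, src_mac: str) -> Tuple[str, bool]:
        """Return (action, alarm) for an ARP packet delivered to the CPU; action is 'forward' or 'drop'."""
        now = self.clock()
        if src_mac in self.exclude_macs:             # protected MAC: never detected
            return "forward", False
        if src_mac in self.attack_entries and self.attack_entries[src_mac] <= now:
            del self.attack_entries[src_mac]         # entry aged out
        if src_mac not in self.attack_entries and self.counter.hit(src_mac, now) > self.threshold:
            self.attack_entries[src_mac] = now + self.aging
        if src_mac in self.attack_entries:
            return ("drop" if self.mode == "filter" else "forward"), True
        return "forward", False


class FakeClock:
    """Manually advanced clock standing in for time.monotonic in the demonstration."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

Note how `exclude_macs` short-circuits before any counting: a protected gateway MAC is never rate-checked at all, which is exactly why the manual cautions that a protected address is excluded even if it is the attacker. Monitor mode is the safe first step when tuning `threshold`, since it produces the alarm without dropping traffic from a busy but legitimate server.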
Follow these steps to configure source MAC address based ARP attack detection:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable source MAC address based ARP attack detection and specify the detection mode | arp anti-attack source-mac { filter | monitor } | Required. Disabled by default.
Configure the threshold | arp anti-attack source-mac threshold threshold-value | Optional. 50 by default.
Configure the aging timer for source MAC address based ARP attack detection entries | arp anti-attack source-mac aging-time time | Optional. Five minutes by default.
Configure protected MAC addresses | arp anti-attack source-mac exclude-mac mac-address&<1-10> | Optional. Not configured by default.
To do… | Use the command… | Remarks
Display attacking entries detected | display arp anti-attack source-mac [ interface interface-type interface-number ] | Available in any view
A protected MAC address is no longer excluded from detection after the specified aging time expires.
This feature enables a gateway device to filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message, so that the gateway device can learn correct ARP entries.
Follow these steps to enable ARP packet source MAC address consistency check:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enable ARP packet source MAC address consistency check | arp anti-attack valid-check enable | Required. Disabled by default.
This feature allows you to limit the rate of ARP packets to be delivered to the CPU. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the CPU of the device may become overloaded because all the ARP packets are redirected to the CPU for checking. As a result, the device cannot deliver other functions properly or even crashes. To prevent it, you need to enable ARP packet rate limit.
You can enable this feature after ARP detection is configured, or to prevent ARP flood attacks.
Follow these steps to configure ARP packet rate limit in Ethernet interface view:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter Ethernet interface view | interface interface-type interface-number | —
Configure ARP packet rate limit | arp rate-limit { disable | rate pps drop } | Required. Disabled by default.
For information about DHCP snooping, refer to DHCP Configuration in the IP Services Volume.
The ARP detection feature allows only the ARP packets of authorized clients to be forwarded, hence preventing man-in-the-middle attacks.
According to the ARP design, after receiving an ARP reply, a host adds the IP-to-MAC mapping of the sender to its ARP mapping table even if the MAC address is not the requested one. This design reduces the ARP traffic on the network, but also makes ARP spoofing possible.
As shown in Figure 2-1, Host A communicates with Host C through a switch. After intercepting the traffic between Host A and Host C, a hacker (Host B) forwards forged ARP replies to Host A and Host C respectively. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B (MAC_B). After that, Host B establishes independent connections with Host A and Host C and relays messages between them, deceiving them into believing that they are talking directly to each other over a private connection, while the entire conversation is actually controlled by Host B. Host B may intercept and modify the communication data. Such an attack is called a man-in-the-middle attack.
Figure 2-1 Man-in-the-middle attack
With ARP detection enabled for a specific VLAN, ARP messages arriving on any interface in the VLAN are redirected to the CPU to have their MAC and IP addresses checked. ARP messages that pass the check are forwarded, and other ARP messages are discarded.
With this feature enabled, the device compares the source IP and MAC addresses of an ARP packet received from the VLAN against the DHCP snooping entries, or static IP-to-MAC binding entries. You can specify a detection type or types as needed.
1) After you enable ARP detection based on DHCP snooping entries for a VLAN,
- Upon receiving an ARP packet from an ARP untrusted port, the device compares the ARP packet against the DHCP snooping entries. If a match is found, that is, the parameters (such as IP address, MAC addresses, port index, and VLAN ID) are consistent, the ARP packet passes the check; if not, the ARP packet cannot pass the check.
- Upon receiving an ARP packet from an ARP trusted port, the device does not check the ARP packet.
- If ARP detection is not enabled for the VLAN, the ARP packet is not checked even if it is received from an ARP untrusted port.
ARP detection based on DHCP snooping entries involves both dynamic DHCP snooping entries and static IP Source Guard binding entries. Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For details, refer to DHCP Configuration in the IP Service Volume. Static IP Source Guard binding entries are created by using the user-bind command. For details, refer to IP Source Guard Configuration in the Security Volume.
2) After you enable ARP detection based on static IP-to-MAC bindings, the device, upon receiving an ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP packet against the static IP-to-MAC bindings.
- If an entry with a matching IP address but a different MAC address is found, the ARP packet is considered invalid and discarded.
- If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid and can pass the detection.
- If no match is found, the ARP packet is considered valid and can pass the detection.
If all the detection types are specified, the system uses static IP-to-MAC binding entries first, then DHCP snooping entries. To protect gateways, ARP detection based on IP-to-MAC binding entries is required. After passing this type of ARP detection, users that can pass ARP detection based on DHCP snooping entries are considered to be valid. The last two detection types are used to prevent ARP spoofing. You can select detection types according to the networking environment.
- If all access clients acquire IP addresses through DHCP, it is recommended that you enable DHCP snooping and ARP detection based on DHCP snooping entries on your access device.
- If access clients are small in number and use static IP addresses, it is recommended that you configure static IP Source Guard binding entries and enable ARP detection based on DHCP snooping entries on your access device.
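The two detection types and their order of evaluation (static IP-to-MAC bindings first, then DHCP snooping entries, with trusted ports skipping the snooping check and an enabled VLAN without any mode rejecting everything) can be expressed as one decision function. The following Python code is an added example for this page, not the switch's implementation or code from the manual. The `ArpFrame` and `ArpDetectionConfig` types are this example's own way of representing a received packet and the configuration; the sample bindings reuse the addresses from the configuration example at the end of the chapter.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class ArpFrame:
    """The fields of a received ARP packet that the detection rules look at (constructed input)."""
    sender_ip: str
    sender_mac: str
    port: str
    vlan: int


@dataclass
class ArpDetectionConfig:
    detection_vlans: Set[int] = field(default_factory=set)          # arp detection enable (per VLAN)
    modes: Set[str] = field(default_factory=set)                    # arp detection mode { dhcp-snooping | static-bind }
    trusted_ports: Set[str] = field(default_factory=set)            # arp detection trust
    static_bindings: Dict[str, str] = field(default_factory=dict)   # arp detection static-bind ip mac
    # DHCP snooping entries and static IP Source Guard bindings: (ip, mac, port, vlan)
    snooping_entries: Set[Tuple[str, str, str, int]] = field(default_factory=set)


def arp_detection(pkt: ArpFrame, cfg: ArpDetectionConfig) -> Tuple[bool, str]:
    """Return (passes, reason), evaluating static bindings first and DHCP snooping entries second."""
    if pkt.vlan not in cfg.detection_vlans:
        return True, "VLAN not under ARP detection: packet not checked"
    if not cfg.modes:
        return False, "no detection mode specified: all packets are invalid"
    if "static-bind" in cfg.modes:
        # Applies to trusted and untrusted ports alike.
        bound_mac = cfg.static_bindings.get(pkt.sender_ip)
        if bound_mac is not None and bound_mac != pkt.sender_mac:
            return False, "sender IP is bound to a different MAC"
        # A matching entry, or no entry at all, passes this stage.
    if "dhcp-snooping" in cfg.modes:
        if pkt.port in cfg.trusted_ports:
            return True, "trusted port: not checked against snooping entries"
        if (pkt.sender_ip, pkt.sender_mac, pkt.port, pkt.vlan) in cfg.snooping_entries:
            return True, "matches a DHCP snooping / IP Source Guard entry"
        return False, "no matching DHCP snooping entry on an untrusted port"
    return True, "passed static IP-to-MAC binding check"


def sample_config() -> ArpDetectionConfig:
    """Configuration mirroring the chapter's ARP detection example (values from that example)."""
    return ArpDetectionConfig(
        detection_vlans={10},
        modes={"static-bind", "dhcp-snooping"},
        trusted_ports={"GigabitEthernet1/0/3"},
        static_bindings={"10.1.1.1": "000f-e249-8050"},
        snooping_entries={("10.1.1.6", "0001-0203-0607", "GigabitEthernet1/0/2", 10)},
    )
```

The snooping tuple includes the port and VLAN, so a valid client's address pair replayed from a different access port is still rejected; that port binding is what stops a host on one port from answering on behalf of a host on another.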
Follow these steps to enable ARP detection for a VLAN and specify a trusted port:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Enter VLAN view | vlan vlan-id | —
Enable ARP detection for the VLAN | arp detection enable | Required. Disabled by default. That is, ARP detection based on DHCP snooping entries/static IP-to-MAC bindings is not enabled by default.
Return to system view | quit | —
Enter Ethernet interface view | interface interface-type interface-number | —
Configure the port as a trusted port | arp detection trust | Optional. The port is an untrusted port by default.
Return to system view | quit | —
Specify an ARP attack detection mode | arp detection mode { dhcp-snooping | static-bind } | Required. No ARP attack detection mode is specified by default; that is, all packets are considered to be invalid by default.
Configure a static IP-to-MAC binding for ARP detection | arp detection static-bind ip-address mac-address | Optional. Not configured by default. If the ARP attack detection mode is static-bind, you need to configure static IP-to-MAC bindings for ARP detection.
- If all the detection types are specified, the system uses IP-to-MAC bindings first, then DHCP snooping entries. If an ARP packet fails to pass ARP detection based on static IP-to-MAC bindings, it is discarded. If the packet passes this detection, it will be checked against DHCP snooping entries. If a match is found, the packet is considered to be valid; otherwise, the packet is discarded.
- Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP snooping is enabled.
You can also specify objects in ARP packets to be detected. The objects involve:
- src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packet is discarded.
- dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
- ip: Checks both the source and destination IP addresses in an ARP packet. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this object specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests are checked.
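The three validation objects are pure consistency checks between the Ethernet header and the ARP message, so they can be shown without any table lookups. The following Python code is an added example for this page, not the switch's implementation; `ArpFrame` is this example's own record of one received frame's header and ARP fields, the `src-mac` check is the same comparison the ARP packet source MAC address consistency check section describes for gateways, and the frames used are constructed (their addresses are taken from the chapter's configuration example).

```python
from dataclasses import dataclass
from typing import Iterable, List

OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "0000-0000-0000"       # all-zero target MAC
BROADCAST_MAC = "ffff-ffff-ffff"  # all-one target MAC


@dataclass
class ArpFrame:
    """Ethernet header plus ARP message fields of one received frame (constructed input)."""
    eth_src: str
    eth_dst: str
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def ip_is_invalid(ip: str) -> bool:
    """All-zero, all-one and multicast (224.0.0.0/4) addresses are invalid in an ARP packet."""
    first_octet = int(ip.split(".")[0])
    return ip == "0.0.0.0" or ip == "255.255.255.255" or 224 <= first_octet <= 239


def check_src_mac(f: ArpFrame) -> bool:
    """src-mac: sender MAC in the ARP message must equal the Ethernet source MAC."""
    return f.sender_mac.lower() == f.eth_src.lower()


def check_dst_mac(f: ArpFrame) -> bool:
    """dst-mac: for replies, the target MAC must be neither all-zero nor all-one and must
    equal the Ethernet destination MAC. Requests are not subject to this object."""
    if f.op != OP_REPLY:
        return True
    target = f.target_mac.lower()
    return target not in (ZERO_MAC, BROADCAST_MAC) and target == f.eth_dst.lower()


def check_ip(f: ArpFrame) -> bool:
    """ip: sender and target IP of replies, sender IP only of requests."""
    addresses = [f.sender_ip] if f.op == OP_REQUEST else [f.sender_ip, f.target_ip]
    return not any(ip_is_invalid(ip) for ip in addresses)


CHECKS = {"src-mac": check_src_mac, "dst-mac": check_dst_mac, "ip": check_ip}


def validate(f: ArpFrame, objects: Iterable[str]) -> List[str]:
    """Apply the configured objects (as in 'arp detection validate ...') and return the
    names of those the frame fails; an empty list means the frame is forwarded."""
    return [obj for obj in objects if not CHECKS[obj](f)]
```

Returning the list of failed objects rather than a single boolean is deliberate: it is what you want to feed into the per-interface statistics the `display arp detection statistics` command reports, so that a rise in `src-mac` failures on one port can be told apart from malformed IP addresses.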
Before performing the following configuration, make sure you have configured the arp detection enable command.
Follow these steps to configure ARP detection based on specified objects:
To do… | Use the command… | Remarks
Enter system view | system-view | —
Specify objects for ARP detection | arp detection validate { dst-mac | ip | src-mac } * | Required. Not specified by default.
To do… | Use the command… | Remarks
Display the VLANs enabled with ARP detection | display arp detection | Available in any view
Display the ARP detection statistics | display arp detection statistics [ interface interface-type interface-number ] | Available in any view
Clear the ARP detection statistics | reset arp detection statistics [ interface interface-type interface-number ] | Available in user view
As shown in Figure 2-2, enable DHCP snooping on Switch A. Enable ARP detection for VLAN 10 to allow only packets from valid clients to pass. Configure Host A and Host B as DHCP clients.
Figure 2-2 Network diagram for ARP detection configuration
1) Add all the ports on Switch A to VLAN 10 (the configuration procedure is omitted).
2) Configure DHCP server (the configuration procedure is omitted).
3) Configure Host A and Host B as DHCP clients (the configuration procedure is omitted).
4) Configure Switch A
# Enable DHCP snooping.
<SwitchA> system-view
[SwitchA] dhcp-snooping
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] dhcp-snooping trust
[SwitchA-GigabitEthernet1/0/3] quit
# Enable ARP detection for VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] arp detection enable
# Configure the upstream port as a trusted port and the downstream ports as untrusted ports (a port is an untrusted port by default).
[SwitchA-vlan10] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] arp detection trust
[SwitchA-GigabitEthernet1/0/3] quit
# Configure a static IP Source Guard binding entry on interface GigabitEthernet 1/0/2.
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] user-bind ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[SwitchA-GigabitEthernet1/0/2] quit
# Configure a static IP-to-MAC binding.
[SwitchA] arp detection static-bind 10.1.1.1 000f-e249-8050
# Enable ARP detection based on both DHCP snooping entries and static IP-to-MAC bindings.
[SwitchA] arp detection mode dhcp-snooping
[SwitchA] arp detection mode static-bind
# Enable the checking of the MAC addresses and IP addresses of ARP packets.
[SwitchA] arp detection validate dst-mac ip src-mac
After the preceding configurations are completed, when ARP packets arrive at interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2, their MAC and IP addresses are checked, and then the packets are checked against the IP-to-MAC binding and finally DHCP snooping entries.