229
[Device] arp anti-attack source-mac aging-time 60
# Configure 0012-3f86-e94c as a protected MAC address.
[Device] arp anti-attack source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC address
consistency check
The ARP packet source MAC address consistency check feature enables a gateway device to filter out
ARP packets that have a different source MAC address in the Ethernet header from the sender MAC
address in the message, so that the gateway device can learn correct ARP entries.
Configuration procedure
To enable ARP packet source MAC address consistency check:
To do…
Use the command…
Remarks
1.
Enter system view.
system-view
—
2.
Enable ARP packet source MAC
address consistency check.
arp anti-attack valid-check enable
Required
Disabled by default
Configuring ARP active acknowledgement
The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP
packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid
generating an incorrect ARP entry. For more information about its working mechanism, see
ARP Attack
Protection Technology White Paper
.
Configuration procedure
To configure ARP active acknowledgement:
To do…
Use the command…
Remarks
1.
Enter system view.
system-view
—
2.
Enable the ARP active
acknowledgement function.
arp anti-attack active-ack enable
Required
Disabled by default
Configuring ARP detection
The ARP detection feature is mainly configured on an access device to allow only the ARP packets of
authorized clients to be forwarded and to prevent user spoofing and gateway spoofing.
ARP detection includes ARP detection based on static IP source guard binding entries/DHCP snooping
entries/802.1X security entries, ARP detection based on specified objects, and ARP restricted
forwarding.
Содержание A5830 Series
Страница 207: ...199 Figure 62 SFTP client interface ...