Security Entries/OUI MAC Addresses - HP 12500 Series Configuration Manual


Enabling ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses
With this feature enabled, the switch compares the sender IP and MAC addresses of an ARP packet
received from the VLAN against the static IP source guard binding entries, DHCP snooping entries,
802.1X security entries, or OUI MAC addresses to prevent spoofing.
After you enable this feature for a VLAN:
1. Upon receiving an ARP packet from an ARP untrusted port, the switch compares the sender IP and MAC addresses of the ARP packet against the static IP source guard binding entries. If a match is found, the ARP packet is considered valid and is forwarded. If an entry with a matching IP address but an unmatched MAC address is found, the ARP packet is considered invalid and is discarded. If no entry with a matching IP address is found, the switch compares the ARP packet's sender IP and MAC addresses against the DHCP snooping entries, 802.1X security entries, and OUI MAC addresses.
2. If a match is found in any of the entries, the ARP packet is considered valid and is forwarded. ARP detection based on OUI MAC addresses means that if the sender MAC address of the received ARP packet is an OUI MAC address and voice VLAN is enabled, the packet is considered valid.
3. If no match is found, the ARP packet is considered invalid and is discarded.
4. Upon receiving an ARP packet from an ARP trusted port, the switch does not check the ARP packet.
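The decision order above can be modelled in a few lines. The following Python sketch is an added example, not code from the HP manual or the switch software; the class name, port names, addresses, and the 24-bit colon-separated OUI prefix match are assumptions made for illustration.

```python
# Added illustration: a model of the ARP detection decision order described above.
# All names and sample entries are constructed; this is not HP switch code.
from dataclasses import dataclass, field

@dataclass
class VlanArpDetection:
    static_bindings: dict = field(default_factory=dict)  # IP -> MAC (static IP source guard)
    dhcp_snooping: dict = field(default_factory=dict)    # IP -> MAC
    dot1x_entries: dict = field(default_factory=dict)    # IP -> MAC
    oui_prefixes: set = field(default_factory=set)       # assumed: lowercase "aa:bb:cc" prefixes
    voice_vlan_enabled: bool = False
    trusted_ports: set = field(default_factory=set)

    def check(self, port, sender_ip, sender_mac):
        """Return (verdict, reason) for one ARP packet received in this VLAN."""
        mac = sender_mac.lower()
        # Item 4: packets from ARP trusted ports are not checked.
        if port in self.trusted_ports:
            return "forward", "trusted port"
        # Item 1: static bindings come first and are decisive for their IP address.
        if sender_ip in self.static_bindings:
            if self.static_bindings[sender_ip].lower() == mac:
                return "forward", "static binding"
            return "discard", "static binding MAC mismatch"
        # Item 2: with no static entry for the IP, any other source may validate it.
        for name, table in (("DHCP snooping", self.dhcp_snooping),
                            ("802.1X", self.dot1x_entries)):
            if table.get(sender_ip, "").lower() == mac:
                return "forward", name
        # OUI match counts only when voice VLAN is enabled.
        if self.voice_vlan_enabled and mac[:8] in self.oui_prefixes:
            return "forward", "OUI MAC"
        # Item 3: nothing matched.
        return "discard", "no matching entry"

def demo():
    # Constructed sample tables and packets (documentation address range).
    vlan = VlanArpDetection(
        static_bindings={"192.0.2.1": "00:11:22:33:44:55"},
        dhcp_snooping={"192.0.2.1": "66:77:88:99:aa:bb",
                       "192.0.2.50": "02:00:00:00:00:50"},
        oui_prefixes={"00:e0:bb"}, voice_vlan_enabled=True,
        trusted_ports={"uplink"})
    packets = [("uplink", "192.0.2.99", "de:ad:be:ef:00:01"),
               ("ge1", "192.0.2.1", "00:11:22:33:44:55"),
               ("ge1", "192.0.2.1", "66:77:88:99:aa:bb"),
               ("ge1", "192.0.2.50", "02:00:00:00:00:50"),
               ("ge1", "192.0.2.60", "00:E0:BB:12:34:56"),
               ("ge1", "192.0.2.70", "02:00:00:00:00:70")]
    return [vlan.check(*p) for p in packets]
```

The third constructed packet matches a DHCP snooping entry, but the static binding for the same IP address is consulted first and causes the discard.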
Configuration guidelines
Static IP source guard binding entries are created by using the ip source binding command. For more information, see "Configuring IP source guard."
Dynamic DHCP snooping entries are automatically generated through the DHCP snooping function. For more information, see Layer 3—IP Services Configuration Guide.
802.1X security entries are generated in this case: after a client passes 802.1X authentication and uploads its IP address to an ARP detection enabled device, the device automatically generates an 802.1X security entry. Therefore, the 802.1X client must be able to upload its IP address to the device. For more information, see "Configuring 802.1X."
For more information about voice VLANs and OUI MAC addresses, see Layer 2—LAN Switching Configuration Guide.
Configuration procedure
To enable ARP detection for a VLAN and specify a trusted port:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter VLAN view. | vlan vlan-id | N/A |
| 3. Enable ARP detection for the VLAN. | arp detection enable | Disabled by default. ARP detection based on static IP source guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses is disabled by default. |
| 4. Return to system view. | quit | N/A |
