Configuring Arp-check
Overview of Arp-check
Arp-check is a per-interface traffic filter that permits ARP traffic only when the IP address and MAC address of each packet match one of two sources of IP and MAC address bindings:
- Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table
- Static IP source entries that you configure
Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access.
Note
- Port security is supported only on L2 ports, such as physical ports and L2 AP (aggregate) ports.
- Port security cannot be configured on AP member ports.
Configuring
- Enabling Arp-check on the interface
SWITCH(config-if)#arp-check
SWITCH(config-if)#no arp-check
Enables Arp-check on the interface; the no form disables it.
Examples
Example 1: This is a typical application of Arp-check. Arp-check is enabled on the interface gigabitEthernet0/1, and three static binding entries are configured on the interface. When the interface gigabitEthernet0/1 receives an ARP packet whose IP address and MAC address do not match one of the static entries, the packet is dropped.
SWITCH(config)#interface gigabitEthernet0/1
SWITCH(config-if)#ip verify source
SWITCH(config-if)#arp-check
SWITCH(config)#ip source binding 0001.0001.0001 vlan 1 1.1.1.10 interface gigabitEthernet0/1
SWITCH(config)#ip source binding 0001.0001.0002 vlan 1 1.1.1.11 interface gigabitEthernet0/1
SWITCH(config)#ip source binding 0001.0001.0003 vlan 1 1.1.1.12 interface gigabitEthernet0/1
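The filtering decision described in this example, as an added illustration that is not the switch's own code: it parses the three static bindings above into a binding table and evaluates constructed ARP packets against it. The ArpPacket and arp_check names and the sample packets are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three static bindings from the example above, in the
# switch's "ip source binding" syntax. The parser is an added illustration,
# not the switch's implementation.
STATIC_BINDINGS = """
ip source binding 0001.0001.0001 vlan 1 1.1.1.10 interface gigabitEthernet0/1
ip source binding 0001.0001.0002 vlan 1 1.1.1.11 interface gigabitEthernet0/1
ip source binding 0001.0001.0003 vlan 1 1.1.1.12 interface gigabitEthernet0/1
"""

BINDING_RE = re.compile(
    r"ip source binding (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"vlan (?P<vlan>\d+) (?P<ip>\d+\.\d+\.\d+\.\d+) interface (?P<ifname>\S+)"
)

def parse_bindings(text):
    """Return a set of (interface, vlan, ip, mac) tuples from CLI binding lines."""
    table = set()
    for line in text.strip().splitlines():
        m = BINDING_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unrecognised binding line: {line!r}")
        table.add((m["ifname"], int(m["vlan"]), m["ip"], m["mac"].lower()))
    return table

@dataclass
class ArpPacket:
    ifname: str       # ingress interface
    vlan: int         # ingress VLAN
    sender_ip: str    # ARP sender protocol address
    sender_mac: str   # ARP sender hardware address

def arp_check(packet, bindings):
    """Permit only if the sender IP/MAC pair is bound on this interface and VLAN."""
    key = (packet.ifname, packet.vlan, packet.sender_ip, packet.sender_mac.lower())
    return "permit" if key in bindings else "drop"

if __name__ == "__main__":
    table = parse_bindings(STATIC_BINDINGS)
    samples = [
        ArpPacket("gigabitEthernet0/1", 1, "1.1.1.10", "0001.0001.0001"),  # bound pair
        ArpPacket("gigabitEthernet0/1", 1, "1.1.1.10", "0001.0001.00ff"),  # valid IP, wrong MAC
        ArpPacket("gigabitEthernet0/1", 1, "1.1.1.20", "0001.0001.0002"),  # bound MAC, wrong IP
    ]
    for p in samples:
        print(f"{p.sender_ip} {p.sender_mac}: {arp_check(p, table)}")
```

The second and third packets are the spoofing cases the feature targets: a known IP with a foreign MAC, and a known MAC claiming an IP it was never bound to.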

