Configuring Advanced Threat Protection

Dynamic ARP Protection

Configuring Additional Validation Checks on ARP Packets

Dynamic ARP protection can be configured to perform additional validation checks on ARP packets. By default, no additional checks are performed. To configure additional validation checks, enter the arp-protect validate command at the global configuration level.

Syntax: [no] arp-protect validate <[src-mac] [dst-mac] [ip]>

src-mac(Optional) Drops any ARP request or response packet in which the source MAC address in the Ethernet header does not match the sender MAC address in the body of the ARP packet.

dst-mac(Optional) Drops any unicast ARP response packet

 

in which the destination MAC address in the

 

Ethernet header does not mach the target MAC

 

address in the body of the ARP packet.

ip

(Optional) Drops any ARP packet in which the

 

sender IP address is invalid. Drops any ARP

 

response packet in which the target IP address is

 

invalid. Invalid IP addresses include: 0.0.0.0,

 

255.255.255.255, all IP multicast addresses, and

 

all Class E IP addresses.

You can configure one or more of the validation checks. The following example of the arp-protect validate command shows how to configure the validation checks for source MAC address and destination AMC address:

ProCurve(config)# arp-protect validate src-mac dst-mac

Verifying the Configuration of Dynamic ARP Protection

To display the current configuration of dynamic ARP protection, including the additional validation checks and the trusted ports that are configured, enter the show arp-protectcommand:

8-21