2-7To do… Use the command… RemarksSpecify the current port as atrusted port dhcp-snooping trustOptionalAfter DHCP snooping isenabled, you need to configurethe upstream port connected tothe DHCP server as a trustedport.Configure the port as an ARPtrusted port arp detection trustOptionalBy default, a port is an ARPuntrusted port.Generally, the upstream port ofa switch is configured as atrusted port.Quit to system view quit —Enter VLAN view vlan vlan-id —Enable the ARP attackdetection function arp detection enableRequiredBy default, ARP attackdetection is disabled on allports.Enable ARP restrictedforwardingarp restricted-forwardingenableOptionalDisabled by default.z When most clients acquire IP addresses through DHCP and some clients use static IP addresses,you need to enable DHCP snooping and configure static IP binding entries on the switch. Thesefunctions can cooperate with ARP attack detection to check the validity of packets.z You need to use ARP attack detection based on authenticated 802.1x clients together withfunctions of both MAC-based 802.1x authentication and ARP attack detection.z Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S5500-EI seriesEthernet switch is the same as the default VLAN ID of the port. If the VLAN tag of an ARP packet isdifferent from the default VLAN ID of the receiving port, the ARP packet cannot pass the ARPattack detection based on the IP-to-MAC bindings.z Before enabling ARP restricted forwarding, make sure you have enabled ARP attack detection andconfigured ARP trusted ports.z You are not recommended to configure ARP attack detection on the ports of an aggregation group.Configuring the ARP Packet Rate Limit FunctionFollow these steps to configure the ARP packet rate limit function:To do… Use the command… RemarksEnter system view system-view —Enter Ethernet port view interface interface-typeinterface-number —
