H3C S5510 User ACL Configuration Guide to Prevent ARP Spoofing of the Gateway
1. Customer requirements:
Devices: 1 H3C S5510, PC client
Gateway IP: 10.1.1.1/24
The customer wants to prevent hosts from sending ARP packets that spoof the gateway.
2. Topology:
3. Active Configurations:
(1) Disable the following in global view: ndp, ntdp, habp, cluster, dot1x
[s5510] undo ndp enable
[s5510] undo ntdp enable
[s5510] undo habp enable
[s5510] undo cluster enable
[s5510] undo dot1x
(2) Configure flow-template
[s5510] flow-template anti_arp extend start 28 4 l2 12 2
(3) Configure ACL
[s5510] acl number 5000
[s5510-acl-user-5000] rule 5 deny start 0A010101 ffffffff 28 l2 0806 ffff 12
(4) Configure classifier
[s5510] traffic classifier anti_arp operator and
[s5510-classifier-anti_arp] if-match acl 5000
(5) Configure behavior
[s5510] traffic behavior anti_arp
[s5510-behavior-anti_arp] filter deny
(6) Configure policy
[s5510] qos policy anti_arp
[s5510-qospolicy-anti_arp] classifier anti_arp behavior anti_arp
(7) Apply the flow-template and policy
[s5510] interface GigabitEthernet 1/0/10
[s5510-GigabitEthernet1/0/10] flow-template anti_arp
[s5510-GigabitEthernet1/0/10] qos apply policy anti_arp inbound
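Added example, not part of the original guide or H3C's own code: a Python check of what rule 5 in ACL 5000 matches, run against constructed ARP frames. It assumes both offsets (28 and 12) are counted from the first byte of an untagged Ethernet frame, so offset 12 is the EtherType and offset 28 is the ARP sender IP; the function names are hypothetical.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
SENDER_IP_OFFSET = 28   # 14-byte Ethernet header + 8 fixed ARP bytes + 6-byte sender MAC
ETHERTYPE_OFFSET = 12   # after destination MAC (6) and source MAC (6)


def rule_for_gateway(gateway_ip, rule_id=5):
    """Render the user ACL rule line for a given gateway IPv4 address."""
    ip_hex = ipaddress.IPv4Address(gateway_ip).packed.hex().upper()
    return (f"rule {rule_id} deny start {ip_hex} ffffffff {SENDER_IP_OFFSET} "
            f"l2 {ETHERTYPE_ARP:04x} ffff {ETHERTYPE_OFFSET}")


def build_arp(src_mac, sender_ip, target_ip, oper=2):
    """Build an untagged Ethernet/ARP frame in memory (constructed sample input)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)   # htype, ptype, hlen, plen, oper
    arp += mac + ipaddress.IPv4Address(sender_ip).packed  # sender MAC, sender IP
    arp += b"\x00" * 6 + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def field_matches(frame, offset, value, mask):
    """Masked compare of len(value) bytes at offset (the rule's value/mask/offset triple)."""
    window = frame[offset:offset + len(value)]
    if len(window) < len(value):
        return False  # frame too short to contain the field
    return all((w & m) == (v & m) for w, v, m in zip(window, value, mask))


def rule_denies(frame, gateway_ip):
    """True when both fields of the rule match: EtherType is ARP and sender IP is the gateway."""
    gw = ipaddress.IPv4Address(gateway_ip).packed
    return (field_matches(frame, ETHERTYPE_OFFSET, b"\x08\x06", b"\xff\xff")
            and field_matches(frame, SENDER_IP_OFFSET, gw, b"\xff" * 4))


if __name__ == "__main__":
    spoof = build_arp("00:11:22:33:44:55", "10.1.1.1", "10.1.1.20")   # sender IP = gateway
    normal = build_arp("00:11:22:33:44:55", "10.1.1.20", "10.1.1.1")  # sender IP = host's own
    print(rule_for_gateway("10.1.1.1"))
    print("frame claiming gateway IP denied:", rule_denies(spoof, "10.1.1.1"))
    print("normal host ARP denied:", rule_denies(normal, "10.1.1.1"))
```

The normal frame still carries 10.1.1.1 as its target IP, but that field sits at offset 38, so ARP requests for the gateway from hosts are not dropped.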
4. Some advice:
(1) The user ACL must be used with the flow-template.
(2) Only 2 flow-templates can be configured.
(3) The same configuration can be used for the H3C S3610.