Operation Manual – ARPH3C S3100 Series Ethernet Switches Chapter 1 ARP Configuration1-10Note:z You need to enable DHCP snooping and configure DHCP snooping trusted ports onthe switch before configuring the ARP attack detection function. For moreinformation about DHCP snooping, refer to the DHCP snooping section in the partdiscussing DHCP in this manual.z Generally, the uplink port of a switch is configured as a trusted port.z Before enabling ARP restricted forwarding, make sure you enable ARP attackdetection and configure ARP trusted ports.z Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S3100-EIseries Ethernet switch is the same as the default VLAN ID of the port. If the VLANtag of an ARP packet is different from the default VLAN ID of the receiving port, theARP packet cannot pass the ARP attack detection based on the IP-to-MACbindings.z When you use the ARP attack detection in cooperation with VLAN mapping, youneed to enable ARP attack detection in both the original VLAN and the mappedVLAN. For more information about VLAN mapping, refer to VLAN-VPN Operation inthis manual.z You are not recommended to configure ARP attack detection on the ports of anaggregation group.1.2.4 Configuring the ARP Packet Rate Limit FunctionTable 1-7 Configure the ARP packet rate limit functionOperation Command RemarksEnter system view system-view —Enter Ethernet port view interface interface-typeinterface-number —Enable the ARP packetrate limit function arp rate-limit enableRequiredBy default, the ARPpacket rate limit functionis disabled on a port.Configure the maximumARP packet rate allowedon the portarp rate-limit rateOptionalBy default, the maximumARP packet rate allowedon a port is 15 pps.Quit to system view quit —Enable the port stateauto-recovery functionarp protective-downrecover enableOptionalBy default, the port stateauto-recovery function isdisabled.