24To do… Use the command… Remarks3. Enable ARP detection forthe VLAN arp detection enableRequiredDisabled by default. That is, ARP detectionbased on DHCP snooping entries/802.1Xsecurity entries/static IP-to-MAC bindings isnot enabled by default.4. Return to system view quit —5. Enter Ethernet interfaceviewinterface interface-typeinterface-number —6. Configure the port as atrusted port arp detection trust OptionalThe port is an untrusted port by default.7. Return to system view quit —8. Specify an ARP attackdetection modearp detection mode {dhcp-snooping | dot1x| static-bind }RequiredNo ARP attack detection mode is specified bydefault; that is, all packets are considered tobe invalid by default.9. Configure a static IP-to-MAC binding for ARPdetectionarp detection static-bind ip-address mac-addressOptionalNot configured by default.If the ARP attack detection mode is static-bind, you need to configure static IP-to-MACbindings for ARP detection.• If all the detection types are specified, the system uses IP-to-MAC bindings first, then DHCP snooping entries, andthen 802.1X security entries. If an ARP packet fails to pass ARP detection based on static IP-to-MAC bindings, itis discarded. If the packet passes this detection, it will be checked against DHCP snooping entries. If a match isfound, the packet is considered to be valid and will not be checked against 802.1X security entries; otherwise,the packet is checked against 802.1X security entries. If a match is found, the packet is considered to be valid;otherwise, the packet is discarded.• Before enabling ARP detection based on DHCP snooping entries, make sure that DHCP snooping is enabled.• Before enabling ARP detection based on 802.1X security entries, make sure that 802.1X is enabled and the802.1X clients are configured to upload IP addresses.Configuring ARP detection based on specified objectsYou can also specify objects in ARP packets to be detected. The objects involve:• src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MACaddress in the Ethernet header. If they are identical, the packet is forwarded; otherwise, the packetis discarded.• dst-mac: Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet isconsidered invalid and discarded.