2-4Figure 2-2 Gateway spoofing attackTo prevent gateway spoofing attacks, an S5600 series Ethernet switch can work as an access device(usually with the upstream port connected to the gateway and the downstream ports connected to hosts)and filter ARP packets based on the gateway’s address.z To filter APR attack packets arriving on a downstream port, you can bind the gateway’s IP addressto the downstream port (directly connected to hosts) of the switch. After that, the port will discardARP packets with the gateway’s IP address as the sender IP address, and permit other ARPpackets to pass.z To filter ARP attack packets arriving on the upstream port, you can bind the IP and MAC addressesof the gateway to the cascaded port or upstream port of the access switch. After that, the port willdiscard ARP packets with the sender IP address as the gateway’s IP address but with the senderMAC address different from the gateway’s MAC address, and permit other ARP packets to pass.An ARP trusted port has higher priority comparing with support for ARP packet filtering based ongateway's address. That is, if you configure a cascaded port or an upstream port as an ARP trusted port,the gateway's IP and MAC addresses configured on the port are ineffective.Configuring ARP Attack DefenseARP Attack Defense Configuration Task ListComplete the following tasks to configure ARP attack defense:Task RemarksConfiguring the Maximum Number of Dynamic ARPEntries that a VLAN Interface Can LearnOptionalThe switch serves as a gateway.Configuring ARP Source MAC Address ConsistencyCheckOptionalThe switch serves as a gateway or an access device.