| To do… | Use the command… | Remarks |
|---|---|---|
| Enable the ARP attack detection function | arp detection enable | Required. By default, ARP attack detection is disabled on all ports. |
| Enable ARP restricted forwarding | arp restricted-forwarding enable | Optional. Disabled by default. |

- When most clients acquire IP addresses through DHCP and some clients use static IP addresses, you need to enable DHCP snooping and configure static IP binding entries on the switch. These functions can cooperate with ARP attack detection to check the validity of packets.
- ARP attack detection based on authenticated 802.1x clients must be used together with both MAC-based 802.1x authentication and ARP attack detection.
- Currently, the VLAN ID of an IP-to-MAC binding configured on a port of an S5600 series Ethernet switch is the same as the default VLAN ID of the port. If the VLAN tag of an ARP packet is different from the default VLAN ID of the receiving port, the ARP packet cannot pass the ARP attack detection based on the IP-to-MAC bindings.
- Before enabling ARP restricted forwarding, make sure you have enabled ARP attack detection and configured ARP trusted ports.
- Configuring ARP attack detection on the ports of a fabric or an aggregation group is not recommended.

Configuring the ARP Packet Rate Limit Function

Follow these steps to configure the ARP packet rate limit function:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the ARP packet rate limit function | arp rate-limit enable | Required. By default, the ARP packet rate limit function is disabled on a port. |
| Configure the maximum ARP packet rate allowed on the port | arp rate-limit rate | Optional. By default, the maximum ARP packet rate allowed on a port is 15 pps. |
| Quit to system view | quit | — |
| Enable the port state auto-recovery function | arp protective-down recover enable | Optional. Disabled by default. |
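
The notes on ARP attack detection above say that packets are validated against IP-to-MAC bindings, that trusted ports are configured separately, and that a VLAN tag different from the port's default VLAN ID fails the check. The following Python sketch is an added example, not code from the switch or its manual: it is a simplified model of that check, assuming that trusted ports are not checked and that the sender IP and MAC must match a binding on the receiving port. The class names, port names, addresses and VLAN IDs are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:          # one IP-to-MAC binding (static entry or DHCP snooping entry)
    ip: str
    mac: str
    port: str
    vlan: int           # on the S5600 this equals the port's default VLAN ID


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    in_port: str
    vlan: int           # VLAN tag carried by the ARP packet


def check_arp(pkt, bindings, trusted_ports):
    """Return (verdict, reason) for one ARP packet under the simplified model."""
    if pkt.in_port in trusted_ports:           # assumption: trusted ports are not checked
        return "forward", "trusted port"
    for b in bindings:
        same_host = (b.ip, b.mac.lower(), b.port) == (
            pkt.sender_ip, pkt.sender_mac.lower(), pkt.in_port)
        if same_host and b.vlan == pkt.vlan:
            return "forward", "binding match"
        if same_host:                          # the VLAN caveat from the notes
            return "drop", "vlan mismatch"
    return "drop", "no binding"


# Constructed sample data (addresses, ports and VLANs are made up).
BINDINGS = [Binding("192.168.10.5", "00:11:22:33:44:55", "GE1/0/2", 10)]
TRUSTED = {"GE1/0/1"}
SAMPLES = [
    ArpPacket("192.168.10.5", "00:11:22:33:44:55", "GE1/0/2", 10),  # bound client
    ArpPacket("192.168.10.1", "00:11:22:33:44:55", "GE1/0/2", 10),  # claims another IP
    ArpPacket("192.168.10.5", "00:11:22:33:44:55", "GE1/0/2", 20),  # right host, wrong tag
    ArpPacket("192.168.10.1", "00:aa:bb:cc:dd:ee", "GE1/0/1", 10),  # arrives on trusted port
]


def run_samples():
    return [check_arp(p, BINDINGS, TRUSTED) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{pkt.in_port} vlan {pkt.vlan} {pkt.sender_ip}: {verdict} ({reason})")
```

The third sample is the case the VLAN note warns about: a legitimate client whose ARP traffic arrives tagged with a VLAN other than the port default is dropped just like a spoofed packet, so it shows up as a connectivity fault rather than as an attack.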