224Configuration exampleNetwork requirementsAs shown in Figure 71, Host B launches gateway spoofing attacks to Switch B. As a result, traffic thatSwitch B intends to send to Switch A is sent to Host B.Configure Switch B to block such attacks.Figure 71 Network diagramConfiguration procedure# Configure ARP gateway protection on Switch B. system-view[SwitchB] interface ten-gigabitethernet 1/0/1[SwitchB-Ten-GigabitEthernet1/0/1] arp filter source 10.1.1.1[SwitchB-Ten-GigabitEthernet1/0/1] quit[SwitchB] interface ten-gigabitethernet 1/0/2[SwitchB-Ten-GigabitEthernet1/0/2] arp filter source 10.1.1.1After the configuration is complete, Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 discardthe incoming ARP packets whose sender IP address is the IP address of the gateway.Configuring ARP filteringThe ARP filtering feature can prevent gateway spoofing and user spoofing attacks.An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packetagainst permitted entries. If a match is found, the packet is handled normally. If not, the packet isdiscarded.Configuration guidelinesFollow these guidelines when you configure ARP filtering:• You can configure a maximum of eight permitted entries on an interface.