3Com 4210 9-Port - Arp Attack Defense Configuration Example II

To Next Page

To Previous Page

# Configure ARP packet filtering based on the gateway’s IP address on Ethernet 1/0/2.

[Switch] interface Ethernet 1/0/2

[Switch-Ethernet1/0/2] arp filter source 192.168.100.1

[Switch-Ethernet1/0/2] quit

# Configure ARP packet filtering based on the gateway’s IP address on Ethernet 1/0/3.

[Switch] interface Ethernet 1/0/3

[Switch-Ethernet1/0/3] arp filter source 192.168.100.1

[Switch-Ethernet1/0/3] quit

ARP Attack Defense Configuration Example II

Network Requirements

Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B). To

prevent ARP attacks such as ARP flooding:

z Enable ARP packet source MAC address consistency check on Switch A to block ARP packets

with the sender MAC address different from the source MAC address in the Ethernet header.

z Limit the number of dynamic ARP entries learned on VLAN-interface 1.

Network Diagram

Figure 1-3 Network diagram for ARP attack defense II

Switch A (Gateway)

Switch B

Host B

Host A

Vlan-int

192.168.1.1/24

Configuration Procedures

# Enter system view.

<SwitchA> system-view

# Enable ARP source MAC address consistency check.

[SwitchA] arp anti-attack valid-check enable

# Enter VLAN-interface 1 view.

[SwitchA] interface vlan-interface 1

# Configure an IP address for VLAN-interface 1.

[SwitchA-Vlan-interface1] ip address 192.168.1.1/24

Related product manuals