7
# Configure the maximum number of ARP entries that can be learned by VLAN-interface 1 as 500.
[SwitchA-Vlan-interface1] arp max-learning-num 500
[SwitchA-Vlan-interface1] quit
ARP/IP Attack Defense Configuration Example III
Network Requirements
z Host A is assigned with an IP address statically and installed with an 802.1x client.
z A CAMS authentication, authorization and accounting server serves as the authentication server.
z Enable ARP attack detection and IP filtering based on bindings of authenticated 802.1x clients on
the switch to prevent ARP attacks.
Network Diagram
Figure 1-4 Network diagram for 802.1x based ARP/IP attack defense
Configuration Procedures
# Enter system view.
<Switch> system-view
# Enable 802.1x authentication globally.
[Switch] dot1x
# Enable ARP attack detection for VLAN 1.
[Switch] vlan 1
[Switch-vlan1] arp detection enable
[Switch-vlan1] quit
# Configure Ethernet 1/0/2 and Ethernet 1/0/3 as ARP trusted ports.
[Switch] interface Ethernet1/0/2
[Switch-Ethernet1/0/2] arp detection trust
[Switch-Ethernet1/0/2] quit
[Switch] interface Ethernet1/0/3
[Switch-Ethernet1/0/3] arp detection trust
[Switch-Ethernet1/0/3] quit
# Enable using IP-MAC bindings of authenticated 802.1x clients for ARP attack detection.
[Switch] ip source static import dot1x
To Next Page
Loading...