Operation Manual – ARP
H3C S3100 Series Ethernet Switches Chapter 1 ARP Configuration
1-13
1.5.2 ARP Attack Detection and Packet Rate Limit Configuration Example
I. Network requirements
As shown in Figure 1-4, Ethernet1/0/1 of Switch A (S3100-EI) connects to DHCP
Server; Ethernet1/0/2 connects to Client A, Ethernet1/0/3 connects to Client B.
Ethernet1/0/1, Ethernet1/0/2 and Ethernet1/0/3 belong to VLAN 1.
z Enable DHCP snooping on Switch A and specify Ethernet1/0/1 as the DHCP
snooping trusted port.
z Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks,
and specify Ethernet1/0/1 as the ARP trusted port.
z Enable the ARP packet rate limit function on Ethernet1/0/2 and Ethernet1/0/3 of
Switch A, so as to prevent Client A and Client B from attacking Switch A through
ARP traffic.
z Enable the port state auto recovery function on the ports of Switch A, and set the
recovery interval to 200 seconds.
II. Network diagram
Figure 1-4 ARP attack detection and packet rate limit configuration
III. Configuration procedure
# Enable DHCP snooping on Switch A.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify Ethernet1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
[SwitchA] interface Ethernet1/0/1
[SwitchA-Ethernet1/0/1] dhcp-snooping trust
[SwitchA-Ethernet1/0/1] arp detection trust
[SwitchA-Ethernet1/0/1] quit
To Next Page
Loading...
Need help?
General