6
[Switch] interface Ethernet 1/0/2
[Switch-Ethernet1/0/2] arp filter source 192.168.100.1
[Switch-Ethernet1/0/2] quit
# Configure ARP packet filtering based on the gateway’s IP address on Ethernet 1/0/3.
[Switch] interface Ethernet 1/0/3
[Switch-Ethernet1/0/3] arp filter source 192.168.100.1
[Switch-Ethernet1/0/3] quit
ARP Attack Defense Configuration Example II
Network Requirements
Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B). To
prevent ARP attacks such as ARP flooding:
z Enable ARP packet source MAC address consistency check on Switch A to block ARP packets
with the sender MAC address different from the source MAC address in the Ethernet header.
z Limit the number of dynamic ARP entries learned on VLAN-interface 1.
Network Diagram
Figure 1-3 Network diagram for ARP attack defense II
Switch A (Gateway)
Switch B
Host B
Host A
Vlan-int
192.168.1.1/24
Configuration Procedures
# Enter system view.
<SwitchA> system-view
# Enable ARP source MAC address consistency check.
[SwitchA] arp anti-attack valid-check enable
# Enter VLAN-interface 1 view.
[SwitchA] interface vlan-interface 1
# Configure an IP address for VLAN-interface 1.
[SwitchA-Vlan-interface1] ip address 192.168.1.1/24
# Configure the maximum number of ARP entries that can be learned by VLAN-interface 1 as 500.
To Next Page
Loading...
