
H3C S5120-EI Series User Manual

1166 pages
3 ARP Attack Defense Configuration
When configuring ARP attack defense, go to these sections for information you are interested in:
• Configuring ARP Source Suppression
• Configuring ARP Defense Against IP Packet Attacks
• Configuring ARP Active Acknowledgement
• Configuring Source MAC Address Based ARP Attack Detection
• Configuring ARP Packet Source MAC Address Consistency Check
• Configuring ARP Packet Rate Limit
• Configuring ARP Detection
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network
attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide
multiple features to detect and prevent such attacks. This chapter mainly introduces these features.
Configuring ARP Source Suppression
Introduction to ARP Source Suppression
If a device receives large numbers of IP packets from a host to unreachable destinations:
• The device sends large numbers of ARP requests to the destination subnets, which increases the
load of the destination subnets.
• The device continuously resolves destination IP addresses, which increases the load of the CPU.
To protect the device from such attacks, you can enable the ARP source suppression function. With the
function enabled, whenever the number of packets with unresolvable destination IP addresses from a
host within five seconds exceeds a specified threshold, the device suppresses the sending host from
triggering any ARP requests within the following five seconds.
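The following model of the counting and suppression behaviour described above is an added example, not code from the manual or from H3C. The class and function names, the sample address and traffic, and the exact windowing (the window opens on a host's first packet, and the packet that exceeds the limit is itself suppressed) are assumptions.

```python
WINDOW_MS = 5000  # counting interval and suppression interval, both five seconds

class ArpSourceSuppression:
    """Model of the documented behaviour; the windowing details are assumptions."""

    def __init__(self, limit=10):      # 10 is the documented default limit
        self.limit = limit
        self.window_start = {}         # source IP -> start of counting window (ms)
        self.count = {}                # source IP -> unresolvable packets in window
        self.suppressed_until = {}     # source IP -> end of suppression (ms)

    def may_trigger_arp(self, src, now_ms):
        """Called for each packet whose destination IP cannot be resolved."""
        if now_ms < self.suppressed_until.get(src, 0):
            return False               # host is suppressed: no ARP request sent
        start = self.window_start.get(src)
        if start is None or now_ms - start >= WINDOW_MS:
            self.window_start[src] = now_ms   # assumption: window opens on first packet
            self.count[src] = 0
        self.count[src] += 1
        if self.count[src] > self.limit:      # count "exceeds" the threshold
            self.suppressed_until[src] = now_ms + WINDOW_MS
            del self.window_start[src]        # start counting afresh afterwards
            return False
        return True

def simulate(limit, interval_ms, duration_ms, src="192.0.2.10"):
    """Constructed traffic: one host sends a packet every interval_ms to
    unreachable destinations. Returns (packets that triggered ARP, packets sent)."""
    dev = ArpSourceSuppression(limit)
    times = range(0, duration_ms, interval_ms)
    allowed = sum(dev.may_trigger_arp(src, t) for t in times)
    return allowed, len(times)

if __name__ == "__main__":
    for limit, interval in [(10, 50), (10, 1000), (100, 50)]:
        print(limit, interval, simulate(limit, interval, 12000))
```

In this model, a host sending 20 such packets per second against the default limit of 10 triggers ARP resolution for only 30 of 240 packets over 12 seconds, while a limit of 100 suppresses nothing at that rate because the count never exceeds the threshold.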
Configuring ARP Source Suppression
Follow these steps to configure ARP source suppression:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable ARP source suppression | arp source-suppression enable | Required. Disabled by default. |
| Set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five consecutive seconds | arp source-suppression limit limit-value | Optional. 10 by default. |
