335
Configuring source MAC address based ARP
attack detection
Introduction
With this feature enabled, the device checks the source MAC address of ARP packets delivered to the
CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the
specified threshold. The device adds the MAC address to the attack detection table.
Before the attack detection entry is aged out, the device uses either of the following detection modes to
respond to the detected attack:
• Monitor mode: Generates a log message.
• Filter mode: Generates a log message and filters out subsequent ARP packets from the attacking
MAC address.
You can also configure protected MAC addresses to exclude a gateway or server from detection. A
protected MAC address is excluded from ARP attack detection even if it is an attacker.
Configuration procedure
Follow these steps to configure source MAC address based ARP attack detection:
To do… Use the command…
Remarks
Enter system view system-view —
Enable source MAC address
based ARP attack detection and
specify the detection mode
arp anti-attack source-mac { filter |
monitor }
Required
Disabled by default.
Configure the threshold
arp anti-attack source-mac
threshold threshold-value
Optional
50 by default.
Configure the age timer for ARP
attack detection entries
arp anti-attack source-mac
aging-time time
Optional
300 seconds by default.
Configure protected MAC
addresses
arp anti-attack source-mac
exclude-mac mac-address&<1-10>
Optional
Not configured by default.
NOTE:
fter an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can
be processed normally.
To Next Page
Loading...
Need help?
General