306
Configuring source MAC address based ARP
attack detection
Introduction
This feature allows the switch to check the source MAC address of ARP packets delivered to the CPU. If
the number of ARP packets from a MAC address exceeds the specified threshold within five seconds, the
switch considers this an attack and adds the MAC address to the attack detection table. Before the attack
detection entry is aged out, the switch generates a log message upon receiving an ARP packet sourced
from that MAC address and filters out subsequent ARP packets from that MAC address (in filter mode),
or only generates a log message upon receiving an ARP packet sourced from that MAC address (in
monitor mode).
A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from
being discarded, you can specify the MAC address of the gateway or server as a protected MAC
address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
Configuration procedure
Follow these steps to configure source MAC address based ARP attack detection:
To do… Use the command…
Remarks
Enter system view system-view —
Enable source MAC address
based ARP attack detection and
specify the detection mode
arp anti-attack source-mac { filter |
monitor }
Required
Disabled by default.
Configure the threshold
arp anti-attack source-mac
threshold threshold-value
Optional
50 by default.
Configure the age timer for ARP
attack detection entries
arp anti-attack source-mac
aging-time time
Optional
300 seconds by default.
Configure protected MAC
addresses
arp anti-attack source-mac
exclude-mac mac-address&<1-10>
Optional
No protected MAC address is
configured by default.
NOTE:
fter an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can
be processed normally.
To Next Page
Loading...
