332
4. Exclude the MAC address of the server from this detection.
Configuration procedure
# Enable source MAC-based ARP attack detection, and specify the handling method as filter.
<Device> system-view
[Device] arp source-mac filter
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
[Device] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency
check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet
header is different from the sender MAC address in the message body. This feature allows the gateway
to learn correct ARP entries.
To enable ARP packet source MAC address consistency check:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable ARP packet source MAC address
consistency check.
arp valid-check enable
By default, ARP packet source
MAC address consistency check
is disabled.
Configuring ARP active acknowledgement
Configure this feature on gateways to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
In strict mode, a gateway performs more strict validity checks before creating an ARP entry:
• Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but does
not create an ARP entry.
• Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP
address:
{ If yes, the gateway performs active acknowledgement. When the ARP reply is verified as valid,
the gateway creates an ARP entry.
{ If no, the gateway discards the packet.
To configure ARP active acknowledgement:
To Next Page
Loading...
Need help?
General
