361
NOTE:
If you enable notification sending and logging for ARP packet rate limit on a Layer 2 a
re
ate interface,
the functions apply to all aggregation member ports.
Configuring source MAC-based ARP attack
detection
This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the
same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP
attack entry. Before the entry is aged out, the device handles the attack by using either of the following
methods:
• Monitor—Only generates log messages.
• Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
You can exclude the MAC addresses of some gateways and servers from this detection. This feature does
not inspect ARP packets from those devices even if they are attackers.
Configuration procedure
To configure source MAC-based ARP attack detection:
Ste
Command
Remarks
1. Enter system view.
system-view N/A
2. Enable source MAC-based
ARP attack detection and
specify the handling method.
arp source-mac { filter | monitor } By default, this feature is disabled.
3. Configure the threshold.
arp source-mac threshold
threshold-value
The default threshold is 30.
4. Configure the aging timer for
ARP attack entries.
arp source-mac aging-time time
By default, the lifetime is 300
seconds.
5. (Optional.) Exclude specific
MAC addresses from this
detection.
arp source-mac exclude-mac
mac-address&<1-10>
By default, no MAC address is
excluded.
NOTE:
hen an ARP attack entry is aged out, ARP packets sourced from the MAC address in the entry can be
processed correctly.
Displaying and maintaining source MAC-based ARP attack
detection
Execute display commands in any view.
To Next Page
Loading...
Need help?
General
