459
entry for the MAC address. Before the entry ages out, the device handles the attack by using either
of the following methods:
• Monitor—Only generates log messages.
• Filter—Generates log messages and filters out subsequent ARP packets from the MAC
address.
Make sure you have enabled the ARP logging feature before enabling the source MAC-based ARP
attack detection feature. For information about the ARP logging feature, see Layer 3—IP Services
Configuration Guide.
You can exclude the MAC addresses of some gateways and servers from this detection. This feature
does not inspect ARP packets from those devices even if they are attackers.
Configuration procedure
To configure source MAC-based ARP attack detection:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable source MAC-based
ARP attack detection and
specify the handling method.
arp source-mac
{
filter
|
monitor
}
By default, this feature is
disabled.
When you change the handling
method from monitor to filter, the
configuration takes effect
immediately.
When you change the handling
method from filter to monitor, the
device continues filtering packets
that match existing attack entries.
3. Set the threshold.
arp source-mac threshold
threshold-value
The default threshold is 30.
4. Set the aging timer for ARP
attack entries.
arp source-mac aging-time
time
By default, the lifetime is 300
seconds.
5. (Optional.) Exclude specific
MAC addresses from this
detection.
arp source-mac exclude-mac
mac-address&<1-10>
By default, no MAC address is
excluded.
NOTE:
When an
RP attack entry is aged out, ARP packets sourced from the MAC address in the entry can
be processed correctly.
Displaying and maintaining source MAC-based ARP attack
detection
Execute display commands in any view.
Task Command
Display ARP attack entries detected by source
MAC-based ARP attack detection.
display arp source-mac
{
slot
slot-number |
interface
interface-type interface-number
}
To Next Page
Loading...
Need help?
General