415
an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the
following methods:
• Monitor—Only generates log messages.
• Filter—Generates log messages and filters out subsequent ARP packets from that MAC
address.
You can exclude the MAC addresses of some gateways and servers from this detection. This feature
does not inspect ARP packets from those devices even if they are attackers.
Configuration procedure
To configure source MAC-based ARP attack detection:
1. Enter system view.
system-view
N/A
2. Enable source MAC-based
specify the handling method.
arp source-mac
{
filter
|
monitor
}
By default
disabled.
3. Set the threshold.
arp source-
threshold-value
The default threshold is 30.
4. Set the aging timer for ARP
attack entries.
arp source-mac aging-time
time
By default
seconds.
5. (Optional.)
MAC addresses
detection.
arp source-mac exclude-mac
mac-address&<1-10>
By default, no
excluded.
n an ARP attack entry is aged out
, ARP packets sourced from the MAC address in the entry can
be processed correctly.
Displaying and maintaining source MAC-based ARP attack
detection
Execute display commands in any view.
Display ARP attack entries detected by source
MAC-based ARP attack detection.
display arp source-mac
{
slot
slot-number |
interface
interface-type interface-number
}
Configuration example
Network requirements
As shown in Figure 123, the hosts access the Internet through a gateway (Device). If malicious users
send a large number of ARP requests to the gateway, the gateway might crash and cannot process
requests from the clients. To solve this problem, configure source MAC-based ARP attack detection
on the gateway.
To Next Page
Loading...
