403
Configuration procedure
# Enable source MAC-based ARP attack detection and specify the handling method.
<Device> system-view
[Device] arp source-mac filter
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude 0012-3f86-e94c from this detection.
[Device] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency
check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet
header is different from the sender MAC address in the message body, so that the gateway can learn
correct ARP entries.
To enable ARP packet source MAC address consistency check:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable ARP packet source
MAC address consistency
check.
arp anti-attack valid-check enable
Disabled by default.
Configuring ARP active acknowledgement
Configure this feature on gateway devices to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
To configure ARP active acknowledgement:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable the ARP active
acknowledgement function.
arp anti-attack active-ack
enable
Disabled by default.
Configuring ARP automatic scanning and fixed
ARP
ARP automatic scanning is usually used together with the fixed ARP feature.
With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on
the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates
dynamic ARP entries.
To Next Page
Loading...
Need help?
General
