Configuration procedure – H3C Technologies H3C S7500E Series Switches User Manual

14-4

detection entry is aged out, the device generates an alarm and filters out ARP packets sourced from

that MAC address (in filter mode), or only generates an alarm (in monitor mode).

A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets

from being discarded, you can specify the MAC address of the gateway or server as a protected MAC

address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.

Only the ARP packets delivered to the CPU are detected.

Configuration Procedure

Follow these steps to configure source MAC address based ARP attack detection:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enable source MAC address

based ARP attack detection and

specify the detection mode

arp anti-attack source-mac

{ filter | monitor }

Required

Disabled by default.

Configure the threshold

arp anti-attack source-mac

threshold threshold-value

Optional

50 by default.

Configure the aging timer for

source MAC address based ARP

attack detection entries

arp anti-attack source-mac

aging-time time

Optional

300 seconds by default.

Configure protected MAC

addresses

arp anti-attack source-mac

exclude-mac

mac-address&<1-10>

Optional

Not configured by default.

After an ARP attack detection entry expires, the MAC address of the entry becomes ordinary.

Displaying and Maintaining Source MAC Address Based ARP Attack Detection

To do…

Use the command…

Remarks

Display attacking entries detected

(for distributed devices)

display arp anti-attack source-mac { slot

slot-number | interface interface-type

interface-number }

Available in any

view

Display attacking entries detected

(for distributed IRF devices)

display arp anti-attack source-mac { chassis

chassis-number slot slot-number | interface

interface-type interface-number }

Available in any

view