Configuring source mac-based arp attack detection, Configuration procedure – H3C Technologies H3C S6300 Series Switches User Manual

Step | Command | Remarks
5. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A
6. Enable ARP packet rate limit and configure the rate limit. | arp rate-limit [ pps ] | By default, ARP packet rate limit is enabled, and the rate limit is 100 pps.

NOTE:

If you enable notification sending and logging for ARP packet rate limit on a Layer 2 aggregate interface,
the functions apply to all aggregation member ports.

Configuring source MAC-based ARP attack detection

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the following methods:

Monitor—Only generates log messages.

Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.

You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.

Configuration procedure

To configure source MAC-based ARP attack detection:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
2. Enable source MAC-based ARP attack detection and specify the handling method. | arp source-mac { filter | monitor } | By default, this feature is disabled.
3. Configure the threshold. | arp source-mac threshold threshold-value | The default threshold is 30.
4. Configure the aging timer for ARP attack entries. | arp source-mac aging-time time | By default, the lifetime is 300 seconds.
5. (Optional.) Exclude specific MAC addresses from this detection. | arp source-mac exclude-mac mac-address&<1-10> | By default, no MAC address is excluded.

NOTE:

When an ARP attack entry is aged out, ARP packets sourced from the MAC address in the entry can be
processed correctly.
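The following Python model is an added example, not H3C code or any Comware implementation; it ties together the feature description above (5-second count, threshold, attack entry, monitor versus filter, excluded MACs) and the procedure's parameters (arp source-mac { filter | monitor }, arp source-mac threshold, arp source-mac aging-time, arp source-mac exclude-mac) so the interaction of threshold, aging timer and exclusion list can be traced on constructed traffic. The class name, the sliding 5-second window, the choice to forward the packet that trips the threshold, and the sample MAC addresses are assumptions of this example, not behaviour the manual states.

```python
from collections import deque
from dataclasses import dataclass, field

# Values taken from the manual page: 5-second counting window, default
# threshold of 30 packets, default attack-entry lifetime of 300 seconds.
WINDOW_SECONDS = 5
DEFAULT_THRESHOLD = 30
DEFAULT_AGING_TIME = 300


@dataclass
class SourceMacArpDetector:
    """Hypothetical model of source MAC-based ARP attack detection (not Comware code)."""
    mode: str = "monitor"                        # arp source-mac { filter | monitor }
    threshold: int = DEFAULT_THRESHOLD           # arp source-mac threshold threshold-value
    aging_time: int = DEFAULT_AGING_TIME         # arp source-mac aging-time time
    exclude_macs: frozenset = frozenset()        # arp source-mac exclude-mac ...
    recent: dict = field(default_factory=dict)   # mac -> deque of arrival timestamps
    attack_entries: dict = field(default_factory=dict)  # mac -> entry expiry time
    logs: list = field(default_factory=list)

    def handle(self, ts: float, src_mac: str) -> str:
        """Decide what happens to one ARP packet delivered to the CPU at time ts.

        Returns "forward" or "drop".
        """
        src_mac = src_mac.lower()
        if src_mac in self.exclude_macs:
            return "forward"  # excluded gateways/servers are never inspected

        # Age out the attack entry once its lifetime has expired; packets from the
        # MAC are then processed normally again (see the NOTE in the manual).
        expiry = self.attack_entries.get(src_mac)
        if expiry is not None and ts >= expiry:
            del self.attack_entries[src_mac]
            self.logs.append(f"{ts}: attack entry for {src_mac} aged out")
            expiry = None

        if expiry is not None:
            # Active attack entry: filter drops subsequent packets, monitor only logs.
            self.logs.append(f"{ts}: ARP packet from {src_mac} while entry active ({self.mode})")
            return "drop" if self.mode == "filter" else "forward"

        # Count packets from this MAC within the window (assumption: sliding window).
        times = self.recent.setdefault(src_mac, deque())
        times.append(ts)
        while times and ts - times[0] >= WINDOW_SECONDS:
            times.popleft()
        if len(times) > self.threshold:
            self.attack_entries[src_mac] = ts + self.aging_time
            times.clear()
            self.logs.append(
                f"{ts}: {src_mac} sent more than {self.threshold} ARP packets "
                f"in {WINDOW_SECONDS}s, attack entry added"
            )
        # Assumption: the packet that trips the threshold is itself still forwarded;
        # only subsequent packets are affected by the entry.
        return "forward"


def simulate(detector: SourceMacArpDetector, packets) -> list:
    """Run (timestamp, src_mac) tuples through the detector and return the decisions."""
    return [detector.handle(ts, mac) for ts, mac in sorted(packets)]


def demo():
    """Constructed traffic: a 40-packet ARP burst from one host plus one gateway packet."""
    attacker = "0001-0203-0405"  # constructed sample MAC
    gateway = "000f-e200-0001"   # constructed sample MAC, excluded from detection
    det = SourceMacArpDetector(mode="filter", exclude_macs=frozenset({gateway}))
    packets = [(i * 0.02, attacker) for i in range(40)]  # 40 packets inside one second
    packets.append((0.5, gateway))
    packets.append((301.0, attacker))  # arrives after the 300 s entry lifetime
    decisions = simulate(det, packets)
    return (decisions.count("forward"), decisions.count("drop"), sorted(det.attack_entries))


if __name__ == "__main__":
    print(demo())  # (33, 9, [])
```

With the defaults, the 31st packet inside the window creates the entry, the remaining nine burst packets are dropped in filter mode, the excluded gateway packet passes untouched, and the packet sent after the aging timer has run out is forwarded again because the entry has been removed. On the switch the same behaviour corresponds to arp source-mac filter, arp source-mac threshold 30, arp source-mac aging-time 300 and arp source-mac exclude-mac with the gateway's address.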