Arp attack defense configuration example, Arp attack defense configuration example i, Network requirements – H3C Technologies H3C S3600 Series Switches User Manual

| To do… | Use the command… | Remarks |
|---|---|---|
| Configure the maximum ARP packet rate allowed on the port | arp rate-limit rate | Optional. By default, the maximum ARP packet rate allowed on a port is 15 pps. |
| Quit to system view | quit | - |
| Enable the port state auto-recovery function | arp protective-down recover enable | Optional. Disabled by default. |
| Configure the port state auto-recovery interval | arp protective-down recover interval interval | Optional. By default, when the port state auto-recovery function is enabled, the port state auto-recovery interval is 300 seconds. |

- You need to enable the port state auto-recovery feature before you can configure the port state auto-recovery interval.
- Configuring the ARP packet rate limit function on the ports of a fabric or an aggregation group is not recommended.

ARP Attack Defense Configuration Example

ARP Attack Defense Configuration Example I

Network requirements

As shown in Figure 2-3, Ethernet 1/0/1 of Switch A connects to DHCP Server; Ethernet 1/0/2 connects to Client A, Ethernet 1/0/3 connects to Client B. Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 belong to VLAN 1.

- Enable DHCP snooping on Switch A and specify Ethernet 1/0/1 as the DHCP snooping trusted port.
- Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks, and specify Ethernet 1/0/1 as the ARP trusted port.
- Enable the ARP packet rate limit function on Ethernet 1/0/2 and Ethernet 1/0/3 of Switch A, so as to prevent Client A and Client B from attacking Switch A through ARP traffic.
- Enable the port state auto-recovery function on the ports of Switch A, and set the recovery interval to 200 seconds.
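Added example, not from the H3C manual: a Python check that a saved Switch A configuration meets the four requirements listed above, including that the client ports stay untrusted. The sample configuration is constructed; the indented section layout, the function names, and the `dhcp-snooping`, `dhcp-snooping trust`, `arp detection enable`, `arp detection trust` and `arp rate-limit enable` command spellings are assumptions that do not appear on this page.

```python
# Constructed sample configuration for Switch A (not from the manual). Assumed commands,
# not on this page: dhcp-snooping [trust], arp detection enable/trust, arp rate-limit enable.
SAMPLE = """\
dhcp-snooping
arp protective-down recover enable
arp protective-down recover interval 200
vlan 1
 arp detection enable
interface Ethernet1/0/1
 dhcp-snooping trust
 arp detection trust
interface Ethernet1/0/2
 arp rate-limit enable
interface Ethernet1/0/3
 arp rate-limit enable
"""
TRUST = ("dhcp-snooping trust", "arp detection trust")

def sections(cfg):
    """Map 'vlan N' / 'interface X' headers to their commands; the rest is 'system'."""
    out, cur = {"system": []}, "system"
    for line in filter(str.strip, cfg.splitlines()):
        if not line[0].isspace():  # unindented: section header or system command
            cur = line.strip() if line.startswith(("vlan ", "interface ")) else "system"
            out.setdefault(cur, [])
            if cur != "system":
                continue
        out[cur].append(line.strip())
    return out

def audit(cfg, trusted="Ethernet1/0/1",
          clients=("Ethernet1/0/2", "Ethernet1/0/3"), interval=200):
    """Return the requirements of the example that the configuration misses."""
    s, gaps = sections(cfg), []
    def need(sec, cmd):
        if cmd not in s.get(sec, []):
            gaps.append(f"{sec}: missing '{cmd}'")
    need("system", "dhcp-snooping")
    need("vlan 1", "arp detection enable")
    for cmd in TRUST:
        need(f"interface {trusted}", cmd)
    for port in clients:
        need(f"interface {port}", "arp rate-limit enable")
        for cmd in TRUST:  # client ports must stay untrusted (per the example)
            if cmd in s.get(f"interface {port}", []):
                gaps.append(f"interface {port}: unexpected '{cmd}'")
    need("system", "arp protective-down recover enable")
    need("system", f"arp protective-down recover interval {interval}")
    return gaps
```

`audit(SAMPLE)` returns an empty list; each unmet requirement comes back as a string naming the section and the command.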
