Network diagram, Configuration procedure – H3C Technologies H3C S3600 Series Switches User Manual

Network diagram

Figure 2-3 ARP attack detection and packet rate limit configuration

Configuration procedure

# Enable DHCP snooping on Switch A.

<SwitchA> system-view

[SwitchA] dhcp-snooping

# Specify Ethernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port.

[SwitchA] interface Ethernet 1/0/1

[SwitchA-Ethernet1/0/1] dhcp-snooping trust

[SwitchA-Ethernet1/0/1] arp detection trust

[SwitchA-Ethernet1/0/1] quit

# Enable ARP attack detection on all ports in VLAN 1.

[SwitchA] vlan 1

[SwitchA-vlan1] arp detection enable

[SwitchA-vlan1] quit

# Enable the ARP packet rate limit function on Ethernet 1/0/2, and set the maximum ARP packet rate allowed on the port to 20 pps.

[SwitchA] interface Ethernet 1/0/2

[SwitchA-Ethernet1/0/2] arp rate-limit enable

[SwitchA-Ethernet1/0/2] arp rate-limit 20

[SwitchA-Ethernet1/0/2] quit

# Enable the ARP packet rate limit function on Ethernet 1/0/3, and set the maximum ARP packet rate allowed on the port to 50 pps.

[SwitchA] interface Ethernet 1/0/3

[SwitchA-Ethernet1/0/3] arp rate-limit enable

[SwitchA-Ethernet1/0/3] arp rate-limit 50

[SwitchA-Ethernet1/0/3] quit

# Configure the port state auto recovery function, and set the recovery interval to 200 seconds.

[SwitchA] arp protective-down recover enable

[SwitchA] arp protective-down recover interval 200
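
The following check is an added example, not part of the H3C manual: it parses a CLI session written in this page's prompt format and lists which of the protections configured above are missing. The function names, the gap wording and the sample session are constructed for illustration, and the parser assumes the switch name contains no hyphen.

```python
import re
from collections import defaultdict

PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s+(.+)$")  # "[SwitchA-vlan1] command"
def parse_session(text):
    """Map each view ('system', 'vlan1', 'Ethernet1/0/2') to the commands typed in it."""
    views = defaultdict(list)
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:  # lines without a prompt are comments or blanks
            view = m.group(1).partition("-")[2] or "system"
            views[view].append(" ".join(m.group(2).split()))
    return views

def audit(text, access_ports):
    """Return the gaps in the ARP protections this procedure sets up."""
    views, gaps = parse_session(text), []
    if "dhcp-snooping" not in views["system"]:
        gaps.append("system: DHCP snooping not enabled")
    if not any(v.startswith("vlan") and "arp detection enable" in cmds
               for v, cmds in views.items()):
        gaps.append("no VLAN has ARP attack detection enabled")
    for port in access_ports:
        if "arp detection trust" in views[port]:
            gaps.append(f"{port}: host-facing port is ARP trusted")
        if "arp rate-limit enable" not in views[port]:
            gaps.append(f"{port}: ARP rate limit not enabled")
    if "arp protective-down recover enable" not in views["system"]:
        gaps.append("system: port state auto recovery not enabled")
    return gaps

# Constructed sample: this page's session without the Ethernet 1/0/3 and recovery steps.
SAMPLE = """\
<SwitchA> system-view
[SwitchA] dhcp-snooping
[SwitchA] interface Ethernet 1/0/1
[SwitchA-Ethernet1/0/1] dhcp-snooping trust
[SwitchA-Ethernet1/0/1] arp detection trust
[SwitchA-Ethernet1/0/1] quit
[SwitchA] vlan 1
[SwitchA-vlan1] arp detection enable
[SwitchA-vlan1] quit
[SwitchA] interface Ethernet 1/0/2
[SwitchA-Ethernet1/0/2] arp rate-limit enable
[SwitchA-Ethernet1/0/2] arp rate-limit 20
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, ["Ethernet1/0/2", "Ethernet1/0/3"])))
```

Pass the host-facing ports as `access_ports`; the uplink that is deliberately trusted (Ethernet 1/0/1 here) is left out of that list.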
