Configuration procedure – H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enter Layer 2 Ethernet interface view, Layer 2 aggregate interface view, or WLAN-ESS interface view.
   Command: interface interface-type interface-number
   Remarks: N/A

Step 3. Configure ARP packet rate limit.
   Command: arp rate-limit { disable | rate pps drop }
   Remarks: Not configured by default.

NOTE:
• If you enable ARP packet rate limit on a Layer 2 aggregate interface, trap and log messages are sent when the ARP packet rate of a member port exceeds the preset threshold rate.
• For more information about the snmp-agent trap enable arp rate-limit command, see the snmp-agent trap enable arp command in Network Management and Monitoring Command Reference.

Configuring source MAC address based ARP attack detection
This feature allows the device to check the source MAC address of ARP packets delivered to the CPU. If
the number of ARP packets from a MAC address within five seconds exceeds the specified threshold, the
device considers this an attack and adds the MAC address to the attack detection table. Before the attack
detection entry is aged out, the device generates a log message upon receiving an ARP packet sourced
from that MAC address and filters out subsequent ARP packets from that MAC address (in filter mode),
or only generates a log message upon receiving an ARP packet sourced from that MAC address (in
monitor mode).
A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets from
being discarded, you can specify the MAC address of the gateway or server as a protected MAC
address. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
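
The following Python model is an added example, not H3C code or part of the manual. It replays constructed ARP traffic through the behavior described above to show how filter mode, monitor mode, and a protected MAC address differ. The class and function names, the sliding five-second window, and aging counted from the moment of detection are assumptions; the threshold of 50 and the 300-second age timer are the manual's defaults.

```python
from collections import defaultdict, deque

WINDOW_S = 5  # counting interval stated in the manual


class SourceMacArpDetector:
    """Hypothetical model of the feature; not H3C's implementation."""

    def __init__(self, mode="filter", threshold=50, aging_time=300, protected=()):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.mode, self.threshold, self.aging_time = mode, threshold, aging_time
        self.protected = {m.lower() for m in protected}
        self.recent = defaultdict(deque)  # MAC -> timestamps inside the window
        self.entries = {}                 # attack detection table: MAC -> expiry time
        self.log = []

    def handle(self, ts, src_mac):
        """Return True if the ARP packet is delivered, False if it is filtered."""
        mac = src_mac.lower()
        if mac in self.protected:         # protected MACs are excluded from detection
            return True
        if mac in self.entries and ts >= self.entries[mac]:
            del self.entries[mac]         # entry aged out: start counting afresh
            self.recent[mac].clear()
        if mac in self.entries:           # live entry: always log, drop only in filter mode
            self.log.append((ts, mac, "ARP from detected source"))
            return self.mode == "monitor"
        window = self.recent[mac]
        window.append(ts)
        while window[0] <= ts - WINDOW_S: # assumption: sliding five-second window
            window.popleft()
        if len(window) > self.threshold:  # count exceeds the threshold
            self.entries[mac] = ts + self.aging_time  # assumption: aged from detection
            self.log.append((ts, mac, "attack detected"))
        return True


def replay(detector, events):
    """Feed (timestamp, mac) events; return delivered-packet counts per MAC."""
    delivered = defaultdict(int)
    for ts, mac in events:
        delivered[mac] += detector.handle(ts, mac)
    return dict(delivered)


# Constructed sample: two hosts each sending 100 ARP packets in about two seconds.
FLOODER, GATEWAY = "00e0-fc12-3456", "00e0-fc00-0001"
SAMPLE = sorted((i * 0.02, mac) for i in range(100) for mac in (FLOODER, GATEWAY))
```

With the gateway protected and filter mode selected, the flooding host has 51 packets delivered (the 51st trips the threshold) and the remaining 49 dropped and logged, while the gateway's 100 packets all pass. In monitor mode nothing is dropped, so the log is the only signal.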
Configuration procedure
To configure source MAC address based ARP attack detection:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enable source MAC address based ARP attack detection and specify the detection mode.
   Command: arp anti-attack source-mac { filter | monitor }
   Remarks: Disabled by default.

Step 3. Configure the threshold.
   Command: arp anti-attack source-mac threshold threshold-value
   Remarks: Optional. 50 by default.

Step 4. Configure the age timer for ARP attack detection entries.
   Command: arp anti-attack source-mac aging-time time
   Remarks: Optional. 300 seconds by default.