
Configuration considerations, Configuration procedure – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


Figure 141 Network diagram

Configuration considerations

An attacker may send the gateway a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway in the following steps:

1. Enable source MAC address based ARP attack detection and specify the filter mode.

2. Set the threshold.

3. Set the age timer for detection entries.

4. Configure the MAC address of the server as a protected MAC address so that it can send ARP packets.

Configuration procedure

# Enable source MAC address based ARP attack detection and specify the filter mode.

<AC> system-view

[AC] arp anti-attack source-mac filter

# Set the threshold to 30.

[AC] arp anti-attack source-mac threshold 30

# Set the age timer for detection entries to 60 seconds.

[AC] arp anti-attack source-mac aging-time 60

# Configure 0012-3f86-e94c as a protected MAC address.

[AC] arp anti-attack source-mac exclude-mac 0012-3f86-e94c
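
The following Python sketch is an added illustration, not H3C code and not the device's actual implementation. It models how the four settings above interact in filter mode. The 5-second counting window, the class and function names, and the sample traffic are assumptions made for the example.

```python
# Simplified model of source-MAC-based ARP attack detection in filter mode.
# Added illustration only; the counting window is an assumed parameter.
from collections import defaultdict, deque

class SourceMacDetector:
    def __init__(self, threshold=30, aging_time=60, exclude=(), window=5.0):
        self.threshold = threshold        # arp anti-attack source-mac threshold
        self.aging_time = aging_time      # arp anti-attack source-mac aging-time
        self.exclude = set(exclude)       # arp anti-attack source-mac exclude-mac
        self.window = window              # assumed counting interval, in seconds
        self.recent = defaultdict(deque)  # MAC -> timestamps of recent ARP packets
        self.entries = {}                 # MAC -> expiry time of its detection entry

    def handle(self, ts, src_mac):
        """Return 'forward' or 'drop' for one ARP packet seen at time ts."""
        if src_mac in self.exclude:
            return "forward"              # protected MACs are never counted
        expiry = self.entries.get(src_mac)
        if expiry is not None:
            if ts < expiry:
                return "drop"             # detection entry still live: filter
            del self.entries[src_mac]     # entry aged out: count from scratch
            self.recent[src_mac].clear()
        q = self.recent[src_mac]
        q.append(ts)
        while q[0] <= ts - self.window:   # forget packets outside the window
            q.popleft()
        if len(q) > self.threshold:       # threshold exceeded: create an entry
            self.entries[src_mac] = ts + self.aging_time
            return "drop"
        return "forward"

def replay(detector, packets):
    """Replay (timestamp, mac) pairs and tally the verdicts per source MAC."""
    tally = defaultdict(lambda: {"forward": 0, "drop": 0})
    for ts, mac in packets:
        tally[mac][detector.handle(ts, mac)] += 1
    return {mac: dict(counts) for mac, counts in tally.items()}

# Constructed traffic: a flooding source, the protected server, a quiet client.
FLOOD, SERVER, QUIET = "0000-5e00-5301", "0012-3f86-e94c", "0000-5e00-5302"
packets = [(i * 0.05, FLOOD) for i in range(100)]     # 20 packets/s for 5 s
packets += [(i * 0.05, SERVER) for i in range(100)]   # same rate, but excluded
packets += [(float(i), QUIET) for i in range(5)]      # 1 packet/s
packets += [(70.0, FLOOD)]                            # sent after the entry aged out
packets.sort()

if __name__ == "__main__":
    print(replay(SourceMacDetector(exclude={SERVER}), packets))
```

In this model the flooding source is filtered from its 31st packet until its detection entry ages out, while the server sends at the same rate without being filtered because its MAC address is excluded.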

Figure 141 labels: IP network, Gateway, AC, ARP attack protection, AP 1, AP 2, Client 1 to Client 4, Server (0012-3f86-e94c).