Other arp attack defense functions, Overview, Source mac address based arp attack detection – H3C Technologies H3C WX6000 Series Access Controllers User Manual
Page 170: Arp active acknowledgement, Table 23-1
23-4
Table 23-1 ARP Detection configuration items
Item
Description
VLAN Settings
Select VLANs on which ARP detection is to be enabled.
To add VLANs to the Enabled VLANs list box, select one or multiple VLANs from the
Disabled VLANs list box and click the << button.
To remove VLANs from the Enabled VLANs list box, select one or multiple VLANs from the
list box and click the >> button.
Trusted Ports
Select trusted ports and untrusted ports.
To add ports to the Trusted Ports list box, select one or multiple ports from the Untrusted
Ports list box and click the << button.
To remove ports from the Trusted Ports list box, select one or multiple ports from the list
box and click the >> button.
ARP Packet
Validity Check
Select ARP packet validity check modes, including:
Discard the ARP packet whose sender MAC address is different from the source MAC
address in the Ethernet header
Discard the ARP packet whose target MAC address is all 0s, all 1s, or inconsistent with
the destination MAC address in the Ethernet header
Discard the ARP request whose source IP address is all 0s, all 1s, or a multicast
address, and discard the ARP reply whose source and destination IP addresses are all
0s, all 1s, or multicast addresses
If none of the above is selected, the system does not check the validity of ARP packets.
Other ARP Attack Defense Functions
Overview
Source MAC address based ARP attack detection
This feature allows the device to check the source MAC address of ARP packets. If the number of ARP
packets received from a MAC address within five seconds exceeds the specified value, the device
considers this an attack, thus generates an alarm, and blocks traffic from that source MAC address.
Only the ARP packets delivered to the CPU are detected.
ARP active acknowledgement
Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid
ARP packets. With this feature enabled, the gateway, upon receiving an ARP packet with a sender MAC
address different from that in the corresponding ARP entry, checks whether the ARP entry has been
updated within the last minute:
If yes, the gateway does not update the ARP entry;
If not, the gateway unicasts an ARP request to the MAC address in the ARP entry.
Then,
If an ARP reply is received within five seconds, the ARP packet is ignored;
If not, the gateway unicasts an ARP request to the sender MAC address of the ARP packet.
Then,
If an ARP reply is received within five seconds, the gateway updates the ARP entry;
If not, the ARP entry is not updated.