Chapter 34 Anti-Arpscan (Anti-Arpscan Overview; What You Can Do) - ZyXEL Communications GS2210 Series User Manual

Intelligent layer 2 gbe switch
34.1 Anti-Arpscan Overview

Address Resolution Protocol (ARP), RFC 826, is the protocol used to resolve a network-layer IP
address to a link-layer MAC address. An ARP scan sends ARP requests for the addresses in the subnet
of an interface and records which hosts answer, yielding the IP address and MAC address of every
live host. Attackers use ARP scans to enumerate targets inside your network before attacking them.
Anti-arpscan detects unusual ARP scan activity and blocks the suspicious hosts or ports.
Unusual ARP scan activity is determined by the port and host thresholds that you set. A port
threshold is the number of ARP packets received per second on a port. If the received ARP packet
rate exceeds the threshold, the port is put into the Err-Disable state. The port does not recover on
its own; restore it manually once you have identified the cause of the problem.
A host threshold is the number of ARP-request packets received per second from a single host
(identified by its source MAC address). There is one global host threshold for all hosts. If a host's
rate exceeds the threshold, that host is blocked with a MAC address filter. A blocked host is
released automatically after the MAC aging time expires.
Note: The port-based threshold must be larger than the host-based threshold, or the host-based
threshold will never take effect: the port would be err-disabled before any single host on it
reached its own threshold.

34.1.1 What You Can Do

• Use the Anti-Arpscan Status screen (Section 34.2 on page 310) to see which ports are trusted
and whether they are forwarding traffic or are disabled.
• Use the Anti-Arpscan Host Status screen (Section 34.3 on page 310) to view blocked hosts
and clear selected ones.
• Use the Anti-Arpscan Trust Host screen (Section 34.4 on page 311) to create or remove
trusted hosts identified by IP address and subnet mask. Anti-arpscan is not performed on
trusted hosts.
• Use the Anti-Arpscan Configure screen (Section 34.5 on page 312) to enable anti-arpscan, set
port and host thresholds, and configure ports to be trusted or untrusted.

34.1.2 What You Need to Know

• Set the uplink port as a trusted port before enabling Anti-arpscan, so that the port is not
shut down for receiving too many ARP messages. An uplink carries the ARP traffic of every host
behind it, so it can exceed a per-port threshold in normal operation.
• When a port is configured as a trusted port, Anti-arpscan is not performed on the port. Both
host and port thresholds are ignored for trusted ports: even if the received ARP packet rate on
the port, or the rate of ARP requests from a host on it, exceeds the thresholds, the trusted port
is not closed.
• If a port on the Switch is closed by Anti-arpscan and you want to recover it, do one of the
following:

GS2210 Series User's Guide 309
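The two thresholds, the Err-Disable versus MAC-filter outcomes, the trusted-port and trusted-host exemptions described under "What You Need to Know", and the note that the port threshold must be larger than the host threshold can all be exercised in a small simulation of the decision logic. The following Python is an added example written for this page; it is not ZyXEL code and does not reproduce the GS2210 implementation. The class and method names, the threshold values, the aging time and the constructed traffic (a scanner on port 5, an uplink on port 1, the gateway on port 3, a normal host on port 7) are assumptions chosen to illustrate the behaviour the text describes.

```python
"""Simulation of switch anti-arpscan rate-threshold logic (added example, not ZyXEL code).

Assumptions: a per-second counter per port and per source MAC, a port that
exceeds port_threshold goes Err-Disable until recovered manually, a host that
exceeds host_threshold is MAC-filtered for mac_aging seconds, and trusted
ports/hosts bypass both checks. The traffic below is constructed, not captured.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class ArpFrame:
    t: float       # arrival time in seconds
    port: int      # ingress port
    src_mac: str
    src_ip: str
    opcode: int    # 1 = ARP request, 2 = ARP reply


@dataclass
class AntiArpscan:
    port_threshold: int                  # ARP packets per second per port
    host_threshold: int                  # ARP requests per second per host
    mac_aging: float                     # seconds a blocked MAC stays filtered
    trusted_ports: set = field(default_factory=set)
    trusted_hosts: list = field(default_factory=list)     # ip_network objects
    err_disabled: set = field(default_factory=set)
    blocked: dict = field(default_factory=dict)           # src_mac -> release time
    port_rate: Counter = field(default_factory=Counter)   # (port, second) -> count
    host_rate: Counter = field(default_factory=Counter)   # (mac, second) -> count

    def add_trusted_host(self, ip: str, mask: str) -> None:
        # Trust Host entries are an IP address plus subnet mask, as on the Trust Host screen.
        self.trusted_hosts.append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

    def _trusted_host(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.trusted_hosts)

    def recover_port(self, port: int) -> None:
        # An err-disabled port is only restored by the administrator.
        self.err_disabled.discard(port)

    def process(self, f: ArpFrame) -> str:
        # MAC filters expire on their own once the aging time has passed.
        for mac, until in list(self.blocked.items()):
            if f.t >= until:
                del self.blocked[mac]
        if f.port in self.err_disabled:
            return "drop:port-err-disabled"
        if f.src_mac in self.blocked:
            return "drop:host-blocked"
        # Trusted ports and trusted hosts bypass both thresholds entirely.
        if f.port in self.trusted_ports or self._trusted_host(f.src_ip):
            return "forward:trusted"
        sec = int(f.t)
        self.port_rate[(f.port, sec)] += 1
        if self.port_rate[(f.port, sec)] > self.port_threshold:
            self.err_disabled.add(f.port)          # whole port goes Err-Disable
            return "drop:port-err-disabled"
        if f.opcode == 1:                            # only requests count per host
            self.host_rate[(f.src_mac, sec)] += 1
            if self.host_rate[(f.src_mac, sec)] > self.host_threshold:
                self.blocked[f.src_mac] = f.t + self.mac_aging   # MAC filter, auto-released
                return "drop:host-blocked"
        return "forward"


def scan_scenario(port_threshold: int, host_threshold: int) -> dict:
    """Constructed one-second burst: scanner on port 5 sends 50 requests, the trusted
    uplink on port 1 relays 150, the trusted gateway on port 3 sends 30, a normal
    host on port 7 sends 2. Then the scanner retries after the aging time."""
    aa = AntiArpscan(port_threshold, host_threshold, mac_aging=300)
    aa.trusted_ports.add(1)
    aa.add_trusted_host("10.0.0.254", "255.255.255.255")
    frames = [ArpFrame(i / 50, 5, "00:11:22:33:44:55", "10.0.0.99", 1) for i in range(50)]
    frames += [ArpFrame(i / 150, 1, f"00:aa:bb:00:00:{i:02x}", "10.0.1.1", 1) for i in range(150)]
    frames += [ArpFrame(i / 30, 3, "00:00:5e:00:01:01", "10.0.0.254", 1) for i in range(30)]
    frames += [ArpFrame(0.3, 7, "00:de:ad:be:ef:01", "10.0.0.20", 1),
               ArpFrame(0.7, 7, "00:de:ad:be:ef:01", "10.0.0.20", 1)]
    frames.sort(key=lambda f: f.t)
    verdicts = Counter((f.port, aa.process(f)) for f in frames)
    late = aa.process(ArpFrame(400.0, 5, "00:11:22:33:44:55", "10.0.0.99", 1))
    return {"verdicts": dict(verdicts), "err_disabled": sorted(aa.err_disabled),
            "late": late, "engine": aa}


if __name__ == "__main__":
    for thresholds in ((100, 20), (10, 20)):
        r = scan_scenario(*thresholds)
        print(f"port_threshold={thresholds[0]} host_threshold={thresholds[1]}")
        for key in sorted(r["verdicts"]):
            print(f"  port {key[0]} {key[1]}: {r['verdicts'][key]}")
        print(f"  err-disabled ports: {r['err_disabled']}, scanner retry at t=400: {r['late']}")
```

With `scan_scenario(100, 20)` the scanner is MAC-filtered after its 21st request while port 5 stays up, the uplink and gateway are forwarded untouched despite exceeding both thresholds, and the scanner's retry after the aging time is forwarded again. With `scan_scenario(10, 20)`, where the port threshold is smaller than the host threshold, port 5 is err-disabled on the 11th frame and the host threshold never triggers, which is the situation the Note above warns about; the port stays down until `recover_port` is called.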
