Anti-Arpscan - ZyXEL Communications GS2210-8 User Manual

GbE smart managed switch, GS2210 series

34.1 Anti-Arpscan Overview
Address Resolution Protocol (ARP), RFC 826, is a protocol used to convert a network-layer IP address to a link-layer MAC address. ARP scan is used to scan the network of a certain interface for alive hosts. It shows the IP address and MAC addresses of all hosts found. Hackers could use ARP scan to find targets in your network. Anti-arpscan is used to detect unusual ARP scan activity and block suspicious hosts or ports.
Unusual ARP scan activity is determined by port and host thresholds that you set. A port threshold is determined by the number of packets received per second on the port. If the received packet rate is over the threshold, then the port is put into an Err-Disable state. You can recover the normal state of the port manually if this happens and after you identify the cause of the problem.
A host threshold is determined by the number of ARP-request packets received per second. There is a global threshold rate for all hosts. If the rate of a host is over the threshold, then that host is blocked by using a MAC address filter. A blocked host is released automatically after the MAC aging time expires.
Note: A port-based threshold must be larger than the host-based threshold or the host-based threshold will not work.
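The following is an added example, not taken from the manual or from ZyXEL firmware: a simplified Python model of the port and host thresholds described above, including the trusted-port exemption covered in Section 34.1.2. The function name, the packet tuple layout, the evaluation order and the sample traffic are assumptions made for illustration; the MAC addresses are constructed.

```python
from collections import Counter

def anti_arpscan(packets, port_threshold, host_threshold, trusted_ports=()):
    """Model of the two thresholds over time-ordered ARP packets.

    packets: (second, port, src_mac, is_request) tuples.
    Returns (err_disabled_ports, blocked_macs).
    """
    port_rate = Counter()  # (second, port) -> ARP packets received
    host_rate = Counter()  # (second, mac)  -> ARP requests received
    disabled, blocked = set(), set()
    for second, port, mac, is_request in packets:
        if port in trusted_ports:
            continue  # trusted port: both thresholds are ignored
        if port in disabled or mac in blocked:
            continue  # assumption: already-dropped traffic is not counted
        port_rate[(second, port)] += 1
        if port_rate[(second, port)] > port_threshold:
            disabled.add(port)  # port enters Err-Disable
            continue
        if is_request:
            host_rate[(second, mac)] += 1
            if host_rate[(second, mac)] > host_threshold:
                blocked.add(mac)  # MAC address filter installed
    return disabled, blocked

# Constructed traffic for one second, using documentation-range MACs.
SCANNER, PC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
PACKETS = [(0, 3, SCANNER, True)] * 40 + [(0, 3, PC, True)] * 2
# Uplink port 1 carries 200 ARP packets from 200 different hosts.
PACKETS += [(0, 1, f"00:00:5e:00:53:{i:02x}", i % 2 == 0) for i in range(16, 216)]

if __name__ == "__main__":
    # Port threshold above host threshold, uplink trusted: only the scanner is blocked.
    print(anti_arpscan(PACKETS, 50, 20, trusted_ports={1}))
    # Port threshold below host threshold: port 3 is shut before the host limit is reached.
    print(anti_arpscan(PACKETS, 10, 20, trusted_ports={1}))
    # Uplink left untrusted: port 1 is shut by ordinary aggregate ARP traffic.
    print(anti_arpscan(PACKETS, 50, 20))
```

In this model the second call shows why the Note matters: with the port threshold below the host threshold, the whole port is disabled, the ordinary PC on it loses connectivity, and the scanning host is never singled out.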
34.1.1 What You Can Do
Use the Anti-Arpscan Status screen (Section 34.2 on page 310) to see what ports are trusted and are forwarding traffic or are disabled.
Use the Anti-Arpscan Host Status screen (Section 34.3 on page 310) to view blocked hosts and clear selected ones.
Use the Anti-Arpscan Trust Host screen (Section 34.4 on page 311) to create or remove trusted hosts identified by IP address and subnet mask. Anti-arpscan is not performed on trusted hosts.
Use this Anti-Arpscan Configure screen (Section 34.5 on page 312) to enable anti-arpscan, set port and host thresholds as well as configure ports to be trusted or untrusted.
34.1.2 What You Need to Know
You should set an uplink port as a trusted port before enabling Anti-arpscan so as to prevent the port from being shut down due to receiving too many ARP messages.
When a port is configured as a trusted port, Anti-arpscan is not performed on the port. Both host and port thresholds are ignored for trusted ports. If the received ARP packet rate on a port or the received ARP-requests from a host exceed the thresholds, the trusted port will not be closed.
If a port on the Switch is closed by Anti-arpscan, and you want to recover it, then do one of the following:

GS2210 Series User's Guide, Chapter 34: Anti-Arpscan (page 309)


This manual is also suitable for: GS2210-8HP, GS2210-48HP, GS2210-24, GS2210-24HP, GS2210-48
