| To do... | Use the command... | Remarks |
|---|---|---|
| Enable the ARP packet rate limit function | arp rate-limit enable | Required. By default, the ARP packet rate limit function is disabled on a port. |
| Configure the maximum ARP packet rate allowed on the port | arp rate-limit rate | Optional. By default, the maximum ARP packet rate allowed on a port is 15 pps. |
| Quit to system view | quit | — |
| Enable the port state auto-recovery function | arp protective-down recover enable | Optional. Disabled by default. |
| Configure the port state auto-recovery interval | arp protective-down recover interval interval | Optional. By default, when the port state auto-recovery function is enabled, the port state auto-recovery interval is 300 seconds. |

You need to enable the port state auto-recovery feature before you can configure the port state auto-recovery interval.
Configuring the ARP packet rate limit function on the ports of an aggregation group is not recommended.

ARP Attack Defense Configuration Example
ARP Attack Defense Configuration Example I
Network requirements
As shown in Figure 2-3, Ethernet 1/0/1 of Switch A connects to DHCP Server; Ethernet 1/0/2 connects to Client A, Ethernet 1/0/3 connects to Client B. Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 belong to VLAN 1.
Enable DHCP snooping on Switch A and specify Ethernet 1/0/1 as the DHCP snooping trusted port.
Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks, and specify Ethernet 1/0/1 as the ARP trusted port.
Enable the ARP packet rate limit function on Ethernet 1/0/2 and Ethernet 1/0/3 of Switch A, so as to prevent Client A and Client B from attacking Switch A through ARP traffic.
Enable the port state auto recovery function on the ports of Switch A, and set the recovery interval to 200 seconds.
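
How the rate limit and the port state auto-recovery settings above interact, as an added Python model that is not part of the original manual. It assumes that a port with the rate limit enabled is shut down once more than the configured number of ARP packets arrives within one second, and that with auto-recovery enabled it comes back up after the recovery interval. The class, function and traffic values are constructed for illustration; the 15 pps and 300 second defaults and the 200 second interval are the page's.

```python
from collections import deque

DEFAULT_MAX_PPS = 15            # default maximum ARP packet rate (from the table)
DEFAULT_RECOVER_INTERVAL = 300  # default auto-recovery interval, seconds (from the table)

class RateLimitedPort:
    """Hypothetical model of one port with 'arp rate-limit enable' configured."""
    def __init__(self, max_pps=DEFAULT_MAX_PPS, recover_enabled=False, recover_interval=None):
        # The interval can only be configured after auto-recovery has been enabled.
        if recover_interval is not None and not recover_enabled:
            raise ValueError("enable port state auto-recovery before setting its interval")
        self.max_pps = max_pps
        self.recover_enabled = recover_enabled
        self.recover_interval = (DEFAULT_RECOVER_INTERVAL if recover_interval is None
                                 else recover_interval)
        self.down_at = None    # time of the protective shutdown, None while the port is up
        self.window = deque()  # ARP arrival times seen during the last second
        self.events = []       # (time, "down" | "up") state transitions

    def receive_arp(self, now):
        """Return True if the ARP packet is accepted, False if the port is down."""
        if self.recover_enabled and self.down_at is not None:
            up_at = self.down_at + self.recover_interval
            if now >= up_at:   # auto-recovery timer has expired: bring the port up
                self.events.append((up_at, "up"))
                self.down_at = None
                self.window.clear()
        if self.down_at is not None:
            return False
        self.window.append(now)
        while now - self.window[0] >= 1.0:
            self.window.popleft()
        if len(self.window) > self.max_pps:  # assumed trigger: rate above the limit
            self.down_at = now
            self.events.append((now, "down"))
            return False
        return True

def replay(port, arrivals):
    """Feed sorted arrival times to the port; return how many packets were accepted."""
    return sum(port.receive_arp(t) for t in arrivals)

# Constructed traffic: 5 pps for 1 s, a 40 pps burst at t=10 s, 5 pps again at t=250 s.
TRAFFIC = ([i / 5 for i in range(5)] + [10 + i / 40 for i in range(40)]
           + [250 + i / 5 for i in range(5)])

if __name__ == "__main__":
    port = RateLimitedPort(recover_enabled=True, recover_interval=200)
    print(replay(port, TRAFFIC), port.events)
```

With auto-recovery left disabled, or with the default 300 second interval, the same traffic leaves the port down when the later packets arrive, so a legitimate client behind it stays cut off until the port is brought up again.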