Configuring Source Mac Address Based Arp Attack Detection; Introduction; Configuration Procedure - 3Com 4500G Family Configuration Manual


To do...                          Use the command...                           Remarks
Configure ARP packet rate limit   arp rate-limit { disable | rate pps drop }   Required. By default, the ARP packet rate limit is enabled and is 100 pps.

Configuring Source MAC Address Based ARP Attack Detection

Introduction

This feature allows the device to check the source MAC address of ARP packets. If the number of ARP
packets sent from a MAC address within five seconds exceeds the specified value, the device
considers this an attack and adds the MAC address to the attack detection table. Before the attack
detection entry is aged out, the device generates an alarm and filters out ARP packets sourced from
that MAC address (in filter mode), or only generates an alarm (in monitor mode).

A gateway or critical server may send a large number of ARP packets. To prevent these ARP packets
from being discarded, you can specify the MAC address of the gateway or server as a protected MAC
address. A protected MAC address is excluded from ARP attack detection even if it is the source of an attack.

Only the ARP packets delivered to the CPU are detected.

Configuration Procedure

Follow these steps to configure source MAC address based ARP attack detection:

To do...                                                                             Use the command...                                          Remarks
Enter system view                                                                    system-view                                                 -
Enable source MAC address based ARP attack detection and specify the detection mode  arp anti-attack source-mac { filter | monitor }             Required. Disabled by default.
Configure the threshold                                                              arp anti-attack source-mac threshold threshold-value        Optional. 50 by default.
Configure the aging timer for source MAC address based ARP attack detection entries  arp anti-attack source-mac aging-time time                  Optional. Five minutes by default.
Configure protected MAC addresses                                                    arp anti-attack source-mac exclude-mac mac-address&<1-10>   Optional. Not configured by default.

After an ARP attack detection entry expires, the MAC address of the entry becomes an ordinary MAC address again.
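The following Python model is an added example, not code from the manual or from the switch software. It replays constructed ARP traffic through the behaviour described above (five-second count, threshold, aging timer, filter and monitor modes, protected MAC addresses) so you can see what a given threshold and mode would do before configuring them. The class and function names, the fixed-window counting, the single alarm per entry and the filtering of the packet that crosses the threshold are assumptions of this model.

```python
from dataclasses import dataclass, field

WINDOW = 5.0  # counting interval in seconds, as stated in the manual

@dataclass
class SourceMacArpDetector:
    mode: str = "filter"        # "filter" or "monitor"
    threshold: int = 50         # manual's default
    aging_time: float = 300.0   # manual's default (five minutes), in seconds
    protected: frozenset = frozenset()           # exclude-mac list
    counts: dict = field(default_factory=dict)   # mac -> (window start, count)
    table: dict = field(default_factory=dict)    # attack detection table: mac -> expiry
    alarms: list = field(default_factory=list)   # (time, mac), one per new entry

    def handle(self, now, mac):
        """Return True if the ARP packet is processed, False if filtered out."""
        if mac in self.protected:
            return True                      # never counted, never filtered
        if mac in self.table:
            if now < self.table[mac]:
                return self.mode != "filter"
            del self.table[mac]              # aged out: an ordinary MAC again
        start, count = self.counts.get(mac, (now, 0))
        if now - start >= WINDOW:            # assumed: fixed window, restarted when it lapses
            start, count = now, 0
        self.counts[mac] = (start, count + 1)
        if count + 1 <= self.threshold:
            return True
        self.table[mac] = now + self.aging_time
        self.alarms.append((now, mac))
        del self.counts[mac]
        return self.mode != "filter"         # assumed: the exceeding packet is filtered too

def replay(detector, events):
    """Feed (time, mac) events in time order; return packets filtered out per MAC."""
    dropped = {}
    for now, mac in sorted(events):
        if not detector.handle(now, mac):
            dropped[mac] = dropped.get(mac, 0) + 1
    return dropped

# Constructed traffic: two sources at 20 ARP packets/s for 4 s, one host at 1 packet/s.
FLOODER, GATEWAY, HOST = "0200-0000-00aa", "0200-0000-0001", "0200-0000-00bb"
EVENTS = [(i / 20, m) for i in range(80) for m in (FLOODER, GATEWAY)]
EVENTS += [(float(t), HOST) for t in range(4)]

if __name__ == "__main__":
    for mode in ("filter", "monitor"):
        det = SourceMacArpDetector(mode=mode, protected=frozenset({GATEWAY}))
        print(mode, replay(det, EVENTS), det.alarms)
```

In the constructed run the gateway sends exactly as many ARP packets as the flooding host but is never filtered, which is the trade-off the protected MAC address list makes.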
