Configuring source MAC address based ARP
attack detection
With this feature enabled, the device checks the source MAC address of ARP packets delivered to the
CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the
specified threshold. The device adds the MAC address to the attack detection table.
Before the attack detection entry is aged out, the device uses either of the following detection modes to
respond to the detected attack:
•
Monitor mode—Generates a log message.
Filter mode—Generates a log message and filters out subsequent ARP packets from the attacking
•
MAC address.
You can also configure protected MAC addresses to exclude a gateway or server from detection. A
protected MAC address is excluded from ARP attack detection even if it is an attacker.
Configuration procedure
To configure source MAC address based ARP attack detection:
Step
1.
Enter system view.
2.
Enable source MAC address
based ARP attack detection
and specify the detection
mode.
3.
Configure the threshold.
4.
Configure the age timer for
ARP attack detection entries.
5.
Configure protected MAC
addresses.
NOTE:
After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can
be processed normally.
Displaying and maintaining source MAC address based ARP
attack detection
Command
system-view
arp anti-attack source-mac { filter |
monitor }
arp anti-attack source-mac threshold
threshold-value
arp anti-attack source-mac aging-time time
arp anti-attack source-mac exclude-mac
mac-address&<1-10>
238
Remarks
N/A
Disabled by default.
Optional.
50 by default.
Optional.
300 seconds by default.
Optional.
Not configured by
default.