Configuring 802.1x-Based ARP/IP Attack Defense; Configuring ARP Source MAC Address Consistency Check; Introduction - 3Com 4210 9-Port Configuration Manual

Switch 4210 family

Configuring 802.1x-Based ARP/IP Attack Defense

Follow these steps to configure 802.1x-based ARP/IP attack defense:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Enable using IP-MAC bindings of authenticated 802.1x clients for ARP attack detection | ip source static import dot1x | Required. Disabled by default. |
| Enter Ethernet port view | interface interface-type interface-number | - |
| Enable IP filtering based on IP-MAC bindings of authenticated 802.1x clients | ip check dot1x enable | Required. Disabled by default. |

The IP-MAC bindings of authenticated 802.1x clients are used together with DHCP snooping entries and static bindings for ARP attack detection.
IP filtering based on IP-MAC bindings of authenticated 802.1x clients is mutually exclusive with IP filtering based on DHCP snooping entries.
IP filtering based on IP-MAC bindings of authenticated 802.1x clients does not support link aggregation.
To implement IP filtering based on IP-MAC bindings of authenticated 802.1x clients, the device assigns an ACL to each such binding. If an ACL fails to be assigned to a binding, the corresponding authenticated 802.1x client is forced to go offline.
IP filtering based on IP-MAC bindings of authenticated 802.1x clients requires 802.1x clients to provide IP addresses; otherwise, the IP addresses of 802.1x clients cannot be obtained. To ensure that the IP addresses of DHCP clients can be updated in the corresponding IP-MAC entries, it is recommended that you enable the 802.1x authentication handshake function; otherwise, you need to disable 802.1x authentication triggered by DHCP, so that multicast authentication packets are received and forwarded normally.

Configuring ARP Source MAC Address Consistency Check

Introduction

An attacker may use the IP or MAC address of another host as the sender IP or MAC address of ARP packets. These ARP packets can cause other network devices to update the corresponding ARP entries incorrectly, thus interrupting network traffic.
To prevent such attacks, you can configure ARP source MAC address consistency check on switches (operating as gateways). With this function, the device can verify whether an ARP packet is valid by checking the sender MAC address of the ARP packet against the source MAC address in the Ethernet header.
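The comparison that the ARP source MAC address consistency check performs can be reproduced offline on captured frames. The following is an added example, not code from the manual or from the switch: the function names, verdict strings, sample addresses, the handling of a single VLAN tag and the decision to drop malformed or non-Ethernet/IPv4 ARP are all assumptions of this sketch.

```python
import struct

ETH_P_ARP, ETH_P_8021Q = 0x0806, 0x8100

def check_arp_source_mac(frame: bytes) -> str:
    """Classify one raw Ethernet frame as 'pass', 'drop' or 'not-arp'."""
    if len(frame) < 14:
        return "drop"                          # truncated Ethernet header
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == ETH_P_8021Q:               # step over a single VLAN tag
        if len(frame) < 18:
            return "drop"
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != ETH_P_ARP:
        return "not-arp"                       # the check only applies to ARP
    if len(frame) < offset + 28:
        return "drop"                          # truncated ARP payload
    htype, ptype, hlen, plen, _oper = struct.unpack_from("!HHBBH", frame, offset)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "drop"                          # example's choice: only Ethernet/IPv4 ARP
    sender_mac = frame[offset + 8:offset + 14]
    return "pass" if sender_mac == eth_src else "drop"

def build_arp(eth_src: bytes, sender_mac: bytes, sender_ip: bytes,
              target_ip: bytes, oper: int = 1) -> bytes:
    """Build a broadcast Ethernet/IPv4 ARP frame for the samples below."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + sender_mac + sender_ip + b"\x00" * 6 + target_ip

# Constructed sample data (locally administered MACs, documentation IPs).
HOST_A = bytes.fromhex("020000000001")
HOST_B = bytes.fromhex("020000000002")
GATEWAY_IP, HOST_A_IP = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])

# Consistent: Ethernet source and ARP sender MAC are both HOST_A.
CONSISTENT = build_arp(HOST_A, HOST_A, HOST_A_IP, GATEWAY_IP)
# Inconsistent: frame sent from HOST_B but the ARP payload names HOST_A as sender.
INCONSISTENT = build_arp(HOST_B, HOST_A, HOST_A_IP, GATEWAY_IP)

if __name__ == "__main__":
    for name, frame in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(name, check_arp_source_mac(frame))
```

This check compares only the two MAC fields of a frame; whether the sender IP actually belongs to that MAC is verified separately, against the IP-MAC bindings used for ARP attack detection.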
