Arp Attack Defense Configuration; Configuring Arp Active Acknowledgement; Introduction - H3C S5120-SI Series Configuration Manual


ARP attack defense configuration

Although ARP is easy to implement, it can be vulnerable to network attacks. ARP attacks and viruses can
be a threat to LAN security. However, the device provides multiple features to detect and prevent such
attacks.

Configuring ARP active acknowledgement

Introduction

Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid
ARP packets.
With this feature enabled, when the gateway receives an ARP packet whose source MAC address does
not match the gateway's corresponding ARP entry, the gateway checks whether its ARP entry has been
updated within the last minute.
- If yes, the gateway does not update the ARP entry.
- If not, the gateway unicasts an ARP request to the source MAC address of the ARP entry.
  - If an ARP reply is received within five seconds, the ARP packet is ignored.
  - If not, the gateway unicasts an ARP request to the MAC address of the ARP packet.
    - If an ARP reply is received within five seconds, the gateway updates the ARP entry.
    - If not, the ARP entry is not updated.

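The decision sequence above can be modelled in a few lines to check how the gateway treats each case. This is an added example, not H3C code: the function names, the `probe` callback, the decision labels and the sample addresses are assumptions made for illustration, as is treating "within the last minute" as strictly less than 60 seconds.

```python
from dataclasses import dataclass

RECENT_UPDATE_WINDOW = 60  # seconds ("updated within the last minute")
REPLY_TIMEOUT = 5          # seconds allowed for each unicast ARP reply

@dataclass
class ArpEntry:
    ip: str
    mac: str
    updated_at: float  # time of last update, in seconds

def active_ack(entry, packet_mac, now, probe):
    """Apply the active acknowledgement checks to one received ARP packet.
    probe(ip, mac, timeout) -> bool is a hypothetical stand-in for "unicast
    an ARP request to mac and wait for a reply". Mutates entry on "update".
    """
    probed = []
    if packet_mac == entry.mac:
        return "match", probed  # the checks only run on a MAC mismatch
    if now - entry.updated_at < RECENT_UPDATE_WINDOW:
        return "keep-recent", probed  # no probe is sent at all
    probed.append(entry.mac)
    if probe(entry.ip, entry.mac, REPLY_TIMEOUT):
        return "keep-owner-alive", probed  # received packet is ignored
    probed.append(packet_mac)
    if probe(entry.ip, packet_mac, REPLY_TIMEOUT):
        entry.mac, entry.updated_at = packet_mac, now
        return "update", probed
    return "keep-unverified", probed

def run_scenarios():
    """Constructed sample data: which (ip, mac) pairs answer a unicast probe."""
    ip, old, new = "192.0.2.10", "00e0-fc00-0001", "00e0-fc00-0002"
    cases = {
        "recent":     (30.0,  {(ip, old)}),  # entry updated 30 s ago
        "owner-up":   (300.0, {(ip, old)}),  # recorded MAC still replies
        "nic-swap":   (300.0, {(ip, new)}),  # only the new MAC replies
        "no-replies": (300.0, set()),        # neither MAC replies
    }
    results = {}
    for name, (age, alive) in cases.items():
        entry = ArpEntry(ip, old, updated_at=1000.0 - age)
        probe = lambda i, m, timeout: (i, m) in alive
        decision, probed = active_ack(entry, new, 1000.0, probe)
        results[name] = (decision, probed, entry.mac)
    return results

if __name__ == "__main__":
    print(run_scenarios())
```

Only the "nic-swap" case changes the entry: the recorded MAC must fail to answer and the new MAC must answer before the gateway accepts the change.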
Configuring ARP active acknowledgement

To configure ARP active acknowledgement:

To do...                                            Use the command...                  Remarks
1. Enter system view                                system-view
2. Enable the ARP active acknowledgement function   arp anti-attack active-ack enable   Required. Disabled by default.
