Configuring Source Mac Address Based Arp Attack Detection; Introduction; Configuration Procedure - H3C S5120-SI Series Configuration Manual


Configuring source MAC address based ARP attack detection

Introduction

With this feature enabled, the device checks the source MAC address of ARP packets delivered to the
CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the
configured threshold.
The detection mode you set determines how the device responds to a detected attack.
Monitor mode: generates an alarm.
Filter mode: generates an alarm and filters out ARP packets from the attacking MAC source.
Only ARP packets delivered to the CPU are detected.
You can also configure protected MAC addresses to exclude devices such as a gateway or server from
detection, so that they do not trigger alarms and filtering. You can set an aging timer for the protected
MAC addresses, to limit how long they are protected.
A protected MAC address is no longer excluded from detection after the specified aging time expires.
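
The behaviour described above, modelled in Python as an added example (not H3C code or device output), using the default threshold of 50 and constructed traffic. The fixed five-second windows, filtering that persists for the whole run, the class and function names, and the MAC addresses are assumptions for illustration; this page does not document the device's internal algorithm.

```python
from collections import Counter

WINDOW_MS = 5000  # the manual's five-second counting interval


class SourceMacArpDetector:
    """Model of per-source-MAC ARP counting for packets delivered to the CPU."""

    def __init__(self, threshold=50, mode="monitor", protected=None):
        if mode not in ("monitor", "filter"):
            raise ValueError("mode must be 'monitor' or 'filter'")
        self.threshold = threshold               # 50 is the default in the manual
        self.mode = mode
        self.protected = dict(protected or {})   # MAC -> ms when protection ages out
        self.windows = {}                        # MAC -> (window start ms, count)
        self.filtered = set()                    # sources blocked in filter mode
        self.alarms = []                         # (ms, MAC), one per offending window

    def handle(self, ts_ms, src_mac):
        """Return 'forward' or 'drop' for one ARP packet; record alarms."""
        expiry = self.protected.get(src_mac)
        if expiry is not None:
            if ts_ms < expiry:
                return "forward"                 # excluded from detection
            del self.protected[src_mac]          # aging time expired: count it again
        if src_mac in self.filtered:
            return "drop"
        start, count = self.windows.get(src_mac, (ts_ms, 0))
        if ts_ms - start >= WINDOW_MS:           # assumption: fixed, non-sliding windows
            start, count = ts_ms, 0
        count += 1
        self.windows[src_mac] = (start, count)
        if count == self.threshold + 1:          # first packet over the threshold
            self.alarms.append((ts_ms, src_mac))
            if self.mode == "filter":
                self.filtered.add(src_mac)       # assumption: stays filtered for the run
                return "drop"
        return "forward"


def replay(mode, gateway_protected_until_ms):
    """Replay constructed traffic: gateway and flooder send 80 ARPs in 4 s, host sends 5."""
    gw, flooder, host = "00e0-fc00-0001", "00e0-fc00-00aa", "00e0-fc00-00bb"
    det = SourceMacArpDetector(50, mode, {gw: gateway_protected_until_ms})
    events = sorted([(i * 50, m) for i in range(80) for m in (gw, flooder)]
                    + [(i * 1000, host) for i in range(5)])
    verdicts = Counter((mac, det.handle(ts, mac)) for ts, mac in events)
    return det.alarms, verdicts
```

Replaying the same traffic with `replay("filter", 1000)` shows why the aging timer matters: once protection lapses, a chatty gateway is counted like any other source and is filtered when it crosses the threshold.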

Configuration procedure

Enabling source MAC address based ARP attack detection
To enable source MAC address based ARP attack detection and set the detection mode:

To do...                                        Use the command...                                Remarks
1. Enter system view                            system-view
2. Enable source MAC address based ARP attack   arp anti-attack source-mac { filter | monitor }   Required
   detection and specify the detection mode                                                       Disabled by default.

Configuring the threshold
To configure the threshold:

To do...                     Use the command...                                     Remarks
1. Enter system view         system-view
2. Configure the threshold   arp anti-attack source-mac threshold threshold-value   Optional
                                                                                    50 by default
