Configuring ARP attack protection
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
• Acting as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
• Sending a large number of unresolvable IP packets (ARP cannot find MAC addresses for those packets) to keep the receiving device busy resolving destination IP addresses until the CPU is overloaded.
• Sending a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
ARP attack protection configuration task list
Task                                                    Remarks

Flood prevention
  Configuring unresolvable IP attack protection
    Configuring ARP source suppression                  Optional. Configure this function on gateways (recommended).
    Enabling ARP black hole routing                     Optional. Configure this function on gateways (recommended).
  Configuring ARP packet rate limit                     Optional. Configure this function on access devices (recommended).
  Configuring source MAC-based ARP attack detection     Optional. Configure this function on gateways (recommended).

User and gateway spoofing prevention
  Configuring ARP active acknowledgement                Optional. Configure this function on gateways (recommended).
  Configuring user validity check                       Optional. Configure this function on access devices (recommended).
  Configuring ARP automatic scanning and fixed ARP      Optional. Configure this function on gateways (recommended).