ARP attack protection configuration
NOTE:
interface
The term
interfaces and route-mode (or Layer 3) Ethernet ports. You can set an Ethernet port to operate in route
mode by using the port link-mode route command (see
ARP attack protection overview
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network
attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP
•
entries.
Sends a large number of destination unreachable IP packets to have the receiving device busy with
•
resolving destination IP addresses until its CPU is overloaded.
Sends a large number of ARP packets to overload the CPU of the receiving device.
•
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
ARP attacks and viruses are threatening LAN security. This chapter introduces multiple features to detect
and prevent such attacks.
ARP attack protection configuration task list
Complete the following tasks to configure ARP attack protection:
Task
Flood prevention
User and
gateway
spoofing
in the ARP attack protection features refers to Layer 3 interfaces, including VLAN
Configuring ARP source
suppression
Configuring ARP
defense against
IP packet attacks
Enabling ARP black hole
routing
Configuring ARP packet rate limit
Configuring source MAC address based ARP
attack detection
Configuring ARP packet source MAC address
consistency check
Layer 2—LAN Switching Configuration Guide
Remarks
Optional
Configure this function on gateways
(recommended).
Optional
Configure this function on gateways
(recommended).
Optional
Configure this function on access
devices (recommended).
Optional
Configure this function on gateways
(recommended).
Optional
Configure this function on gateways
(recommended).
330
).