Configuring Arp Packet Source Mac Address Consistency Check; Introduction; Configuration Procedure; Configuring Arp Active Acknowledgement - HP 3600 v2 Series Security Configuration Manual

Configure the MAC address of the server as a protected MAC address so that it can send ARP
•
packets

Configuration procedure

# Enable source MAC address based ARP attack detection and specify the filter mode.
<Device> system-view
[Device] arp anti-attack source-mac filter
# Set the threshold to 30.
[Device] arp anti-attack source-mac threshold 30
# Set the age timer for detection entries to 60 seconds.
[Device] arp anti-attack source-mac aging-time 60
# Configure 0012-3f86-e94c as a protected MAC address.
[Device] arp anti-attack source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC address
consistency check

Introduction

The ARP packet source MAC address consistency check feature enables a gateway device to filter out
ARP packets that have a different source MAC address in the Ethernet header from the sender MAC
address in the message, so that the gateway device can learn correct ARP entries.
Configuration procedure
Follow these steps to enable ARP packet source MAC address consistency check:
To do...
Enter system view
Enable ARP packet source MAC
address consistency check

Configuring ARP active acknowledgement

Introduction
The ARP active acknowledgement feature is configured on gateway devices to identify invalid ARP
packets.
ARP active acknowledgement works before the gateway creates or modifies an ARP entry to avoid
generating any incorrect ARP entry. For more information about its working mechanism, see ARP Attack
Protection Technology White Paper.
Use the command...
system-view
arp anti-attack valid-check enable
337
Remarks
—
Required
Disabled by default.