Source MAC address based ARP attack detection
configuration commands
arp anti-attack source-mac
Syntax
arp anti-attack source-mac { filter | monitor }
undo arp anti-attack source-mac [ filter | monitor ]
View
System view
Default level
2: System level
Parameters
filter: Specifies the filter mode.
monitor: Specifies the monitor mode.
Description
Use the arp anti-attack source-mac command to enable source MAC address based ARP attack
detection and specify the detection mode.
Use the undo arp anti-attack source-mac command to restore the default.
By default, source MAC address based ARP attack detection is disabled.
After you enable this feature, the device checks the source MAC address of ARP packets received from
the VLAN. It detects an attack when one MAC address sends more ARP packets in five seconds than the
specified threshold. Upon detecting an attack, the device does the following:
In filter detection mode, the device generates a log message and filters out the ARP packets from the
•
MAC address.
In monitor detection mode, the device only generates a log message.
•
If no detection mode is specified in the undo arp anti-attack source-mac command, both detection
modes are disabled.
Examples
# Enable filter-mode source MAC address based ARP attack detection
<Sysname> system-view
[Sysname] arp anti-attack source-mac filter
arp anti-attack source-mac aging-time
Syntax
arp anti-attack source-mac aging-time time
undo arp anti-attack source-mac aging-time
303