Configuring Source Mac-Based Arp Attack Detection; Configuration Procedure; Displaying And Maintaining Source Mac-Based Arp Attack Detection - HP FlexNetwork 10500 Series Security Configuration Manual


Configuring source MAC-based ARP attack detection

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the following methods:

- Monitor—Only generates log messages.
- Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.

Make sure you have enabled the ARP logging feature before enabling the source MAC-based ARP attack detection feature. For information about the ARP logging feature, see Layer 3—IP Services Configuration Guide.

You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.
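
The following Python model is an added example, not code from the manual or from the device software. It replays a constructed ARP trace through the rule described above, using this manual's defaults (threshold 30, aging time 300 seconds), to show how the monitor and filter methods, entry aging and the exclusion list interact. The class and function names, the fixed (non-sliding) 5-second window, the strict "greater than" comparison and the single log record per attack entry are assumptions of the model.

```python
from dataclasses import dataclass, field

WINDOW = 5  # seconds; counting interval stated in the manual

@dataclass
class SourceMacDetector:
    mode: str = "filter"            # "monitor" or "filter"
    threshold: int = 30             # manual default
    aging_time: int = 300           # manual default, in seconds
    exclude: frozenset = frozenset()
    counts: dict = field(default_factory=dict)   # mac -> (window start, count)
    entries: dict = field(default_factory=dict)  # mac -> attack entry expiry
    log: list = field(default_factory=list)      # (time, mac) per new entry

    def receive(self, t, mac):
        """Return True if the ARP packet is processed, False if filtered out."""
        if mac in self.exclude:
            return True                       # excluded MACs are never inspected
        if mac in self.entries:
            if t < self.entries[mac]:
                return self.mode != "filter"  # live entry: filter drops, monitor passes
            del self.entries[mac]             # entry aged out, count from scratch
        start, n = self.counts.get(mac, (t, 0))
        if t - start >= WINDOW:               # assumption: fixed windows, not sliding
            start, n = t, 0
        self.counts[mac] = (start, n + 1)
        if n + 1 > self.threshold:            # assumption: "exceeds" is strictly greater
            self.entries[mac] = t + self.aging_time
            del self.counts[mac]
            self.log.append((t, mac))
        return True                           # only subsequent packets are filtered

def replay(detector, trace):
    """Feed (time, mac) pairs in order; return processed-packet counts per MAC."""
    passed = {}
    for t, mac in trace:
        if detector.receive(t, mac):
            passed[mac] = passed.get(mac, 0) + 1
    return passed

# Constructed trace (documentation-range MACs): NOISY and GATEWAY each send 100
# ARP packets within 2 s, NOISY sends one more at t=400 s, QUIET sends 3 packets.
NOISY, GATEWAY, QUIET = "0000-5e00-5301", "0000-5e00-5302", "0000-5e00-5303"
TRACE = sorted([(i * 0.02, m) for i in range(100) for m in (NOISY, GATEWAY)]
               + [(400.0, NOISY)] + [(float(i), QUIET) for i in range(3)])

if __name__ == "__main__":
    for mode in ("monitor", "filter"):
        d = SourceMacDetector(mode=mode, exclude=frozenset({GATEWAY}))
        print(mode, replay(d, TRACE), "log entries:", len(d.log))
```

In the model, the excluded gateway's burst passes untouched in both modes, which is the trade-off of the exclusion list: a MAC placed on it is never rate-checked.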

Configuration procedure

To configure source MAC-based ARP attack detection:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enable source MAC-based ARP attack detection and specify the handling method.
  Command: arp source-mac { filter | monitor }
  Remarks: By default, this feature is disabled.

Step 3. Configure the threshold.
  Command: arp source-mac threshold threshold-value
  Remarks: The default threshold is 30.

Step 4. Configure the aging timer for ARP attack entries.
  Command: arp source-mac aging-time time
  Remarks: By default, the lifetime is 300 seconds.

Step 5. (Optional.) Exclude specific MAC addresses from this detection.
  Command: arp source-mac exclude-mac mac-address&<1-n>
  Remarks: By default, no MAC address is excluded. The value range for the n argument is 1 to 10.

NOTE:
When an ARP attack entry is aged out, ARP packets sourced from the MAC address in the entry can be processed correctly.

Displaying and maintaining source MAC-based ARP attack detection

Execute display commands in any view.
