Configuring Arp Duplicate Gateway Attack Prevention; Arp Packet Attack Prevention; Introduction To Arp Packet Attack Prevention - H3C S9500 Series Operation Manual


Operation Manual – ARP
H3C S9500 Series Routing Switches

Chapter 3 ARP Attack Prevention Configuration

3.2.2 Configuring ARP Duplicate Gateway Attack Prevention

Caution:
- The ARP duplicate gateway attack prevention function can detect and prevent VLAN interface address conflicts, VRRP virtual address conflicts, and NAT address pool conflicts.
- After detecting an address conflict on the console port, the switch only logs the event, without preventing the attack.
- If the VRRP group has a real MAC address, the switch logs the event after detecting an address conflict, without preventing the attack.

Follow these steps to configure ARP duplicate gateway attack prevention:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure ARP duplicate gateway attack prevention | anti-attack gateway-duplicate { enable \| disable } | Required. Disabled by default. |
| Display information about the ARP duplicate gateway attack prevention configuration of a specific slot | display anti-attack gateway-duplicate slot slotid | Available in any view |

3.3 ARP Packet Attack Prevention

3.3.1 Introduction to ARP Packet Attack Prevention

ARP provides no authentication mechanism, so a network using ARP is susceptible to various kinds of attacks. Sending a large number of ARP packets with a fixed MAC address is just one such attack; it affects ARP entry learning on the switch.

S9500 series switches can detect and prevent such ARP packet attacks. If the number of ARP packets with a fixed source MAC address received by the switch CPU reaches the set threshold within a certain period, the user with this MAC address is considered an attacker. The system then generates an attack prevention entry to filter this user, who will then be unable to access the network.
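The threshold rule described in section 3.3.1 can be modelled offline to see which hosts it would filter. The following is an added example, not H3C code or part of the original manual: the class and function names, the threshold of 5 packets, the 1-second sliding period and the sample MAC addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque


class ArpSourceMacMonitor:
    """Model of the per-source-MAC ARP threshold rule (hypothetical, not switch code)."""

    def __init__(self, threshold, period):
        self.threshold = threshold      # packet count that triggers an entry (assumed value)
        self.period = period            # counting period in seconds (assumed sliding window)
        self.seen = defaultdict(deque)  # source MAC -> timestamps still inside the period
        self.blocked = {}               # source MAC -> time the filter entry was created

    def observe(self, ts, src_mac):
        """Feed one ARP packet that reached the CPU; return 'drop' or 'pass'."""
        mac = src_mac.lower()
        if mac in self.blocked:
            return "drop"               # an attack prevention entry already filters this MAC
        window = self.seen[mac]
        window.append(ts)
        # Discard packets that have fallen out of the counting period.
        while window and ts - window[0] >= self.period:
            window.popleft()
        if len(window) >= self.threshold:
            # Threshold reached: generate the entry. Entry aging is not modelled
            # because the page does not describe it.
            self.blocked[mac] = ts
            del self.seen[mac]
            return "drop"
        return "pass"


def replay(events, threshold=5, period=1.0):
    """Replay (timestamp, source MAC) pairs; return the monitor and per-packet verdicts."""
    monitor = ArpSourceMacMonitor(threshold, period)
    verdicts = [monitor.observe(ts, mac) for ts, mac in events]
    return monitor, verdicts


# Constructed sample: one host sending slowly, one sending 6 ARP packets in 0.5 s.
SAMPLE = [(0.0, "00:11:22:33:44:55"), (0.9, "00:11:22:33:44:55"), (2.0, "00:11:22:33:44:55")]
SAMPLE += [(3.0 + i * 0.1, "DE:AD:BE:EF:00:01") for i in range(6)]
SAMPLE += [(10.0, "de:ad:be:ef:00:01"), (10.1, "00:11:22:33:44:55")]

if __name__ == "__main__":
    mon, out = replay(SAMPLE)
    for (ts, mac), verdict in zip(SAMPLE, out):
        print(f"{ts:5.1f}s {mac.lower()} {verdict}")
    print("attack prevention entries:", mon.blocked)
```

Because the entry is keyed on the source MAC alone, a legitimate host that bursts ARP traffic past the threshold is filtered just like an attacker, so replaying normal traffic through a model like this helps when choosing a threshold.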
