ARP Attack Prevention Configuration Example - H3C S9500 Series Operation Manual

Operation Manual – ARP
H3C S9500 Series Routing Switches

3.4 ARP Attack Prevention Configuration Example

I. Network requirements
An S9500 switch (Switch 1) is connected to two low-end switches, Switch 3 and
Switch 2, through Ethernet 1/1/1 and Ethernet 1/1/2, respectively.
PC 1 is attached to Switch 1; PC 2 and PC 3, on the same network segment, are
attached to Switch 2; PC 4 and PC 5, on another network segment, are attached
to Switch 3.
PC 1 sends a large number of ARP packets. Some of them carry constantly
changing source IP addresses, while others carry the same source IP address as
the gateway. PC 4 sends a large number of ARP packets with a fixed MAC
address.
Switch 1 is required to prevent the attacks from PC 1 and PC 4.
II. Network diagram
Figure 3-3 Network diagram for ARP packet attack prevention
III. Configuration procedure
# Enter system view.
<Switch1> system-view
# Specify the ARP spoofing attack prevention mode to send-ack, preventing ARP
spoofing attacks from PC 1.
[Switch1] arp entry-check send-ack
# Enable ARP duplicate gateway attack prevention, preventing duplicate gateway
attacks from PC 1.
[Switch1] anti-attack gateway-duplicate enable
# Enable ARP packet attack prevention, preventing ARP packet attacks from PC 4.
[Switch1] anti-attack arp enable
# Configure the threshold for ARP packet attack detection to 40 pps.
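The three behaviours the procedure above guards against can also be checked offline against mirrored ARP traffic. The following Python script is an added example, not part of the manual and not the switch's own implementation: it flags a source MAC that claims the gateway's IP (the duplicate gateway case), a source MAC that cycles through source IPs (the spoofing case), and a source MAC exceeding the 40 pps threshold (the packet attack case). The gateway IP and MAC, the PCs' MAC addresses, the port PC 1 hangs off, and the distinct-IP count used for the spoofing check are assumptions.

```python
from collections import defaultdict

# Assumptions for this example (not from the manual): the gateway's addresses,
# the per-second distinct-IP count treated as source-IP cycling, and the
# H3C-style MAC addresses of the PCs. The 40 pps figure is the manual's threshold.
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "000f-e200-0000"
PPS_THRESHOLD = 40
SPOOF_DISTINCT_IPS = 5

def classify_arp(records, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC,
                 pps_threshold=PPS_THRESHOLD, spoof_ips=SPOOF_DISTINCT_IPS):
    """Classify ARP records of the form (second, ingress_port, src_mac, src_ip).

    Returns {(port, src_mac): [alerts]} with alerts drawn from
    'gateway-duplicate', 'arp-spoofing' and 'arp-packet-attack'.
    """
    count = defaultdict(int)      # (second, port, mac) -> packets in that second
    src_ips = defaultdict(set)    # (second, port, mac) -> distinct source IPs
    alerts = defaultdict(set)
    for second, port, mac, ip in records:
        key = (second, port, mac)
        count[key] += 1
        src_ips[key].add(ip)
        # Duplicate gateway: a host other than the gateway claims the gateway IP.
        if ip == gateway_ip and mac != gateway_mac:
            alerts[(port, mac)].add("gateway-duplicate")
    for (second, port, mac), n in count.items():
        # Packet attack: more ARP packets in one second than the threshold.
        if n > pps_threshold:
            alerts[(port, mac)].add("arp-packet-attack")
        # Spoofing: one MAC advertising many different source IPs.
        if len(src_ips[(second, port, mac)]) >= spoof_ips:
            alerts[(port, mac)].add("arp-spoofing")
    return {k: sorted(v) for k, v in alerts.items()}

def sample_records():
    """Constructed traffic mirroring the scenario in section 3.4."""
    recs = []
    # PC 1 (assumed on Ethernet 1/1/3): 10 packets cycling the source IP,
    # then 3 packets claiming the gateway's IP.
    recs += [(0, "Ethernet1/1/3", "000f-e200-0001", f"192.168.1.{i}") for i in range(10, 20)]
    recs += [(0, "Ethernet1/1/3", "000f-e200-0001", GATEWAY_IP)] * 3
    # PC 4 via Switch 3 on Ethernet 1/1/1: 50 packets with a fixed MAC and IP.
    recs += [(0, "Ethernet1/1/1", "000f-e200-0004", "192.168.2.4")] * 50
    # PC 2 via Switch 2 on Ethernet 1/1/2: two ordinary requests.
    recs += [(0, "Ethernet1/1/2", "000f-e200-0002", "192.168.1.2")] * 2
    return recs

if __name__ == "__main__":
    for key, found in classify_arp(sample_records()).items():
        print(key, found)
```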
