Table of Contents
Advertisement
37.1 Anti-Arpscan Overview
Address Resolution Protocol (ARP), RFC 826, is a protocol used to convert a network-layer IP address to a
link-layer MAC address. ARP scan is used to scan the network of a certain interface for alive hosts. It
shows the IP address and MAC addresses of all hosts found. Hackers could use ARP scan to find targets
in your network. Anti-arpscan is used to detect unusual ARP scan activity and block suspicious hosts or
ports.
Unusual ARP scan activity is determined by port and host thresholds that you set. A port threshold is
determined by the number of packets received per second on the port. If the received packet rate is
over the threshold, then the port is put into an Err-Disable state. You can recover the normal state of the
port manually if this happens and after you identify the cause of the problem.
A host threshold is determined by the number of ARP-request packets received per second. There is a
global threshold rate for all hosts. If the rate of a host is over the threshold, then that host is blocked by
using a MAC address filter. A blocked host is released automatically after the MAC aging time expires.
Note: A port-based threshold must be larger than the host-based threshold or the host-based
threshold will not work.
37.1.1 What You Can Do
• Use the Anti-Arpscan Status screen
forwarding traffic or are disabled.
• Use the Anti-Arpscan Host Status screen
selected ones.
• Use the Anti-Arpscan Trust Host screen
identified by IP address and subnet mask. Anti-arpscan is not performed on trusted hosts.
• Use this Anti-Arpscan Configure screen
and host thresholds as well as configure ports to be trusted or untrusted.
37.1.2 What You Need to Know
• You should set an uplink port as a trusted port before enabling Anti-arpscan so as to prevent the port
from being shutdown due to receiving too many ARP messages.
• When a port is configured as a trusted port, Anti-arpscan is not performed on the port. Both host and
port thresholds are ignored for trusted ports. If the received ARP packet rate on a port or the received
ARP-requests from a host exceed the thresholds, the trusted port will not be closed.
• If a port on the Switch is closed by Anti-arpscan, and you want to recover it, then do one of the
following:
Chapter 37 Anti-Arpscan
C
Anti-Arpscan
(Section 37.1 on page
(Section 37.3 on page
(Section 37.4 on page
(Section 37.5 on page
GS2220 Series User's Guide
339
H A P T E R
339) to see what ports are trusted and are
340) to view blocked hosts and clear
341) to create or remove trusted hosts
342) to enable anti-arpscan, set port
37
Advertisement
Table of Contents
Troubleshooting
