H3C Low-End Ethernet Switches Configuration Examples
ARP Attack Prevention
1.2.4 ARP Packet Rate Limit
H3C low-end Ethernet switches support ARP packet rate limit, which temporarily shuts down a port under attack to protect the CPU.
After ARP packet rate limit is enabled on a port, the switch counts the ARP packets received on that port. If the number of ARP packets received per second exceeds the configured threshold, the port is considered under attack: the switch shuts the port down and the port stops receiving any packets. The switch also supports a port state auto-recovery function, which brings the shut-down port up again after the specified interval.
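The counting, shutdown and auto-recovery behaviour described above, as an added Python model that is not H3C's switch code: it counts ARP packets per port in one-second windows, shuts the port when the count exceeds a threshold, drops packets while the port is down, and re-enables the port once the recovery interval has elapsed. The threshold, the recovery interval and the packet timestamps are constructed for the demo.

```python
"""Model of per-port ARP packet rate limiting with port auto-recovery.

Added example, not H3C's implementation: it reproduces the behaviour the
section describes.  All thresholds, intervals and traffic are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PortState:
    count: int = 0                      # ARP packets seen in the current 1-second window
    window: int = -1                    # which second the current window covers
    shut_until: Optional[float] = None  # when auto-recovery re-enables the port (None = up)
    events: list = field(default_factory=list)


class ArpRateLimiter:
    """Per-port ARP rate limiter: shut on more than max_pps in one second, recover after an interval."""

    def __init__(self, max_pps: int, recovery_interval: float):
        self.max_pps = max_pps
        self.recovery_interval = recovery_interval
        self.ports = defaultdict(PortState)

    def port_is_up(self, port, now: float) -> bool:
        st = self.ports[port]
        if st.shut_until is not None and now >= st.shut_until:
            # auto-recovery: the interval has elapsed, bring the port back up
            st.shut_until = None
            st.count, st.window = 0, -1
            st.events.append((now, "recovered"))
        return st.shut_until is None

    def receive(self, port, now: float) -> str:
        """Handle one ARP packet on `port` at time `now` (seconds).

        Returns "accepted", "dropped" (port is shut down) or "shutdown"
        (this packet pushed the per-second count over the limit).
        """
        st = self.ports[port]
        if not self.port_is_up(port, now):
            return "dropped"          # a shut-down port receives nothing
        sec = int(now)
        if sec != st.window:          # new one-second window: restart the count
            st.window, st.count = sec, 0
        st.count += 1
        if st.count > self.max_pps:   # attack detected: shut the port down
            st.shut_until = now + self.recovery_interval
            st.events.append((now, "shutdown"))
            return "shutdown"
        return "accepted"


def run_demo(max_pps: int = 5, recovery_interval: float = 3.0):
    """Constructed traffic: a flood on port 1, a normal trickle on port 2."""
    limiter = ArpRateLimiter(max_pps, recovery_interval)
    packets = [(1, i * 0.05) for i in range(20)]      # 20 ARP packets within 1 s on port 1
    packets += [(2, i * 0.4) for i in range(8)]        # 2-3 packets per second on port 2
    packets += [(1, 4.0), (1, 4.1)]                    # port 1 again after the recovery interval
    packets.sort(key=lambda p: p[1])
    verdicts = defaultdict(lambda: defaultdict(int))
    for port, t in packets:
        verdicts[port][limiter.receive(port, t)] += 1
    events = {p: [name for _, name in st.events] for p, st in limiter.ports.items()}
    return {p: dict(v) for p, v in verdicts.items()}, events


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows port 1 accepting the first five packets, shutting down on the sixth, dropping the rest of the flood, and accepting traffic again after the interval, while port 2 is never affected.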
1.2.5 Attack Prevention with the Support of a CAMS Server
As shown in the following figure, a Comprehensive Access Management Server (CAMS) acts as the service management center of the network. Connected to the other network devices (such as Ethernet switches), it implements authentication, authorization, accounting, and access management for users.
Figure 1-5 Network diagram for CAMS server (figure elements: CAMS, IP network, Gateway, Switch A, Switch B, Host A, Host B, Host C, Host D)
In this solution, you do not need to configure attack prevention on the access switches. Hosts only need to pass 802.1x authentication to access the network. You must specify the IP-to-MAC binding of the gateway on the CAMS server; the CAMS server delivers the binding through the access switches to the hosts, which prevents gateway spoofing attacks.
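The host-side use of the delivered gateway binding, as an added Python example that is neither CAMS nor switch code: the host holds the gateway IP-to-MAC binding it received, normalizes MAC notation, and checks every ARP reply that claims the gateway IP against the binding, keeping the ARP cache consistent with the binding and raising an alert for any conflicting reply. The IP and MAC addresses are constructed for the demo.

```python
"""Gateway binding check on a host, added example (not CAMS or switch code).

Models the defense the section describes: the host holds the gateway's
IP-to-MAC binding delivered by the CAMS server through the access switch,
and checks every ARP reply that claims the gateway IP against it.
Addresses below are constructed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # IP address the reply claims to speak for
    sender_mac: str   # MAC address it asks the host to associate with that IP


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so '00-E0-FC-00-00-01' equals '00:e0:fc:00:00:01'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("malformed MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


# Binding pushed to the host by CAMS (constructed values)
GATEWAY_BINDING = {"10.1.1.1": normalize_mac("00-E0-FC-00-00-01")}


def check_arp_reply(reply: ArpReply, bindings=GATEWAY_BINDING):
    """Return (verdict, detail) for one ARP reply."""
    expected = bindings.get(reply.sender_ip)
    observed = normalize_mac(reply.sender_mac)
    if expected is None:
        return "unbound", "no binding for %s, normal ARP learning applies" % reply.sender_ip
    if observed == expected:
        return "ok", "%s -> %s matches the binding" % (reply.sender_ip, observed)
    return "spoofed", "%s claimed by %s, binding says %s" % (reply.sender_ip, observed, expected)


def apply_replies(replies, bindings=GATEWAY_BINDING):
    """Build the ARP cache the host ends up with, plus the alerts raised on the way."""
    cache, alerts = {}, []
    for r in replies:
        verdict, detail = check_arp_reply(r, bindings)
        if verdict == "spoofed":
            alerts.append(detail)      # the reply is discarded: the binding wins
            continue
        cache[r.sender_ip] = normalize_mac(r.sender_mac)
    return cache, alerts


# Constructed sample: a genuine gateway reply, a conflicting one, and an unrelated host
SAMPLE_REPLIES = [
    ArpReply("10.1.1.1", "00:E0:FC:00:00:01"),
    ArpReply("10.1.1.1", "00:11:22:33:44:55"),
    ArpReply("10.1.1.20", "aa-bb-cc-dd-ee-ff"),
]

if __name__ == "__main__":
    print(apply_replies(SAMPLE_REPLIES))
```

The conflicting reply never reaches the cache, so the host keeps the correct gateway entry; the alert list is what you would forward to monitoring.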