Chapter 2 Configuration Examples; Configuration Example For Arp Attack Prevention In Dhcp Snooping Mode; Network Requirements - H3C LS-5100-16P-SI-OVS-H3 Configuration

Low-end ethernet switches

H3C Low-End Ethernet Switches Configuration Examples
ARP Attack Prevention

Chapter 2 Configuration Examples

2.1 Configuration Example for ARP Attack Prevention in DHCP Snooping Mode

2.1.1 Network Requirements

In a campus network as shown in the following figure, hosts are connected to the
gateway and DHCP server through access switches and obtain IP addresses
dynamically. The administrator needs to configure ARP attack prevention on the
access switches to prevent ARP attacks. The network requirements are as follows:

- Hosts in the campus network are located in Host area 1 (which belongs to VLAN
  10) and Host area 2 (which belongs to VLAN 20), and they are connected to the
  Gateway and the DHCP server through Switch A and Switch B respectively.
- A TFTP server located in Host area 1 has an IP address of 192.168.0.10/24 and a
  MAC address of 000d-85c7-4e00.
- To prevent ARP attacks such as gateway spoofing and spoofing gateway attacks,
  enable ARP attack detection on VLAN 10 of Switch A and VLAN 20 of Switch B.
  Configure Ethernet 1/0/1 on Switch A and Switch B as ARP trusted ports.
- To prevent ARP flood attacks, enable ARP packet rate limit on the ports of
  Switch A and Switch B that are directly connected to hosts. Also enable port
  state auto-recovery on these ports and set the auto-recovery interval to 100
  seconds.
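
The behaviour these requirements ask of Switch A can be modelled in Python. This is an added example, not H3C code or configuration from the manual. It assumes that detection matches an ARP packet's sender IP, MAC, VLAN and receiving port against binding entries, that the fixed-address TFTP server has a static entry, and it uses constructed values for the rate threshold (15 packets per second), the host-facing port names, the host lease and the gateway address.

```python
from dataclasses import dataclass, field

RECOVERY_INTERVAL = 100   # seconds, from the requirements above
RATE_LIMIT_PPS = 15       # assumed threshold; the page does not give one

@dataclass
class Port:
    vlan: int
    trusted: bool = False
    down_until: float = 0.0   # time at which a shut-down port recovers
    window: int = -1          # one-second window currently being counted
    count: int = 0            # ARP packets seen in that window

@dataclass
class AccessSwitch:
    ports: dict               # port name -> Port
    detect_vlans: set         # VLANs with ARP attack detection enabled
    bindings: set = field(default_factory=set)   # (ip, mac, vlan, port)

    def receive_arp(self, port_name, sender_ip, sender_mac, now):
        """Return 'forward', 'drop' or 'port-down' for one ARP packet."""
        port = self.ports[port_name]
        if now < port.down_until:
            return "port-down"
        if port.trusted:
            return "forward"  # trusted ports are not checked
        # Rate limit on host-facing ports: count packets per one-second window.
        sec = int(now)
        if sec != port.window:
            port.window, port.count = sec, 0
        port.count += 1
        if port.count > RATE_LIMIT_PPS:
            port.down_until = now + RECOVERY_INTERVAL
            return "port-down"
        # ARP attack detection: the sender must match a binding on this port.
        entry = (sender_ip, sender_mac, port.vlan, port_name)
        if port.vlan in self.detect_vlans and entry not in self.bindings:
            return "drop"
        return "forward"

def build_switch_a():
    """Switch A from the requirements; host ports and the host lease are constructed."""
    sw = AccessSwitch(
        ports={"Ethernet1/0/1": Port(vlan=10, trusted=True),
               "Ethernet1/0/2": Port(vlan=10), "Ethernet1/0/3": Port(vlan=10)},
        detect_vlans={10})
    # Assumed static entry for the TFTP server (no DHCP lease to snoop).
    sw.bindings.add(("192.168.0.10", "000d-85c7-4e00", 10, "Ethernet1/0/2"))
    # Constructed DHCP snooping entry for one host.
    sw.bindings.add(("192.168.0.21", "0011-2233-4455", 10, "Ethernet1/0/3"))
    return sw
```

An ARP packet that claims the gateway's address from a host port is dropped because no binding matches it, while the same claim arriving on the trusted uplink Ethernet 1/0/1 is forwarded unchecked.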