Displaying and Maintaining Source MAC Address Based ARP Attack Detection

| To do... | Use the command... | Remarks |
|---|---|---|
| Display attacking entries detected | display arp anti-attack source-mac [ interface interface-type interface-number ] | Available in any view |

Configuring ARP Packet Source MAC Address Consistency Check

Introduction
This feature enables a gateway device to filter out ARP packets with the source MAC address in the
Ethernet header different from the sender MAC address in the ARP message, so that the gateway
device can learn correct ARP entries.

Configuration Procedure
Follow these steps to enable ARP packet source MAC address consistency check:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable ARP packet source MAC address consistency check | arp anti-attack valid-check enable | Required. Disabled by default. |

Configuring ARP Active Acknowledgement

Introduction
Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid
ARP packets.
With this feature enabled, the gateway, upon receiving an ARP packet with a different source MAC
address from that in the corresponding ARP entry, checks whether the ARP entry has been updated
within the last minute:
- If yes, the gateway does not update the ARP entry;
- If not, the gateway unicasts an ARP request to the source MAC address of the ARP entry. Then,
  - If an ARP reply is received within five seconds, the ARP packet is ignored;
  - If not, the gateway unicasts an ARP request to the MAC address of the ARP packet. Then,
    - If an ARP reply is received within five seconds, the gateway updates the ARP entry;
    - If not, the ARP entry is not updated.

Configuring the ARP Active Acknowledgement Function
Follow these steps to configure ARP active acknowledgement:
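
The acknowledgement decision described in the Introduction to ARP active acknowledgement above, modelled as an added example; it is not the device's own code. The `ArpEntry` type, the `probe` callback and the sample addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass

RECENT_UPDATE_WINDOW = 60  # seconds: "updated within the last minute"
REPLY_TIMEOUT = 5          # seconds: "reply is received within five seconds"

@dataclass
class ArpEntry:            # hypothetical model of one gateway ARP entry
    ip: str
    mac: str
    updated_at: float      # time of the last update, in seconds

def active_ack(entry, packet_mac, now, probe):
    """Handle an ARP packet for entry.ip that carries packet_mac.

    probe(ip, mac, timeout) is an assumed callback: it unicasts an ARP
    request to mac and returns True if a reply arrives within timeout.
    Returns (decision, resulting_entry).
    """
    if packet_mac == entry.mac:
        return "no-conflict", entry          # the procedure only runs on a mismatch
    if now - entry.updated_at < RECENT_UPDATE_WINDOW:
        return "kept-recently-updated", entry
    if probe(entry.ip, entry.mac, REPLY_TIMEOUT):
        return "ignored", entry              # the recorded owner still answers
    if probe(entry.ip, packet_mac, REPLY_TIMEOUT):
        return "updated", ArpEntry(entry.ip, packet_mac, now)
    return "kept-no-reply", entry            # neither MAC answered

def run_scenarios():
    """Constructed cases; `alive` is the set of MACs that answer a probe."""
    old, new = "00e0-fc00-0001", "00e0-fc00-0002"   # constructed MACs
    entry = ArpEntry("192.0.2.10", old, updated_at=0.0)
    cases = {
        "entry updated 10 s ago": (10.0, {old, new}),
        "forged packet, owner alive": (120.0, {old, new}),
        "host changed its NIC": (120.0, {new}),
        "nobody answers": (120.0, set()),
    }
    return {
        name: active_ack(entry, new, now, lambda ip, mac, t, a=alive: mac in a)
        for name, (now, alive) in cases.items()
    }

if __name__ == "__main__":
    for name, (decision, result) in run_scenarios().items():
        print(f"{name:28} -> {decision:22} entry MAC = {result.mac}")
```

Only the case where the recorded MAC stays silent and the new MAC answers changes the entry, which is why a forged ARP packet sent while the real host is online leaves the gateway's mapping intact.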