ARP Attack Detection and Packet Rate Limit Configuration Example - H3C S5600 Series Operation Manual


Operation Manual – ARP
H3C S5600 Series Ethernet Switches
Disable VLAN-interface 1 of the switch from sending gratuitous ARP packets periodically.
Set the aging time for dynamic ARP entries to 10 minutes.
Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port being GigabitEthernet 1/0/10 of VLAN 1.
II. Configuration procedure
# Enter system view and disable ARP entry checking.
<Sysname> system-view
[Sysname] undo arp check enable
# Disable VLAN-interface 1 from sending gratuitous ARP packets periodically.
[Sysname] interface vlan 1
[Sysname-Vlan-interface1] undo gratuitous-arp period-resending enable
[Sysname-Vlan-interface1] quit
# Set the aging time for dynamic ARP entries to 10 minutes.
[Sysname] arp timer aging 10
# Add the static ARP entry for 192.168.1.1 (MAC 000f-e201-0000) on GigabitEthernet 1/0/10 in VLAN 1.
[Sysname] arp static 192.168.1.1 000f-e201-0000 1 GigabitEthernet1/0/10

1.5.2 ARP Attack Detection and Packet Rate Limit Configuration Example

I. Network requirements
As shown in Figure 1-4, GigabitEthernet 1/0/1 of Switch A connects to DHCP Server; GigabitEthernet 1/0/2 connects to Client A, GigabitEthernet 1/0/3 connects to Client B. GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 belong to VLAN 1.
Enable DHCP snooping on Switch A and specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port.
Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks, and specify GigabitEthernet 1/0/1 as the ARP trusted port.
Enable the ARP packet rate limit function on GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 of Switch A, so as to prevent Client A and Client B from attacking Switch A through ARP traffic.
Enable the port state auto recovery function on the ports of Switch A, and set the recovery interval to 200 seconds.
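The requirements above combine two mechanisms: ARP attack detection, which checks the sender IP/MAC of ARP packets received on untrusted ports against the DHCP snooping binding table, and ARP packet rate limiting, which shuts a port down when its ARP rate exceeds a threshold and, with auto recovery enabled, brings it back after the recovery interval. The following Python model is an added illustration of that logic, not H3C code and not the switch's configuration; the binding entries, the client MAC addresses, the per-second threshold of 5 and the timestamps are all constructed for the example (the 200-second recovery interval is the value the requirements state).

```python
"""Added illustration (not H3C code): a minimal model of ARP attack detection
against a DHCP snooping binding table plus per-port ARP rate limiting with
port state auto recovery. Names, thresholds and packets are constructed."""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    port: str          # ingress port name
    sender_ip: str     # sender protocol address carried in the ARP packet
    sender_mac: str    # sender hardware address carried in the ARP packet
    timestamp: float   # constructed clock, in seconds


@dataclass
class ArpGuard:
    trusted_ports: set          # ARP trusted ports (uplink towards the DHCP server)
    bindings: dict              # DHCP snooping bindings: (ip, mac) -> port
    rate_limit: int = 20        # max ARP packets per port per second (assumed default)
    recover_interval: float = 200.0       # seconds, from the network requirements
    counts: dict = field(default_factory=dict)      # port -> (window_start, count)
    shut_ports: dict = field(default_factory=dict)  # port -> time it was shut down
    log: list = field(default_factory=list)

    def _recover(self, now):
        """Port state auto recovery: reopen ports shut longer than the interval."""
        for port, since in list(self.shut_ports.items()):
            if now - since >= self.recover_interval:
                del self.shut_ports[port]
                self.log.append(f"{port}: auto recovered after {self.recover_interval:.0f}s")

    def _rate_ok(self, pkt):
        """Count ARP packets per port in a one-second window."""
        start, count = self.counts.get(pkt.port, (pkt.timestamp, 0))
        if pkt.timestamp - start >= 1.0:
            start, count = pkt.timestamp, 0
        count += 1
        self.counts[pkt.port] = (start, count)
        return count <= self.rate_limit

    def process(self, pkt):
        """Return 'forward', 'drop' or 'shut' for one received ARP packet."""
        self._recover(pkt.timestamp)
        if pkt.port in self.shut_ports:
            return "drop"          # port is still in the protective-down state
        if pkt.port in self.trusted_ports:
            return "forward"       # trusted port: neither detection nor rate limit
        if not self._rate_ok(pkt):
            self.shut_ports[pkt.port] = pkt.timestamp
            self.log.append(f"{pkt.port}: ARP rate above {self.rate_limit}/s, port shut down")
            return "shut"
        # ARP attack detection: sender IP/MAC must match a binding on this port
        if self.bindings.get((pkt.sender_ip, pkt.sender_mac)) != pkt.port:
            self.log.append(f"{pkt.port}: invalid ARP {pkt.sender_ip}/{pkt.sender_mac} dropped")
            return "drop"
        return "forward"


def demo():
    """Constructed scenario mirroring Figure 1-4: Client A on 1/0/2, Client B on 1/0/3."""
    bindings = {("192.168.1.10", "000f-e2aa-0001"): "GigabitEthernet1/0/2",
                ("192.168.1.11", "000f-e2aa-0002"): "GigabitEthernet1/0/3"}
    guard = ArpGuard(trusted_ports={"GigabitEthernet1/0/1"}, bindings=bindings, rate_limit=5)
    results = []
    # Client A answers for its own DHCP-assigned address: consistent with the binding
    results.append(guard.process(ArpPacket("GigabitEthernet1/0/2", "192.168.1.10", "000f-e2aa-0001", 0.0)))
    # Client A claims Client B's IP (man-in-the-middle attempt): no such binding, dropped
    results.append(guard.process(ArpPacket("GigabitEthernet1/0/2", "192.168.1.11", "000f-e2aa-0001", 0.1)))
    # The trusted port towards the DHCP server is never checked
    results.append(guard.process(ArpPacket("GigabitEthernet1/0/1", "192.168.1.1", "000f-e201-0000", 0.2)))
    # Client B sends 6 ARP packets within one second against a limit of 5: port shut down
    for i in range(6):
        last = guard.process(ArpPacket("GigabitEthernet1/0/3", "192.168.1.11", "000f-e2aa-0002", 1.0 + i * 0.01))
    results.append(last)
    # Still down before 200 s have elapsed, recovered afterwards
    results.append(guard.process(ArpPacket("GigabitEthernet1/0/3", "192.168.1.11", "000f-e2aa-0002", 100.0)))
    results.append(guard.process(ArpPacket("GigabitEthernet1/0/3", "192.168.1.11", "000f-e2aa-0002", 201.06)))
    return results, guard.log


if __name__ == "__main__":
    verdicts, events = demo()
    print(verdicts)   # ['forward', 'drop', 'forward', 'shut', 'drop', 'forward']
    for line in events:
        print(line)
```

The order of checks matters: the rate limit is evaluated before the binding check, so a flood of otherwise valid ARP packets still takes the port down, and packets on a shut port are discarded without touching the counters until the recovery interval has passed.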
1-12
Chapter 1 ARP Configuration

This manual is also suitable for: S5600-26C, S5600-26C-PWR, S5600-26F, S5600-50C, S5600-50C-PWR.