ARP Attack Detection and Packet Rate Limit Configuration Example - H3C S3100 Series Operation Manual

H3C S3100 Series Ethernet Switches Operation Manual

Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being
000f-e201-0000, and the outbound port being Ethernet1/0/10 of VLAN 1.
Configuration procedure
<Sysname> system-view
[Sysname] undo arp check enable
[Sysname] arp timer aging 10
[Sysname] arp static 192.168.1.1 000f-e201-0000 1 Ethernet1/0/10

ARP Attack Detection and Packet Rate Limit Configuration Example

Network requirements
As shown in Figure 1-4, Ethernet1/0/1 of Switch A (S3100-EI) connects to DHCP Server; Ethernet1/0/2
connects to Client A, Ethernet1/0/3 connects to Client B. Ethernet1/0/1, Ethernet1/0/2 and
Ethernet1/0/3 belong to VLAN 1.
Enable DHCP snooping on Switch A and specify Ethernet1/0/1 as the DHCP snooping trusted port.
Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks, and specify
Ethernet1/0/1 as the ARP trusted port.
Enable the ARP packet rate limit function on Ethernet1/0/2 and Ethernet1/0/3 of Switch A, so as to
prevent Client A and Client B from attacking Switch A through ARP traffic.
Enable the port state auto recovery function on the ports of Switch A, and set the recovery interval
to 200 seconds.
Network diagram
Figure 1-4 ARP attack detection and packet rate limit configuration
Configuration procedure
# Enable DHCP snooping on Switch A.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify Ethernet1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
[SwitchA] interface Ethernet1/0/1
[SwitchA-Ethernet1/0/1] dhcp-snooping trust
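The decisions the switch makes under these requirements can be followed in a small model. The Python below is an added example, not H3C code or part of the manual: it is a simplified model of ARP attack detection against the DHCP snooping table, the per-port ARP packet rate limit and port state auto recovery. The 15 pps threshold, the client addresses and all names are assumptions.

```python
from dataclasses import dataclass, field

TRUSTED = {"Ethernet1/0/1"}                        # ARP trusted port (from the page)
RATE_LIMITED = {"Ethernet1/0/2", "Ethernet1/0/3"}  # client-facing ports (from the page)
RECOVERY_INTERVAL = 200  # seconds (from the page)
MAX_ARP_PPS = 15         # assumed threshold; the page does not give one

@dataclass
class SwitchModel:
    bindings: set = field(default_factory=set)      # DHCP snooping entries: (ip, mac, vlan, port)
    down_since: dict = field(default_factory=dict)  # port -> time it was shut down
    window: dict = field(default_factory=dict)      # port -> (second, ARP packets seen in it)

    def receive_arp(self, now, port, vlan, sender_ip, sender_mac):
        # Port state auto recovery: a shut-down port stays down for the interval.
        if port in self.down_since:
            if now - self.down_since[port] < RECOVERY_INTERVAL:
                return "drop-port-down"
            del self.down_since[port]
            self.window.pop(port, None)
        # ARP packet rate limit: count packets per one-second window.
        if port in RATE_LIMITED:
            sec, count = self.window.get(port, (int(now), 0))
            count = count + 1 if sec == int(now) else 1
            self.window[port] = (int(now), count)
            if count > MAX_ARP_PPS:
                self.down_since[port] = now
                return "shutdown"
        # ARP attack detection: trusted ports are not checked; on other ports the
        # sender IP/MAC must match a DHCP snooping entry for that VLAN and port.
        if port in TRUSTED or (sender_ip, sender_mac, vlan, port) in self.bindings:
            return "forward"
        return "drop-invalid"

def demo():
    a = ("192.168.1.10", "000f-e201-000a", 1, "Ethernet1/0/2")  # constructed lease, Client A
    b = ("192.168.1.11", "000f-e201-000b", 1, "Ethernet1/0/3")  # constructed lease, Client B
    sw = SwitchModel(bindings={a, b})
    out = {"client_a": sw.receive_arp(0, a[3], 1, a[0], a[1])}
    # Client B claims Client A's IP with its own MAC: no matching entry.
    out["spoof"] = sw.receive_arp(1, b[3], 1, a[0], b[1])
    # Constructed ARP packet arriving on the trusted port.
    out["server"] = sw.receive_arp(2, "Ethernet1/0/1", 1, "192.168.1.1", "000f-e201-0000")
    # 16 ARP packets from Client B within one second exceed the assumed limit.
    out["burst"] = [sw.receive_arp(10, b[3], 1, b[0], b[1]) for _ in range(16)][-1]
    out["at_100s"] = sw.receive_arp(100, b[3], 1, b[0], b[1])
    out["at_210s"] = sw.receive_arp(210, b[3], 1, b[0], b[1])
    return out

if __name__ == "__main__":
    print(demo())
```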