Arp/Ip Attack Defense Based On 802.1X; Configuring 802.1X-Based Arp/Ip Attack Defense - H3C S3100 Series Operation Manual

To do...
Configure the maximum
number of dynamic ARP
entries that the VLAN interface
can learn

ARP/IP Attack Defense Based on 802.1x

Overview
ARP attack detection and IP filtering implemented based on DHCP snooping entries can effectively
prevent ARP/IP attacks in a network where clients obtain IP addresses dynamically through DHCP.
However, if most of the clients are assigned with IP addresses statically, you need to configure an IP
static binding for each of such clients, which is a heavy workload and easily causes errors.
To prevent attacks in a network where most clients use statically assigned IP addresses, S3100-EI
series Ethernet switches support the feature of using IP-to-MAC bindings of authenticated 802.1x
clients (which obtain IP addresses through DHCP or manual assignment) to implement ARP attack
detection or IP filtering. The feature avoids configuring IP-MAC static bindings for clients with static IP
addresses configured.
With this feature configured for ARP attack detection, the device, after checking its DHCP snooping
and static client entries, will use the IP-MAC bindings of authenticated 802.1x clients for ARP
attack detection.
With this feature configured for IP filtering, the device will use only the IP-MAC bindings of
authenticated 802.1x clients for IP filtering.
For details about ARP attack detection, refer to ARP Operation.
For details about IP filtering and IP static binding, refer to DHCP Operation.
For details about 802.1x authentication, refer to 802.1x and System Guard Operation.

Configuring 802.1x-Based ARP/IP Attack Defense

Among the S3100 series Ethernet switches, only the S3100-EI series support 802.1x-Based ARP/IP
Attack Defense.
Use the command...
arp max-learning-num
number
3
Remarks
Optional
By default, the maximum
number of dynamic ARP
entries that the VLAN interface
can learn is not limited