ARP Attack Defense Configuration Example II - H3C S3100 Series Operation Manual

H3C S3100 Series Ethernet Switches Operation Manual

[Switch] interface Ethernet 1/0/2
[Switch-Ethernet1/0/2] arp filter source 192.168.100.1
[Switch-Ethernet1/0/2] quit
# Configure ARP packet filtering based on the gateway's IP address on Ethernet 1/0/3.
[Switch] interface Ethernet 1/0/3
[Switch-Ethernet1/0/3] arp filter source 192.168.100.1
[Switch-Ethernet1/0/3] quit

ARP Attack Defense Configuration Example II

Network Requirements
Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B). To prevent ARP attacks such as ARP flooding:
- Enable ARP packet source MAC address consistency check on Switch A to block ARP packets whose sender MAC address differs from the source MAC address in the Ethernet header.
- Limit the number of dynamic ARP entries learned on VLAN-interface 1.
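
The two protections required above, modeled in Python as an added example (not code from the manual and not H3C's implementation). The class and function names, the sample MAC addresses, and the treatment of refreshes at the limit are assumptions made for illustration.

```python
import socket
import struct

ARP_ETHERTYPE = 0x0806

def parse_arp_frame(frame: bytes):
    """Return (eth_src, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP payload
        return None
    if struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[6:12], frame[22:28], socket.inet_ntoa(frame[28:32])

class GatewayArpModel:
    """Hypothetical model of the two protections; not H3C's implementation."""
    def __init__(self, max_dynamic=500):
        self.max_dynamic = max_dynamic
        self.table = {}  # sender IP -> sender MAC (dynamic entries only)

    def handle(self, frame: bytes) -> str:
        parsed = parse_arp_frame(frame)
        if parsed is None:
            return "ignored"
        eth_src, sender_mac, sender_ip = parsed
        if eth_src != sender_mac:  # source MAC address consistency check
            return "dropped-mac-mismatch"
        # Assumption: refreshing an already known IP does not count against the limit.
        if sender_ip not in self.table and len(self.table) >= self.max_dynamic:
            return "not-learned-limit"
        self.table[sender_ip] = sender_mac
        return "learned"

def build_frame(eth_src: bytes, sender_mac: bytes, sender_ip: str) -> bytes:
    """Constructed sample: broadcast ARP request for the gateway 192.168.1.1."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac
    arp += socket.inet_aton(sender_ip) + b"\x00" * 6 + socket.inet_aton("192.168.1.1")
    return eth + arp

def demo():
    a, b = bytes.fromhex("001122334455"), bytes.fromhex("0011223344aa")
    gw = GatewayArpModel(max_dynamic=2)  # small limit so the cap is visible
    return [gw.handle(build_frame(a, a, "192.168.1.10")),
            gw.handle(build_frame(a, b, "192.168.1.20")),
            gw.handle(build_frame(b, b, "192.168.1.30")),
            gw.handle(build_frame(a, a, "192.168.1.40"))]

if __name__ == "__main__":
    print(demo())
```

The second frame is rejected because its ARP sender MAC does not match the Ethernet source MAC; the fourth is valid but arrives after the model's entry limit is reached.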
Network Diagram
Figure 1-3 Network diagram for ARP attack defense II
[Diagram: Host A and Host B connect to Switch B, which connects to Switch A (Gateway), Vlan-int 192.168.1.1/24]
Configuration Procedures
# Enter system view.
<SwitchA> system-view
# Enable ARP source MAC address consistency check.
[SwitchA] arp anti-attack valid-check enable
# Enter VLAN-interface 1 view.
[SwitchA] interface vlan-interface 1
# Configure an IP address for VLAN-interface 1.
[SwitchA-Vlan-interface1] ip address 192.168.1.1/24
# Configure the maximum number of ARP entries that can be learned by VLAN-interface 1 as 500.