H3C S5600 Series Operation Manual page 644

Network diagram
Figure 2-3 ARP attack detection and packet rate limit configuration
Configuration procedure
# Enable DHCP snooping on Switch A.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchA-GigabitEthernet1/0/1] arp detection trust
[SwitchA-GigabitEthernet1/0/1] quit
# Enable ARP attack detection on all ports in VLAN 1.
[SwitchA] vlan 1
[SwitchA-vlan1] arp detection enable
# Enable the ARP packet rate limit function on GigabitEthernet 1/0/2, and set the maximum ARP packet
rate allowed on the port to 20 pps.
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] arp rate-limit enable
[SwitchA-GigabitEthernet1/0/2] arp rate-limit 20
[SwitchA-GigabitEthernet1/0/2] quit
# Enable the ARP packet rate limit function on GigabitEthernet 1/0/3, and set the maximum ARP packet
rate allowed on the port to 50 pps.
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] arp rate-limit enable
[SwitchA-GigabitEthernet1/0/3] arp rate-limit 50
[SwitchA-GigabitEthernet1/0/3] quit
# Configure the port state auto recovery function, and set the recovery interval to 200 seconds.
[SwitchA] arp protective-down recover enable
[SwitchA] arp protective-down recover interval 200
2-9