| To do... | Use the command... | Remarks |
|---|---|---|
| Enable the ARP packet rate limit function | arp rate-limit enable | Required. By default, the ARP packet rate limit function is disabled on a port. |
| Configure the maximum ARP packet rate allowed on the port | arp rate-limit rate | Optional. By default, the maximum ARP packet rate allowed on a port is 15 pps. |
| Quit to system view | quit | — |
| Enable the port state auto-recovery function | arp protective-down recover enable | Optional. Disabled by default. |
| Configure the port state auto-recovery interval | arp protective-down recover interval interval | Optional. By default, when the port state auto-recovery function is enabled, the port state auto-recovery interval is 300 seconds. |

You need to enable the port state auto-recovery feature before you can configure the port state auto-recovery interval.

Configuring the ARP packet rate limit function on the ports of a fabric or an aggregation group is not recommended.

ARP Attack Defense Configuration Example

ARP Attack Defense Configuration Example I

Network requirements

As shown in Figure 37-3, Ethernet 1/0/1 of Switch A connects to DHCP Server; Ethernet 1/0/2 connects to Client A; Ethernet 1/0/3 connects to Client B. Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 belong to VLAN 1.

Enable DHCP snooping on Switch A and specify Ethernet 1/0/1 as the DHCP snooping trusted port.

Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks, and specify Ethernet 1/0/1 as the ARP trusted port.

Enable the ARP packet rate limit function on Ethernet 1/0/2 and Ethernet 1/0/3 of Switch A, so as to prevent Client A and Client B from attacking Switch A through ARP traffic.

Enable the port state auto-recovery function on the ports of Switch A, and set the recovery interval to 200 seconds.
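
The following added example (not from the original manual) models the ARP packet rate limit and port state auto-recovery settings in Python, so that a threshold can be checked against observed traffic before it is enabled on a port. It assumes that a port exceeding the limit is shut down until the recovery interval elapses and that packets are counted per whole second; the `simulate` and `burst` names and the sample traffic are constructed for illustration.

```python
from collections import defaultdict

DEFAULT_RATE_PPS = 15      # default maximum ARP packet rate on a port (from the table)
DEFAULT_RECOVERY_S = 300   # default auto-recovery interval (from the table)

def simulate(events, rate_pps=DEFAULT_RATE_PPS, recover=True,
             interval_s=DEFAULT_RECOVERY_S):
    """Replay (timestamp_s, port) ARP arrivals sorted by time.

    Returns {port: [(down_at, up_at or None), ...]}. Assumption: packets are
    counted per whole-second window and a port over the limit is shut down.
    """
    counts = defaultdict(int)   # (port, second) -> ARP packets seen
    down_until = {}             # port -> recovery time, None = stays down
    outages = defaultdict(list)
    for ts, port in events:
        if port in down_until:
            until = down_until[port]
            if until is None or ts < until:
                continue        # port is down, packet never reaches the switch
            del down_until[port]
        key = (port, int(ts))
        counts[key] += 1
        if counts[key] > rate_pps:
            up_at = ts + interval_s if recover else None
            down_until[port] = up_at
            outages[port].append((ts, up_at))
    return dict(outages)

def burst(port, start, count):
    """Constructed traffic: `count` ARP packets spread evenly over one second."""
    return [(start + i / count, port) for i in range(count)]

# Constructed sample: Client A stays at 10 pps, Client B floods at 40 pps
# at t=5 s and again at t=210 s.
SAMPLE = sorted(
    burst("Ethernet1/0/2", 0, 10) + burst("Ethernet1/0/2", 1, 10)
    + burst("Ethernet1/0/3", 5, 40) + burst("Ethernet1/0/3", 210, 40)
)

if __name__ == "__main__":
    # Recovery interval of 200 seconds, as in the network requirements.
    for port, spans in simulate(SAMPLE, interval_s=200).items():
        for down_at, up_at in spans:
            print(f"{port}: down at {down_at:.3f}s, recovers at {up_at:.3f}s")
```

With auto-recovery disabled (`recover=False`), the same replay shows the flooding port going down once and staying down, which is the behaviour an administrator has to clear manually.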