Configuring source MAC address based ARP attack detection

With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in 5 seconds than the specified threshold. The device adds the MAC address to the attack detection table.

Before the attack detection entry is aged out, the device uses either of the following detection modes to respond to the detected attack:

You can also configure protected MAC addresses to exclude a gateway or server from detection. A protected MAC address is excluded from ARP attack detection even if it is an attacker.
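The counting rule described above, modeled in Python as an added example (not the device's own code) so that captured ARP arrival times can be replayed against a candidate threshold before it is configured. The sliding-window interpretation of "in 5 seconds", the `aging_time` parameter, and all MAC addresses are assumptions made for this illustration.

```python
from collections import defaultdict, deque

WINDOW = 5.0  # seconds; the counting interval stated in the text
FLOODER, GATEWAY, HOST = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "00:de:ad:be:ef:01"

class SourceMacArpDetector:
    """Offline model of per-source-MAC ARP rate detection (assumed semantics)."""

    def __init__(self, threshold, aging_time, protected=()):
        self.threshold = threshold            # max ARP packets tolerated per window
        self.aging_time = aging_time          # assumed lifetime of a table entry, seconds
        self.protected = {m.lower() for m in protected}
        self.recent = defaultdict(deque)      # MAC -> arrival times inside the window
        self.table = {}                       # attack detection table: MAC -> expiry time

    def observe(self, ts, src_mac):
        """Feed one ARP packet; return True if src_mac is in the table afterwards."""
        mac = src_mac.lower()
        # Age out entries whose lifetime has elapsed.
        for m in [m for m, expiry in self.table.items() if expiry <= ts]:
            del self.table[m]
        if mac in self.protected:             # protected MACs are never counted
            return False
        q = self.recent[mac]
        q.append(ts)
        while ts - q[0] >= WINDOW:            # drop arrivals older than the window
            q.popleft()
        if mac not in self.table and len(q) > self.threshold:
            self.table[mac] = ts + self.aging_time
            q.clear()                         # start counting afresh after detection
        return mac in self.table

def sample_events():
    """Constructed (seconds, source MAC) arrivals; not taken from a real capture."""
    ev = [(i / 20, FLOODER) for i in range(40)]    # 40 packets in 2 s
    ev += [(i / 40, GATEWAY) for i in range(60)]   # busy gateway: 60 packets in 1.5 s
    ev += [(t, HOST) for t in (0.5, 2.0, 4.0)]     # ordinary host
    return sorted(ev)

def replay(events, detector):
    """Return {MAC: time of first detection} for a time-ordered event list."""
    first_seen = {}
    for ts, mac in events:
        if detector.observe(ts, mac) and mac not in first_seen:
            first_seen[mac] = ts
    return first_seen

if __name__ == "__main__":
    det = SourceMacArpDetector(threshold=30, aging_time=300, protected=[GATEWAY])
    print(replay(sample_events(), det))
```

Replaying the same events without the protected entry shows the gateway crossing the threshold before the flooding host does, which is the false positive the protected MAC list exists to prevent.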