Configuration example
Network requirements
As shown in Figure 106, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway may crash and cannot process requests from the clients. To solve this problem, configure source MAC address based ARP attack detection on the gateway.
Figure 106: Network diagram
Configuration considerations
An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway in the following steps:
Enable source MAC address based ARP attack detection and specify the filter mode.
Set the threshold.
Set the age timer for detection entries.
Configure the MAC address of the server as a protected MAC address so that it can send ARP packets
Configuration procedure
# Enable source MAC address based ARP attack detection and specify the filter mode.
<Device> system-view [Device] arp anti-attack source-mac filter
# Set the threshold to 30.
[Device] arp anti-attack source-mac threshold 30
# Set the age timer for detection entries to 60 seconds.
[Device] arp anti-attack source-mac aging-time 60
# Configure 0012-3f86-e94c as a protected MAC address.
[Device] arp anti-attack source-mac exclude-mac 0012-3f86-e94c