Configuring source MAC-based ARP attack detection

This feature counts the ARP packets received from the same source MAC address within five seconds and compares the count against a configured threshold. If the threshold is exceeded, the device adds the MAC address to an ARP attack entry. Until that entry ages out, the device handles the attack using whichever of the two handling methods, filter or monitor, was selected with the arp anti-attack source-mac command.

You can exclude the MAC addresses of selected gateways and servers from detection. ARP packets from those MAC addresses are never inspected, so an excluded device is not detected even if it is the source of an attack.

To configure source MAC-based ARP attack detection:

Step 1: Enter system view.
  Command: system-view
  Remarks: N/A

Step 2: Enable source MAC-based ARP attack detection and specify the handling method.
  Command: arp anti-attack source-mac { filter | monitor }
  Remarks: Disabled by default.

Step 3: Configure the threshold.
  Command: arp anti-attack source-mac threshold threshold-value
  Remarks: Optional. By default, the threshold is 50.

Step 4: Configure the lifetime for ARP attack entries.
  Command: arp anti-attack source-mac aging-time time
  Remarks: Optional. 300 seconds by default.

Step 5: Configure excluded MAC addresses.
  Command: arp anti-attack source-mac exclude-mac mac-address&<1-10>
  Remarks: Optional. No MAC address is excluded by default.

After an ARP attack detection entry expires, ARP packets sourced from the MAC address in the entry can be processed normally.
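The following Python model is an added example, not vendor code, that reproduces the behaviour described above so the effect of each setting can be seen on constructed traffic: a five-second counting window, the default threshold of 50 and aging time of 300 seconds, the filter and monitor handling methods, and the exclude list. Two details the text leaves open are modelled as labelled assumptions: the five-second window is treated as a sliding window, and the packet that pushes the count over the threshold is handled under the chosen method together with the packets that follow it. The MAC addresses and traffic pattern are constructed for the demonstration.

```python
from collections import deque

WINDOW_SECONDS = 5          # counting window stated in the feature description
DEFAULT_THRESHOLD = 50      # default of: arp anti-attack source-mac threshold
DEFAULT_AGING_TIME = 300    # default of: arp anti-attack source-mac aging-time (seconds)


class SourceMacArpDetector:
    """Model of source MAC-based ARP attack detection (added example, not vendor code)."""

    def __init__(self, mode="monitor", threshold=DEFAULT_THRESHOLD,
                 aging_time=DEFAULT_AGING_TIME, exclude_macs=()):
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        self.mode = mode
        self.threshold = threshold
        self.aging_time = aging_time
        self.exclude_macs = {m.lower() for m in exclude_macs}   # exclude-mac list
        self.windows = {}          # mac -> timestamps of packets in the last 5 s
        self.attack_entries = {}   # mac -> time at which the ARP attack entry ages out
        self.log = []              # log messages generated when an entry is added

    def _entry_active(self, mac, now):
        """True while an attack entry for mac exists; removes it once it has aged out."""
        expiry = self.attack_entries.get(mac)
        if expiry is None:
            return False
        if now >= expiry:
            del self.attack_entries[mac]   # entry aged out: packets are processed normally again
            return False
        return True

    def process(self, mac, now):
        """Handle one ARP packet from mac at time now; returns 'forward' or 'drop'."""
        mac = mac.lower()
        if mac in self.exclude_macs:
            return "forward"               # excluded addresses are never inspected
        if self._entry_active(mac, now):
            # filter: drop ARP packets from the attacker; monitor: only log, keep forwarding
            return "drop" if self.mode == "filter" else "forward"
        window = self.windows.setdefault(mac, deque())
        window.append(now)
        # Assumption: sliding window; discard timestamps older than five seconds
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) > self.threshold:
            self.attack_entries[mac] = now + self.aging_time
            self.log.append(f"t={now:.2f}: ARP attack entry added for {mac} "
                            f"({len(window)} packets within {WINDOW_SECONDS} s)")
            window.clear()
            # Assumption: the packet that exceeded the threshold is handled like later ones
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def run_scenario(mode, exclude_attacker=False):
    """Constructed traffic: one host bursts 60 ARP packets in 0.6 s, another sends 1/s."""
    attacker = "00:aa:bb:cc:dd:01"    # constructed address
    normal = "00:aa:bb:cc:dd:02"      # constructed address
    detector = SourceMacArpDetector(
        mode=mode, exclude_macs=[attacker] if exclude_attacker else [])
    verdicts = [detector.process(attacker, i * 0.01) for i in range(60)]
    normal_verdicts = [detector.process(normal, float(t)) for t in range(100)]
    return {
        "attacker_forwarded": verdicts.count("forward"),
        "attacker_dropped": verdicts.count("drop"),
        "normal_forwarded": normal_verdicts.count("forward"),
        "entries_logged": len(detector.log),
        "attacker_at_t100": detector.process(attacker, 100.0),   # entry still alive
        "attacker_at_t400": detector.process(attacker, 400.0),   # entry aged out after 300 s
    }


if __name__ == "__main__":
    for mode in ("filter", "monitor"):
        print(mode, run_scenario(mode))
    print("filter + exclude-mac", run_scenario("filter", exclude_attacker=True))
```

In filter mode the first 50 packets of the burst pass, the 51st creates the attack entry and is dropped along with the rest, and a packet at t=100 s is still dropped while one at t=400 s is forwarded because the entry has aged out. Monitor mode logs the same entry but drops nothing, and placing the address on the exclude list suppresses detection entirely, which is why the exclude list should hold only known gateways and servers.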