About source MAC-based ARP attack detection

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device generates an ARP attack entry for the MAC address. If the ARP logging feature is enabled, the device handles the attack by using either of the following methods before the ARP attack entry ages out:

To enable the ARP logging feature, use the arp check log enable command. For information about the ARP logging feature, see ARP in Layer 3—IP Services Configuration Guide.

When an ARP attack entry ages out, ARP packets sourced from the MAC address in the entry can be processed correctly.