Beginning with switch software release 16.01, source MAC based ARP attack detection (ARP throttle) is supported on the following switch models covered in this guide:
- 3800 (KA software)
- 3810M (KB software)
- 5400R (KB software)
Source-MAC based ARP attack detection (ARP throttle) protects the switch CPU from ARP floods by limiting the number of ARP packets the CPU accepts from any one client. The switch treats it as an ARP attack when it receives more ARP packets from the same source MAC address than the configured threshold allows. A "remediation mode" setting determines whether ARP throttle only monitors the rate of ARP packets or actually restricts ARP traffic from an offending client. Where a device sends a large number of ARP packets for legitimate reasons, you can configure ARP throttle to exclude that device from monitoring. Detection keys on the source MAC address and the packet rate only; the contents of the ARP packets are not inspected.
When enabled in the default configuration, ARP throttle:
- monitors incoming ARP packets and "blacklists" clients sending excessive ARP packets to the switch
- maintains a count of clients sending ARP packets to the switch
When configured to filter ARP packet traffic, ARP throttle monitors ARP packet traffic as described above, and also drops ARP packets received from blacklisted clients.
Non-default ARP throttle settings persist when ARP throttle is disabled.
This command enables or disables ARP throttle operation for monitoring or filtering of ARP packets received by the switch from other devices. (Default: disabled.) Enabling ARP throttle uses the currently configured settings to immediately start ARP attack monitoring and, if filter mode is configured, to drop ARP packet traffic from devices transmitting excessive ARP packets.
Syntax
Options
Determines the disposition of ARP packets the switch receives.
Syntax
When ARP throttle is enabled in monitor mode (the default), the switch does the following:
- Monitors ARP packet traffic received by the switch CPU.
- Assigns "blacklist" status to devices generating an excessive number of ARP packets within a five-second period.
- Maintains a running total of the devices from which ARP packets are being received.
When ARP throttle is enabled in filter mode, the switch drops all ARP packet traffic received from blacklisted devices while continuing to perform the above three monitor actions.
Example
Configure the switch to drop ARP packet traffic received from blacklisted devices.
Configures the time in seconds that a blacklisted device remains on the blacklist. (Default: 300 seconds.) If the switch is configured to filter ARP packets as described above, then ARP packets received from blacklisted devices are dropped for as long as the device remains on the blacklist.
Syntax
Example
Configure the switch to reinstate blacklisted clients after 600 seconds on the blacklist.
Specifies the number of ARP packets per five-second period that the switch will accept from a single device. (Default: 30.) Exceeding this rate places the source device on the blacklist. If the switch is configured to filter ARP packets as described for remediation mode, then ARP packets received from blacklisted devices are dropped.
Syntax
Example
Configure the switch to blacklist a client from which it receives more than eight ARP packets in a five second period.
Excludes traffic from a device having the specified MAC address from ARP packet monitoring and filtering, and adds the MAC address to the Excluded MAC List in the output of the show ip arp-throttle command. You can exclude up to ten MAC addresses. Because the exclusion keys on the source MAC address alone, a client that spoofs an excluded address is not throttled either; keep the list as short as possible.
Syntax
Options
Where exclude-mac has been used to exclude traffic from a device having the specified MAC address from ARP packet monitoring and filtering, the no option returns ARP packet traffic from that device to IP ARP throttling and removes the device MAC address from the Excluded MAC List.
Example
Exclude the clients having the following two MAC addresses from IP ARP throttling, then use show ip arp-throttle to view the result in the Excluded MAC List:
- 001018-0158c8
- 01555d-c95d0a

switch(config)# ip arp-throttle exclude-mac 001018-0158c8 01555d-c95d0a
switch(config)# show ip arp-throttle

 Source MAC Based ARP Attack Detection Information

  Enabled             : Yes
  Remediation Mode    : Filter
  Threshold (pkt)     : 30
  Blacklist Age (sec) : 300

  Excluded MAC List
  -----------------
  001018-0158c8
  01555d-c95d0a

  Clients in Blacklist  : 3
  Clients Being Tracked : 190
Restore the client having the MAC address 001018-0158c8 to IP ARP throttling and then use show ip arp-throttle to view the result in the Excluded MAC List:

switch(config)# no ip arp-throttle exclude-mac 001018-0158c8
switch(config)# show ip arp-throttle

 Source MAC Based ARP Attack Detection Information

  Enabled             : Yes
  Remediation Mode    : Filter
  Threshold (pkt)     : 30
  Blacklist Age (sec) : 300

  Excluded MAC List
  -----------------
  01555d-c95d0a

  Clients in Blacklist  : 4
  Clients Being Tracked : 189
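The following is an added example, not switch code: a Python model of the behaviour described above for the threshold, blacklist age, remediation mode and excluded-MAC settings, so the interaction of the settings can be traced on a constructed packet stream. The class name, the method names and the way the five-second window and the ageing timer are measured (a tumbling window per source MAC starting at its first packet, and ageing measured from the moment of blacklisting) are assumptions made for the model; the switch's internal bookkeeping is not documented on this page.

```python
from collections import defaultdict

WINDOW_SECONDS = 5  # the five-second counting period described above


class ArpThrottle:
    """Per-source-MAC ARP rate limiter with monitor/filter remediation (model)."""

    def __init__(self, threshold=30, blacklist_age=300, mode="monitor",
                 exclude_macs=()):
        if mode not in ("monitor", "filter"):
            raise ValueError("remediation mode must be 'monitor' or 'filter'")
        if len(exclude_macs) > 10:
            raise ValueError("at most ten MAC addresses can be excluded")
        self.threshold = threshold          # packets allowed per window (default 30)
        self.blacklist_age = blacklist_age  # seconds a client stays blacklisted (default 300)
        self.mode = mode
        self.excluded = {m.lower() for m in exclude_macs}
        self.counts = defaultdict(int)      # ARP packets in the current window, per MAC
        self.window_start = {}              # start time of the current window, per MAC
        self.blacklist = {}                 # MAC -> time it was blacklisted
        self.tracked = set()                # MACs from which ARP has been seen
        self.events = []                    # (time, action, mac) audit trail

    def _age_blacklist(self, now):
        # Assumption: an entry expires blacklist_age seconds after blacklisting.
        for mac, since in list(self.blacklist.items()):
            if now - since >= self.blacklist_age:
                del self.blacklist[mac]
                self.events.append((now, "unblacklist", mac))

    def receive(self, now, src_mac):
        """Process one ARP packet arriving at time `now`; return its disposition."""
        mac = src_mac.lower()
        self._age_blacklist(now)
        if mac in self.excluded:
            return "accepted"               # excluded: neither counted nor filtered
        self.tracked.add(mac)
        if mac in self.blacklist:
            if self.mode == "filter":
                self.events.append((now, "drop", mac))
                return "dropped"
            return "accepted"               # monitor mode only records the state
        # Assumption: a fresh window starts with the first packet seen after
        # the previous window expired (tumbling window per MAC).
        start = self.window_start.get(mac)
        if start is None or now - start >= WINDOW_SECONDS:
            self.window_start[mac] = now
            self.counts[mac] = 0
        self.counts[mac] += 1
        if self.counts[mac] > self.threshold:
            self.blacklist[mac] = now
            self.events.append((now, "blacklist", mac))
        # Assumption: the packet that crosses the threshold is itself accepted;
        # filtering applies from the next packet on.
        return "accepted"

    def status(self):
        """Counters in the shape of the show ip arp-throttle output."""
        return {
            "enabled": True,
            "remediation_mode": self.mode,
            "threshold": self.threshold,
            "blacklist_age": self.blacklist_age,
            "excluded_macs": sorted(self.excluded),
            "clients_in_blacklist": len(self.blacklist),
            "clients_being_tracked": len(self.tracked),
        }


if __name__ == "__main__":
    # Constructed traffic: one flooding client, one excluded chatty client and
    # one normal client; threshold lowered to 8 so the flood is short.
    t = ArpThrottle(threshold=8, blacklist_age=20, mode="filter",
                    exclude_macs=["001018-0158c8"])
    for i in range(10):
        print(f"t={i * 0.1:.1f} 20fdf1-e0935b -> {t.receive(i * 0.1, '20fdf1-e0935b')}")
    for _ in range(50):
        t.receive(0.5, "001018-0158c8")     # excluded, never tracked or dropped
    t.receive(1.0, "d0bf9c-13c149")
    print(t.status())
    print("after ageing:", t.receive(30.0, "20fdf1-e0935b"),
          t.status()["clients_in_blacklist"])
```

Running the model shows the points a practitioner cares about: in filter mode the ninth packet in a window trips the threshold and the tenth is dropped, in monitor mode the same client is blacklisted but nothing is dropped, the excluded client never appears in "Clients Being Tracked", and the blacklisted client is accepted again once the blacklist age has elapsed.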
This command shows the current ARP throttle configuration, excluded MAC list, and client statistics.
Syntax
Example
This output indicates that ARP throttle is enabled and filtering ARP packets according to the default packet threshold and aging-time settings. ARP packets from the device identified as 000f20-aeaec0 are excluded from ARP throttling, and the statistics show 4 blacklisted clients and ARP packet traffic from 180 clients being tracked.

switch# show ip arp-throttle

 Source MAC Based ARP Attack Detection Information

  Enabled             : Yes
  Remediation Mode    : Filter
  Threshold (pkt)     : 30
  Blacklist Age (sec) : 300

  Excluded MAC List
  -----------------
  000f20-aeaec0

  Clients in Blacklist  : 4
  Clients Being Tracked : 180
NOTE: The "Clients in Blacklist" and "Clients Being Tracked" counters shown above operate only while ARP throttle is enabled. Rebooting the switch restarts the counters from zero. Executing any of the following commands also resets these counters to zero:
NOTE: If a failover occurs on a 5400R switch, the switch maintains the blacklist status of any currently blacklisted clients. However, the current list of tracked clients is cleared and restarted.
The switch event log records an entry when ip arp-throttle blacklists a client, removes a client from the blacklist, or drops an ARP packet received from a blacklisted client. Use the show logging command to display entries for these actions.
Example
switch# show logging -r

 Keys: W=Warning I=Information M=Major D=Debug E=Error
 ---- Reverse event Log listing: Events Since Boot ----
 W 02/16/16 22:57:16 02539 arpt: ST1-CMDR: Client 20fdf1-e0935b exceeds the limit of ARP packets and is blacklisted.
 W 02/16/16 22:57:16 02541 arpt: ST1-CMDR: An ARP packet from blacklist client 20fdf1-e0935b is dropped. (4 times in 60 seconds)
 W 02/16/16 22:57:03 02539 arpt: ST1-CMDR: Client d0bf9c-13c149 exceeds the limit of ARP packets and is blacklisted.
 I 02/16/16 21:52:05 02540 arpt: ST1-CMDR: Client 20fdf1-e0935b is moved out of blacklist due to inactivity.
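As an added example (not switch code or part of this guide), the following Python parser turns arpt event-log entries of the kind shown above into structured events, restores chronological order (show logging -r lists newest first), expands the "(N times in M seconds)" repeat suppression into a packet count, and flags clients that were blacklisted again after being released. The sample log is constructed from the entries on this page; events are classified on the message text, and the function names are the example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the show logging -r entries above.
SAMPLE_LOG = """\
switch# show logging -r
Keys: W=Warning I=Information M=Major D=Debug E=Error
---- Reverse event Log listing: Events Since Boot ----
W 02/16/16 22:57:16 02539 arpt: ST1-CMDR: Client 20fdf1-e0935b exceeds the limit of ARP packets and is blacklisted.
W 02/16/16 22:57:16 02541 arpt: ST1-CMDR: An ARP packet from blacklist client 20fdf1-e0935b is dropped. (4 times in 60 seconds)
W 02/16/16 22:57:03 02539 arpt: ST1-CMDR: Client d0bf9c-13c149 exceeds the limit of ARP packets and is blacklisted.
I 02/16/16 21:52:05 02540 arpt: ST1-CMDR: Client 20fdf1-e0935b is moved out of blacklist due to inactivity.
"""

LINE_RE = re.compile(
    r"^(?P<sev>[WIMDE]) (?P<stamp>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (?P<evid>\d{5}) "
    r"arpt: (?P<member>[^:]+): (?P<msg>.*)$"
)
MAC_RE = re.compile(r"\b([0-9a-f]{6}-[0-9a-f]{6})\b", re.I)
REPEAT_RE = re.compile(r"\((\d+) times in (\d+) seconds\)")


def classify(msg):
    """Map the three arpt message forms shown above to an action name."""
    if "is blacklisted" in msg:
        return "blacklist"
    if "moved out of blacklist" in msg:
        return "release"
    if "is dropped" in msg:
        return "drop"
    return "other"


def parse_arpt_log(text):
    """Parse arpt lines from show logging output; non-arpt lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mac = MAC_RE.search(m["msg"])
        rep = REPEAT_RE.search(m["msg"])
        events.append({
            "time": datetime.strptime(m["stamp"], "%m/%d/%y %H:%M:%S"),
            "severity": m["sev"],
            "event_id": m["evid"],
            "member": m["member"],
            "action": classify(m["msg"]),
            "mac": mac.group(1).lower() if mac else None,
            # a suppressed repeat line stands for N identical events
            "count": int(rep.group(1)) if rep else 1,
        })
    events.sort(key=lambda e: e["time"])  # stable sort: -r output is newest-first
    return events


def summarize(events):
    """Per-client totals: blacklist entries, releases and dropped ARP packets."""
    per_client = defaultdict(lambda: {"blacklisted": 0, "released": 0, "dropped": 0})
    for e in events:
        if e["mac"] is None:
            continue
        c = per_client[e["mac"]]
        if e["action"] == "blacklist":
            c["blacklisted"] += 1
        elif e["action"] == "release":
            c["released"] += 1
        elif e["action"] == "drop":
            c["dropped"] += e["count"]
    return dict(per_client)


def repeat_offenders(events):
    """MACs blacklisted again after a release: worth investigating at the port
    rather than leaving them to cycle through the blacklist age repeatedly."""
    released, offenders = set(), set()
    for e in events:  # events are in chronological order
        if e["action"] == "release":
            released.add(e["mac"])
        elif e["action"] == "blacklist" and e["mac"] in released:
            offenders.add(e["mac"])
    return sorted(offenders)


if __name__ == "__main__":
    evs = parse_arpt_log(SAMPLE_LOG)
    for e in evs:
        print(e["time"], e["action"], e["mac"], e["count"])
    print(summarize(evs))
    print("repeat offenders:", repeat_offenders(evs))
```

On the sample, 20fdf1-e0935b was released at 21:52:05 and blacklisted again at 22:57:16, so it is reported as a repeat offender, and the single suppressed drop line is counted as four dropped packets.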