2 arp attack defense configuration, Configuring arp active acknowledgement, Introduction – H3C Technologies H3C S5120 Series Switches User Manual

2-1

2

ARP Attack Defense Configuration

Although ARP is easy to implement, it provides no security mechanism and thus is prone to network

attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide

multiple features to detect and prevent such attacks.

Configuring ARP Active Acknowledgement

Introduction

Typically, the ARP active acknowledgement feature is configured on gateway devices to identify invalid

ARP packets.

With this feature enabled, the gateway, upon receiving an ARP packet with a different source MAC

address from that in the corresponding ARP entry, checks whether the ARP entry has been updated

within the last minute:

z

If yes, the gateway does not update the ARP entry;

z

If not, the gateway unicasts an ARP request to the source MAC address of the ARP entry.

Then,

z

If an ARP reply is received within five seconds, the ARP packet is ignored;

z

If not, the gateway unicasts an ARP request to the MAC address of the ARP packet.

Then,

z

If an ARP reply is received within five seconds, the gateway updates the ARP entry;

z

If not, the ARP entry is not updated.

Configuring the ARP Active Acknowledgement Function

Follow these steps to configure ARP active acknowledgement:

To do…

Use the command…

Remarks

Enter system view

system-view

—

Enable the ARP active
acknowledgement function

arp anti-attack active-ack
enable

Required

Disabled by default.

Configuring Source MAC Address Based ARP Attack Detection

Introduction

This feature allows the device to check the source MAC address of ARP packets. If the number of ARP

packets sent from a MAC address within five seconds exceeds the specified value, the device

considers this an attack.

Only the ARP packets delivered to the CPU are detected.