Arp attack defense configuration example ii, Network requirements, Network diagram – H3C Technologies H3C S3100 Series Switches User Manual


[Switch] interface Ethernet 1/0/2
[Switch-Ethernet1/0/2] arp filter source 192.168.100.1
[Switch-Ethernet1/0/2] quit

# Configure ARP packet filtering based on the gateway's IP address on Ethernet 1/0/3.
[Switch] interface Ethernet 1/0/3
[Switch-Ethernet1/0/3] arp filter source 192.168.100.1
[Switch-Ethernet1/0/3] quit

ARP Attack Defense Configuration Example II

Network Requirements

Host A and Host B are connected to Gateway (Switch A) through a Layer 2 switch (Switch B). To prevent ARP attacks such as ARP flooding:

- Enable ARP packet source MAC address consistency check on Switch A to block ARP packets with the sender MAC address different from the source MAC address in the Ethernet header.
- Limit the number of dynamic ARP entries learned on VLAN-interface 1.

Network Diagram

Figure 1-3 Network diagram for ARP attack defense II (diagram not reproduced: Host A and Host B attach to Switch B, which connects to Switch A (Gateway) on Vlan-int 192.168.1.1/24)

Configuration Procedures

# Enter system view.
<SwitchA> system-view

# Enable ARP source MAC address consistency check.
[SwitchA] arp anti-attack valid-check enable

# Enter VLAN-interface 1 view.
[SwitchA] interface vlan-interface 1

# Configure an IP address for VLAN-interface 1.
[SwitchA-Vlan-interface1] ip address 192.168.1.1/24

# Configure the maximum number of ARP entries that can be learned by VLAN-interface 1 as 500.
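The two defenses configured above (the source MAC consistency check and the per-interface dynamic ARP entry limit) can be modelled in software to see exactly which frames the gateway would drop. The following is an added illustration, not H3C code or any switch's actual implementation; the frames, MAC and IP values, and the class and function names are constructed for the demo, and the entry cap is a parameter rather than the 500 used in the example.

```python
import struct

# Constructed model of two ARP defenses: Ethernet-source/ARP-sender MAC
# consistency and a dynamic ARP entry cap per VLAN interface.
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, SHA, SPA, THA, TPA
ETHERTYPE_ARP = 0x0806

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def ip(text):
    return bytes(int(octet) for octet in text.split("."))

def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, opcode=2):
    """Build an Ethernet II + ARP frame (constructed test input, not a capture)."""
    hdr = ETH_HDR.pack(mac("ff:ff:ff:ff:ff:ff"), mac(eth_src), ETHERTYPE_ARP)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, opcode, mac(sender_mac), ip(sender_ip),
                       mac("00:00:00:00:00:00"), ip(target_ip))
    return hdr + arp

def source_mac_consistent(frame):
    """Model of the valid-check: True only if the Ethernet source MAC equals the ARP sender MAC."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return False                          # truncated frame: treat as invalid
    _, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return False
    sha = ARP_PKT.unpack_from(frame, ETH_HDR.size)[5]
    return eth_src == sha

class VlanInterfaceArp:
    """Dynamic ARP table of one VLAN interface with a learning cap (hypothetical model)."""
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.entries = {}                     # sender IP (bytes) -> sender MAC (bytes)
        self.dropped = []                     # (reason, frame), useful for monitoring

    def process(self, frame):
        """Apply the consistency check, then the entry cap; return True if the frame is accepted."""
        if not source_mac_consistent(frame):
            self.dropped.append(("mac-mismatch", frame))
            return False
        fields = ARP_PKT.unpack_from(frame, ETH_HDR.size)
        sha, spa = fields[5], fields[6]
        # A new sender IP beyond the cap is not learned; refreshing a known entry is still allowed.
        if spa not in self.entries and len(self.entries) >= self.max_entries:
            self.dropped.append(("limit-reached", frame))
            return False
        self.entries[spa] = sha
        return True
```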
