Arp attack defense configuration, Overview, Configuring arp detection – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

ARP attack defense configuration

Overview

Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features.

With ARP detection enabled for a specific VLAN, ARP messages arriving on any interface in the VLAN are redirected to the CPU to have their sender MAC and IP addresses checked. ARP messages that pass the check are forwarded; otherwise, they are discarded.
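
The check described above, sketched as an added example (not H3C's code and not part of the manual): a simplified model that parses an ARP payload and forwards it only when the sender IP/MAC pair matches a binding entry for the VLAN. The binding table, function names and sample packets are constructed for illustration.

```python
import ipaddress
import struct

# Constructed binding table: (VLAN, sender IP) -> sender MAC. On a device,
# entries like these would come from DHCP snooping or static bindings.
BINDINGS = {
    (10, "192.168.10.5"): "00:11:22:33:44:55",
    (10, "192.168.10.1"): "00:aa:bb:cc:dd:01",
}

# ARP layout for Ethernet/IPv4: htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")


def parse_arp(payload: bytes):
    """Return (sender_mac, sender_ip), or None if the payload is malformed."""
    if len(payload) < ARP_HDR.size:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or oper not in (1, 2):
        return None
    return ":".join(f"{b:02x}" for b in sha), str(ipaddress.IPv4Address(spa))


def arp_verdict(vlan: int, payload: bytes, bindings=BINDINGS) -> str:
    """Forward only if the sender IP/MAC pair matches a binding in this VLAN."""
    parsed = parse_arp(payload)
    if parsed is None:
        return "discard"
    mac, ip = parsed
    return "forward" if bindings.get((vlan, ip)) == mac else "discard"


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a constructed sample ARP payload for exercising the check."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    def ip(a):
        return ipaddress.IPv4Address(a).packed
    return ARP_HDR.pack(1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))


if __name__ == "__main__":
    legit = build_arp(2, "00:11:22:33:44:55", "192.168.10.5", "00:aa:bb:cc:dd:01", "192.168.10.1")
    # Sender claims the gateway's IP with a MAC that is not bound to it.
    mismatch = build_arp(2, "00:11:22:33:44:55", "192.168.10.1", "00:aa:bb:cc:dd:01", "192.168.10.5")
    for name, pkt in (("legit", legit), ("mismatch", mismatch), ("truncated", legit[:20])):
        print(name, arp_verdict(10, pkt))
```
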

NOTE:

For more information about ARP attack protection configuration, see H3C WX3000E Series Wireless Switches Switching Engine Configuration Guide.

Configuring ARP detection

NOTE:

If both ARP detection based on specified objects and ARP detection based on static IP Source Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses are enabled, the former applies first, and then the latter applies.

1. Select Network > ARP Anti-Attack from the navigation tree to enter the default ARP Detection page shown in Figure 197.

Figure 197 ARP Detection configuration page

2. Configure ARP detection as described in Table 68.
