Manualshelf

R211x-HP Flexfabric 11900 Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP FlexFabric 11000 Switch Products
221222223224225226227228229230
221
Configuration example
Network requirements
As shown in Figure 69, the hosts access the Internet through a gateway (Device). If malicious users send
a large number of ARP requests to the gateway, the gateway might crash and cannot process requests
from the clients. To solve this problem, configure source MAC-based ARP attack detection on the
gateway.
Figure 69 Network diagram
Configuration considerations
An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the
source MAC address. To prevent such attacks, configure the gateway in the following steps:
1. Enable source MAC-based ARP attack detection and specify the handling method as filter.
2. Set the threshold.
3. Set the lifetime for ARP attack entries.
4. Exclude the MAC address of the server from this detection.
Configuration procedure
# Enable source MAC-based ARP attack detection, and specify the handling method as filter.
<Device> system-view
[Device] arp source-mac filter
# Set the threshold to 50.
[Device] arp source-mac threshold 50
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
IP network
Gateway
Device
Host A Host B Host C Host D
ARP attack protection
Server
0012-3f86-e94c