4000 Router Series Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP MSR3024 TAA-compliant AC Router

281

282

283

284

285

286

287

288

289

290

276

Configuring source MAC-based ARP attack

detection

This feature checks the number of ARP packets received from the same MAC address within 5 seconds

against a specific threshold. If the threshold is exceeded, the device adds the MAC address in an ARP

attack entry. Before the entry is aged out, the device handles the attack by using either of the following

methods:

• Monitor—Only generates log messages.

• Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.

You can exclude the MAC addresses of some gateways and servers from this detection. This feature does

not inspect ARP packets from those devices even if they are attackers.

Configuration procedure

To configure source MAC-based ARP attack detection:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Enable source MAC-based

ARP attack detection and

specify the handling method.

arp source-mac { filter | monitor } By default, this feature is disabled.

3. Configure the threshold.

arp source-mac threshold

threshold-value

By default, the threshold is 30.

4. Configure the aging timer for

ARP attack entries.

arp source-mac aging-time time

By default, the lifetime is 300

seconds.

5. (Optional.) Exclude specified

MAC addresses from this

detection.

arp source-mac exclude-mac

mac-address&<1-n>

By default, no MAC address is

excluded.

The value of n is 64.

NOTE:

hen an ARP attack entry expires, ARP packets sourced from the MAC address in the entry can be

processed correctly.

Displaying and maintaining source MAC-based ARP attack

detection

Execute display commands in any view.

Task Command

Display ARP attack entries detected by source

MAC-based ARP attack detection

(MSR2000/MSR3000).

display arp source-mac [ interface interface-type

interface-number ]