Configuring ARP attack protection
Overview
Although ARP is easy to implement, it provides no security mechanism and thus is prone to network
attacks. An attacker may send:
• ARP packets by acting as a trusted user or gateway, so that the receiving switch obtains incorrect ARP entries.
• A large number of IP packets with unreachable destinations. As a result, the receiving switch continuously resolves destination IP addresses and thus its CPU is overloaded.
• A large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White
Paper.
ARP attacks and viruses are threatening LAN security. This chapter introduces switch features to detect
and prevent such attacks.
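The spoofing and ARP flood cases above can be recognized in a packet capture. The following is an added example, not taken from the switch documentation or its implementation: it parses raw ARP frames and flags a frame whose Ethernet source MAC differs from the ARP sender MAC, a trusted IP address claimed by an unexpected MAC, and a source MAC that exceeds a packet count. The function names, the trusted binding table, the threshold and all sample addresses are assumptions constructed for illustration.

```python
import struct
from collections import Counter

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_arp(frame):
    """Parse an untagged Ethernet II frame carrying IPv4 ARP; return None otherwise."""
    if len(frame) < 42:
        return None
    _dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    htype, ptype, hlen, plen, op, sha, spa = struct.unpack("!HHBBH6s4s", frame[14:32])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_src": _mac(eth_src), "op": op, "sender_mac": _mac(sha),
            "sender_ip": ".".join(map(str, spa))}

def audit(frames, trusted, flood_threshold):
    """Flag spoofing and flood indicators; trusted maps IP -> expected MAC."""
    findings, per_mac = [], Counter()
    for i, raw in enumerate(frames):
        p = parse_arp(raw)
        if p is None:
            continue
        per_mac[p["eth_src"]] += 1
        # Frame header and ARP payload disagree about who sent the packet.
        if p["eth_src"] != p["sender_mac"]:
            findings.append((i, "mac-mismatch", p["sender_ip"]))
        # A known address (e.g. the gateway) is claimed by an unexpected MAC.
        expected = trusted.get(p["sender_ip"])
        if expected is not None and expected != p["sender_mac"]:
            findings.append((i, "binding-conflict", p["sender_ip"]))
    # Simplified flood check: total ARP packets per source MAC in the capture.
    findings += [(None, "flood", m) for m, n in per_mac.items() if n > flood_threshold]
    return findings

def build(eth_src, sender_mac, sender_ip, op=2):
    """Construct one sample frame (test data only; nothing is sent)."""
    h = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(map(int, a.split(".")))
    return (b"\xff" * 6 + h(eth_src) + struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
            + h(sender_mac) + ip(sender_ip) + b"\x00" * 6 + ip("192.0.2.50"))

# Constructed sample values (documentation range, locally administered MACs).
GW_IP, GW_MAC, HOST, ROGUE = "192.0.2.1", "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
TRUSTED = {GW_IP: GW_MAC}
SAMPLE = [build(GW_MAC, GW_MAC, GW_IP), build(HOST, HOST, "192.0.2.10"),
          build(ROGUE, ROGUE, GW_IP), build(ROGUE, GW_MAC, GW_IP)] + [build(ROGUE, ROGUE, "192.0.2.66")] * 5

if __name__ == "__main__":
    for finding in audit(SAMPLE, TRUSTED, flood_threshold=5):
        print(finding)
```

The flood check here counts packets over the whole capture; a device-side limit would count within a time window.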
ARP attack protection configuration task list
| Category | Task | Remarks |
|---|---|---|
| Flood prevention | Configuring ARP defense against IP packet attacks: Configuring ARP source suppression | Optional. Configure this function on gateways (recommended). |
| Flood prevention | Configuring ARP defense against IP packet attacks: Enabling ARP black hole routing | Optional. Configure this function on gateways (recommended). |
| Flood prevention | Configuring ARP packet rate limit | Optional. Configure this function on access devices (recommended). |
| Flood prevention | Configuring source MAC address based ARP attack detection | Optional. Configure this function on gateways (recommended). |
| User and gateway spoofing prevention | Configuring ARP packet source MAC address consistency check | Optional. Configure this function on gateways (recommended). |
| User and gateway spoofing prevention | Configuring ARP active acknowledgement | Optional. Configure this function on gateways (recommended). |
| User and gateway spoofing prevention | Configuring authorized ARP | Optional. Configure this function on gateways (recommended). |