| To do… | Use the command… | Remarks |
|---|---|---|
| Enter Ethernet port view | interface interface-type interface-number | — |
| Enable the ARP packet rate limit function | arp rate-limit enable | Required. By default, the ARP packet rate limit function is disabled on a port. |
| Configure the maximum ARP packet rate allowed on the port | arp rate-limit rate | Optional. By default, the maximum ARP packet rate allowed on a port is 15 pps. |
| Quit to system view | quit | — |
| Enable the port state auto-recovery function | arp protective-down recover enable | Optional. Disabled by default. |
| Configure the port state auto-recovery interval | arp protective-down recover interval interval | Optional. By default, when the port state auto-recovery function is enabled, the port state auto-recovery interval is 300 seconds. |
• You need to enable the port state auto-recovery function before you can configure the port state auto-recovery interval.
• It is not recommended to configure the ARP packet rate limit function on the ports of a fabric or an aggregation group.
ARP Attack Defense Configuration Example
ARP Attack Defense Configuration Example I
Network requirements
As shown in Figure 2-3, Ethernet 1/0/1 of Switch A connects to the DHCP server, Ethernet 1/0/2 connects to Client A, and Ethernet 1/0/3 connects to Client B. Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 belong to VLAN 1.
• Enable DHCP snooping on Switch A and specify Ethernet 1/0/1 as the DHCP snooping trusted port.
• Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks, and specify Ethernet 1/0/1 as the ARP trusted port.
• Enable the ARP packet rate limit function on Ethernet 1/0/2 and Ethernet 1/0/3 of Switch A, so as to prevent Client A and Client B from attacking Switch A through ARP traffic.
• Enable the port state auto-recovery function on the ports of Switch A, and set the recovery interval to 200 seconds.
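The following is an added walk-through, not part of the original manual, that applies the ARP packet rate limit and port state auto-recovery steps from the procedure table to the two client-facing ports of this example, using the 200-second recovery interval the requirements call for. It assumes the usual Comware CLI conventions (the `system-view` command and the `<SwitchA>` / `[SwitchA-Ethernet1/0/2]` prompts), that `rate` in `arp rate-limit rate` is the parameter placeholder (italics are lost in this text) so the typed command is `arp rate-limit 20`, and that 20 pps is a constructed limit (the page states only the 15 pps default). The DHCP snooping and ARP attack detection steps of the example are not shown because their commands are not on this page.

```text
# Added example (not from the manual). Assumed: Comware prompts and "system-view";
# the 20 pps limit is a constructed value chosen above the 15 pps default.
<SwitchA> system-view
# Ethernet 1/0/2 (Client A): enable the rate limit, then set the maximum rate.
[SwitchA] interface Ethernet 1/0/2
[SwitchA-Ethernet1/0/2] arp rate-limit enable
[SwitchA-Ethernet1/0/2] arp rate-limit 20
[SwitchA-Ethernet1/0/2] quit
# Ethernet 1/0/3 (Client B): same settings.
[SwitchA] interface Ethernet 1/0/3
[SwitchA-Ethernet1/0/3] arp rate-limit enable
[SwitchA-Ethernet1/0/3] arp rate-limit 20
[SwitchA-Ethernet1/0/3] quit
# Port state auto-recovery is configured in system view. The enable command
# must come first; the interval command is rejected while the function is disabled.
[SwitchA] arp protective-down recover enable
[SwitchA] arp protective-down recover interval 200
```

The rate limit is per port and is left off the uplink (Ethernet 1/0/1) on purpose: a DHCP server or upstream switch legitimately sources more ARP traffic than a single client, and the note above also advises against rate-limiting fabric or aggregation-group ports. With auto-recovery enabled, a port that the rate limit shuts down returns to service after 200 seconds, so a client that keeps flooding is repeatedly disabled rather than permanently isolated; if the recovery interval were left at the 300-second default the example's requirement would not be met.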