The configuration of arp attack detection and packet rate limit on H3C S3100-EI
I Requirement for the diagram
As shown in the following topology, Ethernet1/0/1 of Switch A (S3100-EI) connects to DHCP Server; Ethernet1/0/2 connects to Client A, Ethernet1/0/3 connects to Client B. Ethernet1/0/1, Ethernet1/0/2 and Ethernet1/0/3 belong to VLAN 1.
(1) Enable DHCP snooping on Switch A and specify Ethernet1/0/1 as the DHCP snooping trusted port.
(2) Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks, and specify Ethernet1/0/1 as the ARP trusted port.
(3) Enable the ARP packet rate limit function on Ethernet1/0/2 and Ethernet1/0/3 of Switch A, so as to prevent Client A and Client B from attacking Switch A through ARP traffic.
(4) Enable the port state auto recovery function on the ports of Switch A, and set the recovery interval to 200 seconds.
II Network topology
III Steps of configuration
# Enable DHCP snooping on Switch A.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify Ethernet1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
[SwitchA] interface Ethernet1/0/1
[SwitchA-Ethernet1/0/1] dhcp-snooping trust
[SwitchA-Ethernet1/0/1] arp detection trust
[SwitchA-Ethernet1/0/1] quit
# Enable ARP attack detection on all ports in VLAN 1.
[SwitchA] vlan 1
[SwitchA-vlan1] arp detection enable
[SwitchA-vlan1] quit
# Enable the ARP packet rate limit function on Ethernet1/0/2, and set the maximum ARP packet rate allowed on the port to 20 pps.
[SwitchA] interface Ethernet1/0/2
[SwitchA-Ethernet1/0/2] arp rate-limit enable
[SwitchA-Ethernet1/0/2] arp rate-limit 20
[SwitchA-Ethernet1/0/2] quit
# Enable the ARP packet rate limit function on Ethernet1/0/3, and set the maximum ARP packet rate allowed on the port to 50 pps.
[SwitchA] interface Ethernet1/0/3
[SwitchA-Ethernet1/0/3] arp rate-limit enable
[SwitchA-Ethernet1/0/3] arp rate-limit 50
[SwitchA-Ethernet1/0/3] quit
# Configure the port state auto recovery function, and set the recovery interval to 200 seconds.
[SwitchA] arp protective-down recover enable
[SwitchA] arp protective-down recover interval 200
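The behaviour that the configuration above produces, as an added Python model written for this page (it is not H3C code and not part of the original case). The DHCP snooping binding table, the client IP/MAC values and the exact protective-down semantics (a port exceeding its limit is shut down and comes back after the recovery interval) are assumptions made for the illustration; the port names, limits and interval are the ones configured above.

```python
from collections import defaultdict

# Binding table as DHCP snooping would learn it on Switch A (constructed sample values).
BINDINGS = {("Ethernet1/0/2", 1): ("10.0.1.2", "00:11:22:33:44:02"),
            ("Ethernet1/0/3", 1): ("10.0.1.3", "00:11:22:33:44:03")}
TRUSTED = {"Ethernet1/0/1"}                               # arp detection trust
RATE_LIMIT = {"Ethernet1/0/2": 20, "Ethernet1/0/3": 50}  # arp rate-limit, in pps
RECOVER_INTERVAL = 200                                    # arp protective-down recover interval (s)


class SwitchA:
    def __init__(self):
        self.down_since = {}              # port -> time it was protectively shut down
        self.counts = defaultdict(int)    # (port, whole second) -> ARP packets seen

    def port_up(self, port, now):
        """Auto recovery (assumed model): a shut-down port returns after RECOVER_INTERVAL."""
        if port in self.down_since and now - self.down_since[port] >= RECOVER_INTERVAL:
            del self.down_since[port]
        return port not in self.down_since

    def handle_arp(self, port, vlan, sender_ip, sender_mac, now):
        """Fate of one ARP packet arriving on `port`: 'forward', 'drop' or 'port-down'."""
        if not self.port_up(port, now):
            return "port-down"
        # ARP packet rate limit: count packets per port per second on limited ports;
        # exceeding the limit shuts the port down (protective-down) until recovery.
        if port in RATE_LIMIT:
            key = (port, int(now))
            self.counts[key] += 1
            if self.counts[key] > RATE_LIMIT[port]:
                self.down_since[port] = now
                return "port-down"
        # ARP attack detection: a trusted port passes everything; an untrusted port
        # forwards only if sender IP/MAC match the DHCP snooping binding for that port.
        if port in TRUSTED or BINDINGS.get((port, vlan)) == (sender_ip, sender_mac):
            return "forward"
        return "drop"
```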
IV Key notes in the configuration
None.