D-Link DES-7200 Refrigerator User Manual


DES-7200 Configuration Guide Chapter 12 NFPP Configuration
dropped when the packet rate exceeds the rate-limit threshold. When the ARP packet rate
exceeds the warning threshold, the device displays warning messages and sends a TRAP
message. Host-based attack detection can isolate the attack source.
In addition, ARP-guard can detect ARP scans. An ARP scan takes one of two forms: the
link-layer source MAC address stays fixed while the source IP address changes, or the source
MAC address and source IP address stay fixed while the destination IP address changes.
DES-7200 products detect only the first form (the link-layer source MAC address stays fixed
while the source IP address changes).
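The two ARP-scan forms defined above, written as a detector over one monitoring window. This is an added example, not code from the D-Link manual or firmware; the threshold value, function name and sample addresses are assumptions. The DES-7200 detects only the first form, while this example classifies both.

```python
from collections import defaultdict

# Assumed threshold: distinct addresses seen in one monitoring window before
# a sender is flagged. The page does not give the device's actual value.
SCAN_THRESHOLD = 5

MAC_FIXED_SRC_IP_CHANGING = "src-mac fixed, src-ip changing"
SRC_FIXED_DST_IP_CHANGING = "src-mac and src-ip fixed, dst-ip changing"


def detect_arp_scans(requests, threshold=SCAN_THRESHOLD):
    """Classify ARP requests from one monitoring window.

    requests: iterable of (src_mac, src_ip, dst_ip) tuples.
    Returns a sorted list of (pattern, src_mac, src_ip_or_None) findings.
    """
    src_ips_by_mac = defaultdict(set)      # src_mac -> {src_ip}
    dst_ips_by_sender = defaultdict(set)   # (src_mac, src_ip) -> {dst_ip}
    for src_mac, src_ip, dst_ip in requests:
        mac = src_mac.lower()              # MAC case must not split one host in two
        src_ips_by_mac[mac].add(src_ip)
        dst_ips_by_sender[(mac, src_ip)].add(dst_ip)

    findings = []
    for mac, src_ips in src_ips_by_mac.items():
        if len(src_ips) >= threshold:
            findings.append((MAC_FIXED_SRC_IP_CHANGING, mac, None))
    for (mac, src_ip), dst_ips in dst_ips_by_sender.items():
        if len(dst_ips) >= threshold:
            findings.append((SRC_FIXED_DST_IP_CHANGING, mac, src_ip))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


# Constructed sample window (documentation addresses, not captured traffic).
SAMPLE = (
    # Host A: one MAC cycling through source IPs (first form).
    [("00:00:5E:00:53:0A", f"192.0.2.{i}", "192.0.2.254") for i in range(10, 16)]
    # Host B: fixed MAC and source IP sweeping destinations (second form).
    + [("00:00:5e:00:53:0b", "192.0.2.50", f"192.0.2.{i}") for i in range(100, 108)]
    # Host C: ordinary host resolving its gateway and one peer.
    + [("00:00:5e:00:53:0c", "192.0.2.60", "192.0.2.254"),
       ("00:00:5e:00:53:0c", "192.0.2.60", "192.0.2.61")]
)

if __name__ == "__main__":
    for pattern, mac, ip in detect_arp_scans(SAMPLE):
        print(f"{mac} {ip or '-'}: {pattern}")
```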
Note that ARP-guard addresses only ARP DoS attacks; it does not address ARP fraud or other
ARP attack problems in the network.
ARP-guard configuration commands include:
Enabling arp-guard
Configuring the isolated time
Configuring the monitored time
Configuring the monitored host limit
Host-based rate-limit and attack detection
Port-based rate-limit and attack detection
Clearing the monitored hosts
Clearing the ARP scanning list
Showing related arp-guard information
12.3.2 Enabling ARP-guard
You can enable arp-guard in the nfpp configuration mode or in the interface configuration
mode. By default, arp-guard is enabled.
Command                                     Function
DES-7200# configure terminal                Enter the global configuration mode.
DES-7200(config)# nfpp                      Enter the nfpp configuration mode.
DES-7200(config-nfpp)# arp-guard enable     Enable the arp-guard. By default, arp-guard is enabled.
DES-7200(config-nfpp)# end                  Return to the privileged EXEC mode.
DES-7200# configure terminal                Enter the global configuration mode.
DES-7200(config)# interface interface-name  Enter the interface configuration mode.