DES-7200 Configuration Guide Chapter 12 NFPP Configuration
Command: DES-7200(config-if)#nfpp arp-guard policy {per-src-ip | per-src-mac} rate-limit-pps attack-threshold-pps
Function: Configure the rate limit and attack threshold on the specified interface.
  rate-limit-pps: sets the rate-limit threshold. The valid range is 1-9999; by default it adopts the global rate-limit threshold value.
  attack-threshold-pps: sets the attack threshold. The valid range is 1-9999; by default it adopts the global attack threshold value.
  per-src-ip: detect hosts based on the source IP/VID/port.
  per-src-mac: detect hosts based on the source MAC/VID/port on the link layer.

Command: DES-7200(config-if)#nfpp arp-guard scan-threshold pkt-cnt
Function: Configure the arp-guard scan threshold on each interface. The valid range is 1-9999, counted over 10 s. By default it adopts the global arp-guard scan threshold value.

Command: DES-7200(config-if)# end
Function: Return to privileged EXEC mode.

Command: DES-7200# show nfpp arp-guard summary
Function: Show the arp-guard parameter settings.

Command: DES-7200# copy running-config startup-config
Function: Save the configuration.
12.3.7 Port-based rate-limit and attack detection
You can configure the arp-guard rate limit and attack threshold on a port. The rate limit value
must be less than the attack threshold value. When the ARP packet rate on a port exceeds the rate
limit, ARP packets above the limit are dropped. When the ARP packet rate on a port exceeds the
attack threshold, a message is printed on the CLI and a TRAP packet is sent.
The following message is printed when an ARP DoS attack is detected on a port:
%NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)
The TRAP packet that is sent carries the following additional information:
ARP DoS attack was detected on port Gi4/1.
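The two sides of this section, generating the per-port arp-guard commands from the table while enforcing the rule that the rate limit stays below the attack threshold, and picking the %NFPP_ARP_GUARD-4-PORT_ATTACKED message out of a syslog feed, as an added Python example that is not part of the configuration guide. The `interface <name>` command and the sample log lines are assumptions; the excerpt only shows commands already in config-if mode.

```python
import re
from datetime import datetime

# Matches the syslog line quoted in the guide, for example:
# %NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)
ARP_GUARD_RE = re.compile(
    r"%NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port "
    r"(?P<port>\S+)\.\s*\((?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\)"
)

def parse_arp_guard_alerts(lines):
    """Return (port, datetime) for each arp-guard alert; unrelated lines are skipped."""
    alerts = []
    for line in lines:
        m = ARP_GUARD_RE.search(line)
        if m:
            when = datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S")
            alerts.append((m.group("port"), when))
    return alerts

def build_arp_guard_config(interface, mode, rate_limit_pps, attack_threshold_pps,
                           scan_threshold=None):
    """Return the interface-mode command lines from the table after checking the
    documented constraints. The 'interface <name>' keyword is assumed here; the
    excerpt only shows commands already issued in config-if mode."""
    if mode not in ("per-src-ip", "per-src-mac"):
        raise ValueError("mode must be per-src-ip or per-src-mac")
    for name, value in (("rate-limit-pps", rate_limit_pps),
                        ("attack-threshold-pps", attack_threshold_pps),
                        ("scan-threshold", scan_threshold)):
        if value is not None and not 1 <= value <= 9999:
            raise ValueError(f"{name} must be within 1-9999, got {value}")
    if rate_limit_pps >= attack_threshold_pps:
        # The guide requires the rate limit to be less than the attack threshold.
        raise ValueError("rate-limit-pps must be less than attack-threshold-pps")
    lines = [f"interface {interface}",
             f"nfpp arp-guard policy {mode} {rate_limit_pps} {attack_threshold_pps}"]
    if scan_threshold is not None:
        lines.append(f"nfpp arp-guard scan-threshold {scan_threshold}")
    lines.append("end")
    return lines

# Constructed sample syslog lines, not captured from a real device.
SAMPLE_LOG = [
    "%NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Gi4/1. (2009-07-01 13:00:00)",
    "Jul  1 13:00:03 des7200 unrelated syslog line that must be ignored",
    "%NFPP_ARP_GUARD-4-PORT_ATTACKED: ARP DoS attack was detected on port Gi2/3. (2009-07-01 13:00:07)",
]
```

`parse_arp_guard_alerts(SAMPLE_LOG)` yields one (port, datetime) tuple each for Gi4/1 and Gi2/3, and `build_arp_guard_config` raises ValueError before emitting any command if the rate limit is not below the attack threshold or a value falls outside 1-9999.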