ARP Anti-Attack
ARP guard (arp-guard) is a real-time monitoring function for ARP packets sent to the CPU. It prevents a large number of ARP packets from overwhelming the CPU and improves the security of the device.
ARP guard includes host-based ARP guard, port-based ARP guard, and ARP scanning identification.
Host-based ARP guard counts the received ARP packets and compares the count with the configured threshold. If the threshold is exceeded, the host is identified as speeding or attacking. The statistics and identification are keyed on source IP address/VLAN ID/port and on link-layer source MAC address/VLAN ID/port.
Port-based ARP guard counts the ARP packets received on a port that are not attributed to a host attack. If the threshold configured for the port is exceeded, the port is identified as speeding or under attack. Port statistics do not include ARP packets that have already been identified as host attacks (for which host table entries have been generated and attack protection policies applied).
ARP scanning identification recognizes two kinds of ARP scanning: scanning with a fixed source MAC address and a variable source IP address, and scanning with a fixed source MAC address and source IP address and a variable destination IP address.
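The three checks described above, as an added Python simulation that is not the vendor's code: it runs over a constructed batch of ARP records, with the record layout, the threshold values and the batch-mode exclusion of flagged hosts from the port counts all being assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of ARP packets punted to the CPU (not a real capture).
# Each record is (port, vlan, src_mac, src_ip, dst_ip).
PACKETS = (
    # host A on port 1: six requests, each to a different target (burst + destination sweep)
    [(1, 10, "aa:aa:aa:aa:aa:01", "10.0.0.1", f"10.0.0.{i}") for i in range(2, 8)]
    # host B on port 2: same MAC, rotating source IP, no single IP over the threshold
    + [(2, 10, "bb:bb:bb:bb:bb:02", f"10.0.1.{i}", "10.0.1.254") for i in range(1, 5)]
    # hosts C and D: ordinary traffic
    + [(2, 10, "cc:cc:cc:cc:cc:03", "10.0.1.20", "10.0.1.254")] * 3
    + [(3, 20, "dd:dd:dd:dd:dd:04", "10.0.2.5", "10.0.2.254")] * 2
)

def host_guard(packets, threshold):
    """Host-based guard: count per source IP/VLAN/port and per source MAC/VLAN/port;
    a key whose count exceeds the threshold is identified as speeding/attack."""
    by_ip = Counter((port, vlan, sip) for port, vlan, _, sip, _ in packets)
    by_mac = Counter((port, vlan, smac) for port, vlan, smac, _, _ in packets)
    return ({k for k, n in by_ip.items() if n > threshold},
            {k for k, n in by_mac.items() if n > threshold})

def port_guard(packets, threshold, flagged_ips, flagged_macs):
    """Port-based guard: count per port, leaving out packets already attributed to a host attack."""
    per_port = Counter(port for port, vlan, smac, sip, _ in packets
                       if (port, vlan, sip) not in flagged_ips
                       and (port, vlan, smac) not in flagged_macs)
    return {port for port, n in per_port.items() if n > threshold}

def scan_detect(packets, min_distinct):
    """Scanning: a fixed source MAC using many source IPs, or a fixed source MAC+IP probing many destinations."""
    src_ips, dst_ips = defaultdict(set), defaultdict(set)
    for port, vlan, smac, sip, dip in packets:
        src_ips[(port, vlan, smac)].add(sip)
        dst_ips[(port, vlan, smac, sip)].add(dip)
    return ({k for k, s in src_ips.items() if len(s) >= min_distinct},
            {k for k, s in dst_ips.items() if len(s) >= min_distinct})

def run(packets=PACKETS, host_threshold=5, port_threshold=5, min_distinct=4):
    """Apply the three checks in order; the thresholds are assumed values, not vendor defaults."""
    ips, macs = host_guard(packets, host_threshold)
    ports = port_guard(packets, port_threshold, ips, macs)
    src_scan, dst_scan = scan_detect(packets, min_distinct)
    return {"host_ip": ips, "host_mac": macs, "port": ports,
            "src_scan": src_scan, "dst_scan": dst_scan}

if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {sorted(hits)}")
```

With the sample batch, host A is flagged by both host keys and therefore contributes nothing to port 1's count, while port 2 exceeds its threshold only because hosts B and C together stay below the per-host threshold; host B shows up as a source-IP sweep and host A as a destination sweep.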