Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure the Monitor Policy of ARP Guard

Configuration Condition

None

Configure the Monitor Policy of Global ARP Guard

Table 18-4 Configure the monitor policy of the global ARP guard function

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the AARF configuration mode

aarf

-

Configure the monitor policy of the global ARP guard

arp-guard policy { filter | monitor | punish macbased}

By default, the monitor policy of the global ARP guard is monitor.

Configure the Monitor Policy of Port ARP Guard

Table 18-5 Configure the monitor policy of the port ARP guard

Step

Command

Description

Enter global configuration mode

configure terminal

-

Enter the L2/L3 Ethernet interface configuration mode

interface interface-name

Either

After entering the L2/L3 Ethernet interface configuration mode, the subsequent configuration just takes effect on the current port. After entering the aggregation group configuration mode, the subsequent configuration just takes effect on the aggregation group.

Enter the aggregation group configuration mode

link-aggregation link-aggregation-id

Configure the monitor policy of the port ARP guard

aarf arp-guard policy { filter | monitor | punish macbased}

By default, the monitor policy of the port ARP guard is not configured, and the monitor policy of the global ARP guard takes effect.

The aarf arp-guard policy filter command is a protection policy of filtering the hosts applied to the host or port with ARP attack under the port. After configuring the filtering policy, generate the attack alarm after detecting the host with ARP over-speed or attack behavior under the port, and if the speed of the host sending ARP packets is between the speed threshold and attack threshold, the speed of the ARP packets to the CPU will be limited to the speed threshold. The ARP packets in the forwarding direction will be forwarded at the sending speed of the host; if the speed of the host sending ARP packets exceeds the attack threshold, the ARP packets to the CPU will be dropped. If detecting that the port has the overspend or attack behavior (i.e., the total rate of the port receiving the ARP packets from all non-attack hosts is greater than or equal to the port speed threshold or attack threshold), generate the attack alarm. If the total rate of the port receiving the ARP packets from the non-attack hosts is between the port speed threshold and the port attack threshold, the total rate of the port receiving the ARP packets from the non-attack hosts limits the speed of the ARP packets to the CPU by the port speed threshold, and the ARP packets to be forwarded are forwarded by the initial speed. If the total rate of the port receiving the ARP packets from non-attack hosts is greater than or equal to the port attack threshold, all ARP packets received by the port will be discarded in the forwarding direction and will not be sent to the CPU.

The aarf arp-guard policy monitor command is a protection policy of monitoring the host applied to the host or port with the ARP attack under the port. After configuring the monitoring policy, generate the attack alarm after detecting the host packet or port with ARP speeding or attack behavior is detected under the port, but the packet will be sent to the CPU at the rate of the speed limit threshold, and the ARP packet beyond the speed limit will be discarded by the CPU; the ARP packet to be forwarded will be forwarded at the initial rate.

The aarf arp-guard policy punish macbased command is a protection policy of punishing the speed limit applied to the MAC hosts with the ARP attacks under the port. After configuring the policy of punishing the speed limit, generate the attack alarm when detecting the MAC host packet with ARP speeding or attack behavior under the port. If the rate of the packets sent by the MAC host is between the speed-limit threshold and the attack threshold, the monitor policy will take effect. If the ARP packet rate is greater than or equal to the attack threshold, the MAC packets attacking the host will be sent to CPU and forwarded at half the rate of the MAC speed limit threshold. If the attack stops or the rate drops below the MAC speed limit threshold, remove the host protection policy when the aging period arrives. In addition, in this policy mode, both port and IP host use the monitor policy.