
Configure the Monitor Policy of ARP Guard

Configuration Condition

None

Configure the Monitor Policy of Global ARP Guard

Table 18-4 Configure the monitor policy of the global ARP guard function

Step 1: Enter global configuration mode
  Command: configure terminal

Step 2: Enter the AARF configuration mode
  Command: aarf

Step 3: Configure the monitor policy of the global ARP guard
  Command: arp-guard policy { filter | monitor | punish macbased }
  Description: By default, the monitor policy of the global ARP guard is monitor.

Configure the Monitor Policy of Port ARP Guard

Table 18-5 Configure the monitor policy of the port ARP guard

Step 1: Enter global configuration mode
  Command: configure terminal

Step 2 (either one):
  Enter the L2/L3 Ethernet interface configuration mode
    Command: interface interface-name
  Enter the aggregation group configuration mode
    Command: link-aggregation link-aggregation-id
  Description: After entering the L2/L3 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group.

Step 3: Configure the monitor policy of the port ARP guard
  Command: aarf arp-guard policy { filter | monitor | punish macbased }
  Description: By default, no port-level monitor policy is configured, and the global ARP guard monitor policy takes effect on the port.
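The following is an added configuration example that combines Table 18-4 and Table 18-5; it is not taken from the manual. It sets a global filter policy and then overrides it on one interface and one aggregation group. The interface name gigabitethernet0/1, the aggregation group id 1, and the exit and end commands used to leave each mode are assumptions; check the interface naming and mode-exit commands against the rest of this manual. Lines starting with "!" are annotations added here, not commands.

```text
! Global policy: ports without a port-level policy use filter
configure terminal
 aarf
  arp-guard policy filter
  exit

! Port override: keep the uplink on monitor (alarm only; ARP to the CPU is
! limited to the speed threshold, forwarded ARP is not touched), so a burst
! from behind the uplink cannot make the switch discard all ARP on that port
 interface gigabitethernet0/1
  aarf arp-guard policy monitor
  exit

! Port override: on an access aggregation group, punish only the attacking
! MAC host (rate-limited to half the MAC speed-limit threshold); the port as
! a whole and IP hosts fall back to monitor behaviour
 link-aggregation 1
  aarf arp-guard policy punish macbased
  exit
 end
```

Because an unconfigured port inherits the global policy, verify after configuration which ports carry an explicit aarf arp-guard policy and which rely on the global setting; with the factory default (monitor at the global level and nothing at the port level) the switch only alarms and never filters.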

The aarf arp-guard policy filter command applies a filtering policy to a host or port under the port that is detected as an ARP attacker. With the filter policy, an attack alarm is generated when a host under the port is detected sending ARP packets at an over-speed or attack rate. If the host's ARP rate is between the speed threshold and the attack threshold, the ARP packets from that host sent to the CPU are rate-limited to the speed threshold, while ARP packets in the forwarding direction are forwarded at the host's sending rate. If the host's ARP rate exceeds the attack threshold, its ARP packets to the CPU are dropped. If the port itself is detected as over-speed or attacking (that is, the total rate of ARP packets the port receives from all non-attack hosts is greater than or equal to the port speed threshold or the port attack threshold), an attack alarm is generated. If that total rate is between the port speed threshold and the port attack threshold, ARP packets sent to the CPU are rate-limited to the port speed threshold and forwarded ARP packets are forwarded at their original rate. If that total rate is greater than or equal to the port attack threshold, all ARP packets received by the port are discarded in the forwarding direction and none are sent to the CPU. Note that in this last case every host behind the port, including legitimate ones, loses ARP until the aggregate rate drops, so the filter policy on a shared port trades a CPU-protection guarantee for a potential denial of service on that port.

The aarf arp-guard policy monitor command applies a monitoring policy to a host or port under the port that is detected as an ARP attacker. With the monitor policy, an attack alarm is generated when a host or the port is detected as over-speed or attacking, but packets are still sent to the CPU at the speed-limit threshold rate; ARP packets beyond the speed limit are discarded by the CPU, and ARP packets in the forwarding direction are forwarded at their original rate. Monitor therefore never changes the forwarding behaviour of the port; it only caps what reaches the CPU and raises alarms.

The aarf arp-guard policy punish macbased command applies a punitive rate limit to MAC hosts under the port that are detected as ARP attackers. With this policy, an attack alarm is generated when a MAC host under the port is detected sending ARP packets at an over-speed or attack rate. If the MAC host's rate is between the speed-limit threshold and the attack threshold, the monitor policy takes effect for that host. If the MAC host's ARP rate is greater than or equal to the attack threshold, the ARP packets from the attacking MAC host are sent to the CPU and forwarded at half the MAC speed-limit threshold. When the attack stops or the rate drops below the MAC speed-limit threshold, the protection applied to the host is removed once the aging period expires. In this policy mode, the port as a whole and IP hosts use the monitor policy, so only MAC-identified attackers are ever rate-limited in the forwarding direction.