Network diagram
Figure 37-3 ARP attack detection and packet rate limit configuration
Configuration procedure
# Enable DHCP snooping on Switch A.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify Ethernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
[SwitchA] interface Ethernet 1/0/1
[SwitchA-Ethernet1/0/1] dhcp-snooping trust
[SwitchA-Ethernet1/0/1] arp detection trust
[SwitchA-Ethernet1/0/1] quit
# Enable ARP attack detection on all ports in VLAN 1.
[SwitchA] vlan 1
[SwitchA-vlan1] arp detection enable
[SwitchA-vlan1] quit
# Enable the ARP packet rate limit function on Ethernet 1/0/2, and set the maximum ARP packet rate allowed on the port to 20 pps.
[SwitchA] interface Ethernet 1/0/2
[SwitchA-Ethernet1/0/2] arp rate-limit enable
[SwitchA-Ethernet1/0/2] arp rate-limit 20
[SwitchA-Ethernet1/0/2] quit
# Enable the ARP packet rate limit function on Ethernet 1/0/3, and set the maximum ARP packet rate allowed on the port to 50 pps.
[SwitchA] interface Ethernet 1/0/3
[SwitchA-Ethernet1/0/3] arp rate-limit enable
[SwitchA-Ethernet1/0/3] arp rate-limit 50
[SwitchA-Ethernet1/0/3] quit
# Configure the port state auto recovery function, and set the recovery interval to 200 seconds.
[SwitchA] arp protective-down recover enable
[SwitchA] arp protective-down recover interval 200
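
The effect of the rate limit and auto recovery settings above, as an added Python model (not code from this manual or from the switch): a port that receives more ARP packets in one second than its limit is shut down, and comes back up after the recovery interval. The fixed one-second counting window, the millisecond timestamps, the function names and the sample traffic are assumptions of this example.

```python
# Values taken from the configuration on this page.
RATE_LIMIT_PPS = {"Ethernet1/0/2": 20, "Ethernet1/0/3": 50}
RECOVER_INTERVAL_S = 200


def simulate(arrivals_ms, limits=RATE_LIMIT_PPS, recover_s=RECOVER_INTERVAL_S):
    """Model ARP rate limiting with protective-down and auto recovery.

    arrivals_ms: iterable of (time_in_ms, port) for received ARP packets.
    Assumption: the rate is counted in fixed one-second windows.
    Returns {port: {"forwarded": n, "dropped": n, "down": [(down_ms, up_ms)]}}.
    """
    stats = {p: {"forwarded": 0, "dropped": 0, "down": []} for p in limits}
    window = {p: (None, 0) for p in limits}  # port -> (second, packet count)
    up_at = {}                               # port -> recovery time while down
    for t, port in sorted(arrivals_ms):
        if port not in limits:
            continue                         # no rate limit on this port
        s = stats[port]
        if port in up_at:
            if t < up_at[port]:
                s["dropped"] += 1            # port is still shut down
                continue
            del up_at[port]                  # recovery interval has elapsed
        sec, count = window[port]
        count = count + 1 if sec == t // 1000 else 1
        window[port] = (t // 1000, count)
        if count > limits[port]:
            # Limit exceeded: shut the port down until the interval expires.
            up_at[port] = t + recover_s * 1000
            s["down"].append((t, up_at[port]))
            s["dropped"] += 1
            window[port] = (None, 0)
        else:
            s["forwarded"] += 1
    return stats


def constructed_arrivals():
    """Constructed sample: a 30-packet burst in one second on both ports,
    then two later packets on Ethernet1/0/2."""
    burst = [(10_000 + 10 * i, p) for i in range(30) for p in RATE_LIMIT_PPS]
    return burst + [(100_000, "Ethernet1/0/2"), (211_000, "Ethernet1/0/2")]


if __name__ == "__main__":
    for port, result in simulate(constructed_arrivals()).items():
        print(port, result)
```

The same 30-packet burst passes on the 50 pps port but takes the 20 pps port out of service for the full 200 seconds, so the limit on each port should sit above its legitimate peak ARP rate.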