For S series switches, what ARP attack defense methods can be used on packets with the same source IP address


For S series switches:
If excessive protocol packets are sent to the CPU, the CPU may be overloaded. Therefore, the switch limits the rate of ARP packets sent to the CPU and has default attack defense policies configured. To view ARP attack defense methods, run the display arp anti-attack configuration all command.

Other related questions:

How to configure ARP attack defense on S series switches
For S series switches (except S1700 switches), you can configure ARP security to prevent ARP attacks. A switch may receive a large number of ARP packets when acting as a gateway. In this case, configure ARP security on the switch to protect the gateway. For example, configure the rate limit on ARP packets and ARP Miss messages to prevent ARP flood attacks. E series switches do not support the rate limit on ARP Miss messages. Common ARP attacks include the ARP flood attack, also called a Denial of Service (DoS) attack, and the ARP spoofing attack, in which an attacker sends bogus ARP packets to network devices; the devices then modify their ARP entries, causing communication failures. ARP security protects network devices against ARP attacks by learning ARP entries, limiting the ARP packet rate, and checking ARP packets. In addition to preventing ARP protocol attacks, ARP security also prevents ARP-based network scanning attacks.

After ARP attack defense is configured on S series switches, can the device defend against ARP attacks
For S series switches, each ARP attack defense function, once configured, defends only against the ARP attacks it is designed for. For example: The rate limit on ARP Miss messages can only mitigate the impact of ARP Miss attacks; it cannot block them, and it cannot prevent ARP packet attacks or ARP spoofing attacks. ARP gateway anti-collision can only defend against attacks from bogus gateways; it cannot block ARP flood attacks or ARP gateway spoofing attacks.
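
The two checks named above, per-source-IP rate limiting of ARP packets and ARP gateway anti-collision, modelled in Python as an added example. It is not Huawei's implementation or part of the original page; the 30 packets-per-second threshold, the function names and the 192.0.2.0/24 sample addresses are assumptions.

```python
import socket
import struct
from collections import defaultdict

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload (28 bytes)

def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip) from a raw ARP payload."""
    if len(payload) < struct.calcsize(ARP_FMT):
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return op, sha.hex(":"), socket.inet_ntoa(spa)

def inspect(events, gateway_ip, gateway_mac, max_per_sec):
    """events: (timestamp_seconds, raw_arp_payload) pairs.
    Returns (packets over the limit per source IP, gateway collisions)."""
    seen = defaultdict(int)     # (source IP, one-second window) -> packet count
    dropped = defaultdict(int)  # source IP -> packets beyond max_per_sec
    collisions = []             # (timestamp, MAC claiming the gateway IP)
    for ts, raw in events:
        try:
            _, mac, ip = parse_arp(raw)
        except ValueError:
            continue            # malformed packets are discarded outright
        if ip == gateway_ip and mac != gateway_mac:
            collisions.append((ts, mac))  # bogus gateway: checked before counting
            continue
        seen[ip, int(ts)] += 1
        if seen[ip, int(ts)] > max_per_sec:
            dropped[ip] += 1
    return dict(dropped), collisions

def build_arp(op, mac, ip, target_ip):
    """Helper that builds a constructed ARP payload for the sample below."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, bytes.fromhex(mac.replace(":", "")),
                       socket.inet_aton(ip), b"\x00" * 6, socket.inet_aton(target_ip))

# Constructed sample: one host sweeping the subnet, one normal host, one bogus gateway.
GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
SAMPLE = (
    [(10 + i / 100, build_arp(1, "02:00:00:00:00:aa", "192.0.2.50", f"192.0.2.{i + 1}"))
     for i in range(40)]
    + [(10.5, build_arp(1, "02:00:00:00:00:bb", "192.0.2.60", GW_IP)),
       (10.6, build_arp(2, "02:00:00:00:00:cc", GW_IP, "192.0.2.60"))]
)

if __name__ == "__main__":
    print(inspect(SAMPLE, GW_IP, GW_MAC, max_per_sec=30))
```

In the sample, the rate limit caps the sweeping host but does not stop it from sending, and the gateway check catches only the packet that claims the gateway's IP address, which matches the limits of each function described above.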

Can S series switches forward a packet if both the source and destination IP addresses of the packet are multicast addresses
The S5710-C-LI and S5700SI drop packets whose source and destination IP addresses are both multicast addresses. Other switches broadcast such packets in a VLAN.
