Configuring source MAC address based ARP attack detection

Introduction

With this feature enabled, the device checks the source MAC address of ARP packets delivered to the CPU. It detects an attack when one MAC address sends more ARP packets in five seconds than the configured threshold.

The detection mode you set determines how the device responds to a detected attack.

• Monitor mode: generates an alarm.
• Filter mode: generates an alarm and filters out ARP packets from the attacking MAC source.

Only ARP packets delivered to the CPU are detected.

You can also configure protected MAC addresses to exclude devices such as a gateway or server from detection, so that they do not trigger alarms and filtering. You can set an aging timer for the protected MAC addresses, to limit how long they are protected.

A protected MAC address is no longer excluded from detection after the specified aging time expires.

Configuration procedure

Enabling source MAC address based ARP attack detection

To enable source MAC address based ARP attack detection and set the detection mode:

To do…                           Use the command…                  Remarks
1. Enter system view             system-view                       —
2. Enable source MAC address     arp anti-attack source-mac        Required.
   based ARP attack detection    { filter | monitor }              Disabled by default.
   and specify the detection
   mode

Configuring the threshold

To configure the threshold:

To do…                           Use the command…                  Remarks
1. Enter system view             system-view                       —
2. Configure the threshold       arp anti-attack source-mac        Optional.
                                 threshold threshold-value         50 by default.
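
The detection behaviour described in the Introduction (per-source-MAC counting over five seconds, monitor versus filter mode, protected MAC addresses that age out) can be modelled as below. This is an added illustration, not the device's implementation or code from this guide; the fixed (non-sliding) five-second windows, the rule that a filtered MAC stays filtered, the class and function names, and the MAC addresses in the constructed trace are all assumptions.

```python
from collections import defaultdict

WINDOW = 5.0  # seconds; the counting interval stated on the page

class SourceMacDetector:
    """Illustrative model only. Assumptions: fixed 5 s windows, a filtered MAC
    stays filtered, 'protected' maps MAC -> time its protection ages out."""

    def __init__(self, mode, threshold=50, protected=None):
        if mode not in ("monitor", "filter"):
            raise ValueError("mode must be 'monitor' or 'filter'")
        self.mode, self.threshold = mode, threshold
        self.protected = dict(protected or {})
        self.counts = defaultdict(int)
        self.window_start = None
        self.filtered = set()
        self.alarms = []          # one (timestamp, mac) entry per detection

    def packet(self, ts, mac):
        """Handle one ARP packet delivered to the CPU; True if it is accepted."""
        if self.window_start is None or ts - self.window_start >= WINDOW:
            self.window_start, self.counts = ts, defaultdict(int)
        if ts < self.protected.get(mac, float("-inf")):
            return True           # protected and not yet aged out: not counted
        if mac in self.filtered:
            return False
        self.counts[mac] += 1
        if self.counts[mac] == self.threshold + 1:   # first packet over threshold
            self.alarms.append((ts, mac))            # both modes raise an alarm
            if self.mode == "filter":
                self.filtered.add(mac)
                return False
        return True

def replay(detector, events):
    """Feed (timestamp, mac) events in order; return accepted packets per MAC."""
    accepted = defaultdict(int)
    for ts, mac in events:
        accepted[mac] += detector.packet(ts, mac)
    return dict(accepted)

# Constructed trace: one flooding host, one busy gateway, one quiet host.
FLOOD, GATEWAY, QUIET = "00aa-bbcc-0001", "00aa-bbcc-00fe", "00aa-bbcc-0002"

def sample_events():
    events = [(i * 0.05, FLOOD) for i in range(60)]
    events += [(i * 0.05, GATEWAY) for i in range(80)]
    events += [(1.0, QUIET), (7.0, QUIET), (7.5, GATEWAY)]
    return sorted(events)

if __name__ == "__main__":
    det = SourceMacDetector("filter", protected={GATEWAY: 6.0})
    print(replay(det, sample_events()), det.alarms)
```

Replaying the same trace without the protected entry shows why a gateway or server is worth excluding: in filter mode its legitimate ARP traffic is cut off as soon as it crosses the threshold.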