No relevant resource is found in the selected language.
MENU
Support Documentation
CloudEngine 16800, 12800, 9800, 8800, 7800, 6800, and 5800 Series Switches Typical Configuration Examples (V100 and V200)
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring ARP Security (ARP Anti-Spoofing)

Configuring ARP Security (ARP Anti-Spoofing)

Applicable Products and Versions

  • This example applies to all models and all versions.
  • For details about the mapping between software versions and switch models, see the Hardware Query Tool.

Networking Requirements

As shown in Figure 2-58, the switch connects to a server through 10GE1/0/3 and connects to users in VLAN 10 and VLAN 20 through 10GE1/0/1 and 10GE1/0/2. Attackers send bogus ARP packets or bogus gratuitous ARP packets to the switch to modify the ARP entries on the switch. As a result, authorized users cannot send and receive data packets.

The administrator wants to prevent the preceding ARP spoofing attacks and provide users with stable services on a secure network.

Figure 2-58 Diagram for configuring ARP security

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure strict ARP learning and fixed ARP to prevent ARP entries from being modified by bogus ARP packets.
  2. Configure gratuitous ARP packets discarding to prevent ARP entries from being modified by bogus gratuitous ARP packets.

Procedure

  1. Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.

    # Create VLAN 10, VLAN 20, and VLAN 30, add 10GE1/0/1 to VLAN 10, 10GE1/0/2 to VLAN 20, and 10GE1/0/3 to VLAN 30.

    <HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 10 20 30
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 10
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 20
[*Switch-10GE1/0/2] quit
[*Switch] interface 10ge 1/0/3
[*Switch-10GE1/0/3] port link-type trunk
[*Switch-10GE1/0/3] port trunk allow-pass vlan 30
[*Switch-10GE1/0/3] quit
[*Switch] commit

    # Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.

    [~Switch] interface vlanif 10
[~Switch-Vlanif10] ip address 8.8.8.1 24
[*Switch-Vlanif10] quit
[*Switch] interface vlanif 20
[*Switch-Vlanif20] ip address 9.9.9.1 24
[*Switch-Vlanif20] quit
[*Switch] interface vlanif 30
[*Switch-Vlanif30] ip address 10.10.10.3 24
[*Switch-Vlanif30] quit
[*Switch] commit

  2. Configure strict ARP learning.

    [~Switch] arp learning strict

  3. Configure fixed ARP.

    # Enable the fixed-mac mode.

    [*Switch] arp anti-attack entry-check fixed-mac enable

  4. Configure gratuitous ARP packet discarding.

    [*Switch] arp anti-attack gratuitous-arp drop
[*Switch] commit

Verifying the Configuration

  1. Run the display arp learning strict command to check the global configuration of strict ARP entry learning.

    [~Switch] display arp learning strict
 The global arp learning strict state:enable
 Interface                           LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
 Total:0      Force-enable:0      Force-disable:0

  2. Run the display arp anti-attack entry-check command to check the configuration of fixed ARP.

    [~Switch] display arp anti-attack entry-check
Vlanif      Mode                                                                
------------------------------------------------------------------------------- 
  All        fix-mac                                                            
-------------------------------------------------------------------------------

  3. Run the display arp packet statistics command to check statistics on ARP packets.

    [~Switch] display arp packet statistics
ARP Packets Received                                                            
  Total:                             9253                                       
  Learnt Count:                         2                                       
  Discard For Entry Limit:              0                                       
  Discard For Speed Limit:              0                                       
  Discard For Proxy Suppress:           0                                       
  Discard For Other:                    0                                       
ARP Packets Sent                                                                
  Total:                             3359                                       
  Request:                            453                                       
  Reply:                             2906                                       
  Gratuitous ARP:                     303                                       
ARP-Miss Message Received                                                       
  Total:                               16                                       
  Discard For Speed Limit:              0                                       
  Discard For Other:                    0

    In the preceding command output, the number of ARP packets discarded by the switch is displayed, indicating that the ARP security (ARP anti-spoofing) function has taken effect.

Configuration File

#                                                                               
sysname Switch
#                                                                               
vlan batch 10 20 30
#                                                                               
arp learning strict 
arp anti-attack entry-check fixed-mac enable                                    
arp anti-attack gratuitous-arp drop                
# 
interface Vlanif10                                                              
 ip address 8.8.8.1 255.255.255.0                                               
#   
interface Vlanif20                                                              
 ip address 9.9.9.1 255.255.255.0                                               
#   
interface Vlanif30                                                              
 ip address 10.10.10.3 255.255.255.0                                               
#   
interface 10GE1/0/1                                                             
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                                  
# 
interface 10GE1/0/2                                                             
 port link-type trunk                                                           
 port trunk allow-pass vlan 20                                            
#                                                                               
interface 10GE1/0/3                                                             
 port link-type trunk                                                           
 port trunk allow-pass vlan 30                                             
#   
return
Translation
Español Français 日本語 Русский 简体中文
Download
Updated: 2020-12-24

Document ID: EDOC1000039339

Views: 308372

Downloads: 9323

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Enterprise APP

Copyright © 2021 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :