Configuring ARP Security (ARP Anti-Spoofing)
Applicable Products and Versions
- This example applies to all models and all versions.
- For details about the mapping between software versions and switch models, see the Hardware Query Tool.
Networking Requirements
As shown in Figure 2-58, the switch connects to a server through 10GE1/0/3 and to users in VLAN 10 and VLAN 20 through 10GE1/0/1 and 10GE1/0/2. Attackers send bogus ARP packets or bogus gratuitous ARP packets to the switch in order to modify the ARP entries on the switch. As a result, authorized users cannot send or receive data packets.
The administrator wants to prevent the preceding ARP spoofing attacks and provide users with stable services on a secure network.
Configuration Roadmap
- Configure strict ARP learning and fixed ARP to prevent ARP entries from being modified by bogus ARP packets.
- Configure gratuitous ARP packet discarding to prevent ARP entries from being modified by bogus gratuitous ARP packets.
Procedure
- Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.
# Create VLAN 10, VLAN 20, and VLAN 30, add 10GE1/0/1 to VLAN 10, 10GE1/0/2 to VLAN 20, and 10GE1/0/3 to VLAN 30.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 10 20 30
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 10
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 20
[*Switch-10GE1/0/2] quit
[*Switch] interface 10ge 1/0/3
[*Switch-10GE1/0/3] port link-type trunk
[*Switch-10GE1/0/3] port trunk allow-pass vlan 30
[*Switch-10GE1/0/3] quit
[*Switch] commit
# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
[~Switch] interface vlanif 10
[~Switch-Vlanif10] ip address 8.8.8.1 24
[*Switch-Vlanif10] quit
[*Switch] interface vlanif 20
[*Switch-Vlanif20] ip address 9.9.9.1 24
[*Switch-Vlanif20] quit
[*Switch] interface vlanif 30
[*Switch-Vlanif30] ip address 10.10.10.3 24
[*Switch-Vlanif30] quit
[*Switch] commit
- Configure strict ARP learning.
[~Switch] arp learning strict
- Configure fixed ARP.
# Enable the fixed-mac mode.
[*Switch] arp anti-attack entry-check fixed-mac enable
- Configure gratuitous ARP packet discarding.
[*Switch] arp anti-attack gratuitous-arp drop
[*Switch] commit
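To show how the three checks configured above interact on a stream of ARP packets, here is an added Python model that is not Huawei code and does not reproduce the switch's real implementation; it applies strict learning, the fixed-mac entry check and gratuitous-ARP drop to a toy ARP table and replays a constructed packet sequence whose IP addresses follow the VLAN 10 and VLAN 20 subnets of this example (all MAC addresses and the 8.8.8.10 / 9.9.9.20 hosts are constructed).

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ArpPacket:
    """Constructed ARP packet: only the fields the three checks look at."""
    op: str          # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str   # equals sender_ip in a gratuitous ARP announcement

@dataclass
class ArpSecurityModel:
    """Toy model (not Huawei code) of strict learning, fixed-mac and gratuitous-ARP drop."""
    learning_strict: bool = True
    fixed_mac: bool = True
    gratuitous_drop: bool = True
    pending: set = field(default_factory=set)   # IPs the switch itself sent requests for
    table: dict = field(default_factory=dict)   # ARP table: ip -> mac

    def send_request(self, ip: str) -> None:
        self.pending.add(ip)                    # the switch resolves ip on its own behalf

    def receive(self, pkt: ArpPacket) -> str:
        if self.gratuitous_drop and pkt.sender_ip == pkt.target_ip:
            return "drop_gratuitous"            # bogus gratuitous ARP never reaches the table
        known = self.table.get(pkt.sender_ip)
        if known is not None:
            if known != pkt.sender_mac and self.fixed_mac:
                return "drop_fixed_mac"         # fixed-mac: an entry's MAC cannot be changed
            self.table[pkt.sender_ip] = pkt.sender_mac
            return "refresh" if known == pkt.sender_mac else "overwrite"
        # Strict learning: new entries only from replies to the switch's own requests
        if self.learning_strict and not (pkt.op == "reply" and pkt.sender_ip in self.pending):
            return "not_learnt_strict"
        self.table[pkt.sender_ip] = pkt.sender_mac
        self.pending.discard(pkt.sender_ip)
        return "learnt"

def run_scenario(protected: bool = True) -> tuple:
    """Replay one constructed sequence; returns (final ARP table, per-packet verdicts)."""
    sw = ArpSecurityModel(protected, protected, protected)
    sw.send_request("8.8.8.10")                 # switch asks for the VLAN 10 user itself
    packets = [
        ArpPacket("reply", "8.8.8.10", "00:11:22:33:44:55", "8.8.8.1"),     # genuine reply
        ArpPacket("reply", "8.8.8.10", "de:ad:be:ef:00:01", "8.8.8.1"),     # bogus reply, new MAC
        ArpPacket("request", "8.8.8.10", "de:ad:be:ef:00:03", "8.8.8.10"),  # bogus gratuitous ARP
        ArpPacket("reply", "9.9.9.20", "de:ad:be:ef:00:02", "9.9.9.1"),     # unsolicited reply
    ]
    return sw.table, [sw.receive(p) for p in packets]
```

Running `run_scenario(False)` shows the unprotected behaviour the Networking Requirements describe: the genuine entry is overwritten twice and the unsolicited reply is learnt.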
Verifying the Configuration
Run the display arp learning strict command to check the global configuration of strict ARP entry learning.
[~Switch] display arp learning strict
The global arp learning strict state:enable
Interface                              LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
Total:0         Force-enable:0         Force-disable:0
Run the display arp anti-attack entry-check command to check the configuration of fixed ARP.
[~Switch] display arp anti-attack entry-check
Vlanif                  Mode
-------------------------------------------------------------------------------
All                     fix-mac
-------------------------------------------------------------------------------
Run the display arp packet statistics command to check statistics on ARP packets.
[~Switch] display arp packet statistics
ARP Packets Received
  Total: 9253
  Learnt Count: 2
  Discard For Entry Limit: 0
  Discard For Speed Limit: 0
  Discard For Proxy Suppress: 0
  Discard For Other: 0
ARP Packets Sent
  Total: 3359
  Request: 453
  Reply: 2906
  Gratuitous ARP: 303
ARP-Miss Message Received
  Total: 16
  Discard For Speed Limit: 0
  Discard For Other: 0
The preceding command output shows the numbers of ARP packets discarded by the switch, indicating that the ARP security (ARP anti-spoofing) function has taken effect.
Configuration File
#
sysname Switch
#
vlan batch 10 20 30
#
arp learning strict
arp anti-attack entry-check fixed-mac enable
arp anti-attack gratuitous-arp drop
#
interface Vlanif10
 ip address 8.8.8.1 255.255.255.0
#
interface Vlanif20
 ip address 9.9.9.1 255.255.255.0
#
interface Vlanif30
 ip address 10.10.10.3 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
return