Configuring ARP Security (ARP Anti-Flood)
Applicable Products and Versions
- This example applies to all models and all versions.
- For details about the mapping between software versions and switch models, see the Hardware Query Tool.
Networking Requirements
- Attackers send a large number of IP packets with unreachable destination IP addresses to the switch, leading to CPU overload.
- A user with MAC address 1-1-1 sends a large number of ARP packets with a fixed MAC address and variable IP addresses to the switch. As a result, ARP entries on the switch are exhausted and the CPU resources are insufficient to process other services.
- A user with IP address 9.9.9.2 sends a large number of ARP packets with a fixed source IP address to the switch. As a result, the CPU is overloaded and cannot process services.
Configuration Roadmap
- Configure rate limiting on ARP Miss packets based on source IP addresses. If the device spends too many resources processing ARP Miss packets, other services are affected.
  - When user-side attackers send a large number of IP packets with unreachable destination IP addresses to the switch, each packet triggers an ARP Miss message and the switch undergoes an ARP flood attack.
  - With the rate limit in place, the switch can still process the ARP Miss packets triggered by servers, so communication with them is not interrupted.
- Configure ARP entry limiting based on interfaces to prevent the attacks initiated by users connected to a certain interface.
- Configure ARP rate limiting based on source MAC addresses and source IP addresses to prevent attackers from flooding the switch with ARP packets that carry a fixed source MAC address or source IP address.
Procedure
- Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.
# Create VLAN 10, VLAN 20, and VLAN 30, add 10GE1/0/1 to VLAN 10, 10GE1/0/2 to VLAN 20, and 10GE1/0/3 to VLAN 30.
<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 10 20 30
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 10
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 20
[*Switch-10GE1/0/2] quit
[*Switch] interface 10ge 1/0/3
[*Switch-10GE1/0/3] port link-type trunk
[*Switch-10GE1/0/3] port trunk allow-pass vlan 30
[*Switch-10GE1/0/3] quit
[*Switch] commit
# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
[~Switch] interface vlanif 10
[~Switch-Vlanif10] ip address 8.8.8.1 24
[*Switch-Vlanif10] quit
[*Switch] interface vlanif 20
[*Switch-Vlanif20] ip address 9.9.9.1 24
[*Switch-Vlanif20] quit
[*Switch] interface vlanif 30
[*Switch-Vlanif30] ip address 10.10.10.3 24
[*Switch-Vlanif30] quit
[*Switch] commit
- Configure rate limiting on ARP Miss packets based on source IP addresses.
# Set the maximum rate of ARP Miss packets triggered by the server with the IP address 10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss packets triggered by other hosts to 20 pps.
[~Switch] arp miss anti-attack rate-limit source-ip maximum 20
[*Switch] arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
[*Switch] commit
- Configure interface-based ARP entry limit.
# Allow 10GE1/0/1 to dynamically learn a maximum of 20 ARP entries in VLAN 10.
[~Switch] interface 10ge 1/0/1
[~Switch-10GE1/0/1] arp limit vlan 10 20
[*Switch-10GE1/0/1] quit
[*Switch] commit
- Configure ARP rate limiting based on source MAC address or source IP address.
# Set the maximum rate of ARP packets from the user with MAC address 1-1-1 to 10 pps.
[~Switch] arp anti-attack rate-limit source-mac 1-1-1 maximum 10
# Set the maximum rate of ARP packets from the user with IP address 9.9.9.2 to 10 pps.
[*Switch] arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10
[*Switch] commit
Verifying the Configuration
Run the display arp anti-attack rate-limit command to check the configuration of ARP rate limiting.
[~Switch] display arp anti-attack rate-limit
Global ARP packet rate limit (pps) : 0
Suppress Rate of each destination IP (pps): 500
Total number of rate-limit configuration for source IP Address : 1
Source IP                     Suppress Rate(pps)
-------------------------------------------------------------------------------
9.9.9.2                       10
Other                         50
-------------------------------------------------------------------------------
Total number of rate-limit configuration for MAC Address : 1
Source MAC                    Suppress Rate(pps)
-------------------------------------------------------------------------------
0001-0001-0001                10
Other                         0
-------------------------------------------------------------------------------
Run the display arp limit command to check the maximum number of ARP entries that an interface can dynamically learn. Take 10GE1/0/1 as an example.
[~Switch] display arp limit interface 10ge 1/0/1
Interface            VLAN     Limit      Learnt     Threshold
-----------------------------------------------------------------------------------------
10GE4/0/1            10       20         0          -
-----------------------------------------------------------------------------------------
Total:1
Run the display arp miss anti-attack rate-limit command to check the configuration of ARP Miss rate limiting.
[~Switch] display arp miss anti-attack rate-limit
Global ARP miss rate limit (pps) : 3000
Total number of rate-limit configuration for source IP Address : 1
Source IP                     Suppress Rate(pps)
-------------------------------------------------------------------------------
10.10.10.2/32                 40
Other                         20
-------------------------------------------------------------------------------
Run the display arp packet statistics command to check statistics on ARP packets.
The command output differs in V100R001 and V100R002. The following shows the command output in V100R002.
[~Switch] display arp packet statistics
ARP Packets Received
  Total: 28509
  Learnt Count: 3
  Discard For Entry Limit: 0
  Discard For Speed Limit: 0
  Discard For Proxy Suppress: 0
  Discard For Other: 20861
  MAC Invalid Count: 4809
ARP Packets Sent
  Total: 1953
  Request: 1108
  Reply: 845
  Gratuitous ARP: 307
ARP-Miss Message Received
  Total: 1
  Discard For Speed Limit: 0
  Discard For Other: 0
The preceding output shows the numbers of ARP packets and ARP Miss packets discarded by the switch, indicating that the ARP security (ARP anti-flood) function has taken effect.
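The discard counters in the output above are cumulative, so the useful check in operations is whether they are still growing between two polls. The following parser and delta check are an added example written for this page, not Huawei's code; the sample text is the V100R002 output quoted above, reflowed one counter per line, and the "section/counter" keys are this example's own naming.

```python
import re

# Constructed sample: the V100R002 "display arp packet statistics" output
# quoted on this page, reflowed one counter per line.
SAMPLE_OUTPUT = """\
ARP Packets Received
  Total: 28509
  Learnt Count: 3
  Discard For Entry Limit: 0
  Discard For Speed Limit: 0
  Discard For Proxy Suppress: 0
  Discard For Other: 20861
  MAC Invalid Count: 4809
ARP Packets Sent
  Total: 1953
  Request: 1108
  Reply: 845
  Gratuitous ARP: 307
ARP-Miss Message Received
  Total: 1
  Discard For Speed Limit: 0
  Discard For Other: 0
"""

# A counter line is "<name>: <integer>"; section headers carry no colon.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?)\s*:\s*(\d+)\s*$")

def parse_arp_packet_statistics(text):
    """Return {section: {counter: value}} from the command output."""
    stats, section = {}, None
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m and section is not None:
            stats[section][m.group(1)] = int(m.group(2))
        elif line.strip():
            section = line.strip()
            stats.setdefault(section, {})
    return stats

def discard_delta(previous, current):
    """Growth of each 'Discard ...' counter between two polls; counters are
    cumulative, so pass {} as previous to get the absolute values."""
    growth = {}
    for section, counters in current.items():
        for name, value in counters.items():
            if name.startswith("Discard"):
                delta = value - previous.get(section, {}).get(name, 0)
                if delta > 0:
                    growth[f"{section}/{name}"] = delta
    return growth
```

A rising "Discard For Speed Limit" or "Discard For Entry Limit" between polls means the rate limit or the interface entry limit configured above is actively being hit and is worth alerting on.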
Configuration File
#
sysname Switch
#
vlan batch 10 20 30
#
arp miss anti-attack rate-limit source-ip maximum 20
arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10
arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10
#
interface Vlanif10
 ip address 8.8.8.1 255.255.255.0
#
interface Vlanif20
 ip address 9.9.9.1 255.255.255.0
#
interface Vlanif30
 ip address 10.10.10.3 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 arp limit vlan 10 20
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
return