Configuring ARP Security (ARP Anti-Flood)
Applicable Products and Versions
This example applies to the CE12800/CE6800/CE5800 V100R001C00 or later.
This example applies to the CE7800 V100R003C00 or later.
This example applies to the CE8800 V100R006C00 or later.
This example applies to the CE12800E V200R002C50 or later.
Networking Requirements
- Attackers send a large number of IP packets with unreachable destination IP addresses to the switch, leading to CPU overload.
- A user with MAC address 1-1-1 sends a large number of ARP packets with a fixed MAC address and variable IP addresses to the switch. As a result, ARP entries on the switch are exhausted and the CPU resources are insufficient to process other services.
- A user with IP address 9.9.9.2 sends a large number of ARP packets with a fixed source IP address to the switch. As a result, the CPU is overloaded and cannot process services.
Configuration Roadmap
- Configure rate limiting on ARP Miss packets based on source IP
addresses. If the device consumes many resources on ARP Miss packets,
other services are affected.
- When user-side attackers send a large number of IP packets with unreachable destination IP addresses to the switch, the switch undergoes ARP flood attacks.
- The switch can still process the ARP Miss packets sent by servers; therefore, communication will not be interrupted.
- Configure ARP entry limiting based on interfaces to prevent the attacks initiated by users connected to a certain interface.
Configure ARP rate limiting based on source MAC addresses and source IP addresses to prevent a large number of ARP packets with fixed source MAC address or IP address sent by attackers.
Procedure
- Create VLANs, add interfaces to the VLANs, and configure
VLANIF interfaces.
# Create VLAN 10, VLAN 20, and VLAN 30, add 10GE1/0/1 to VLAN 10, 10GE1/0/2 to VLAN 20, and 10GE1/0/3 to VLAN 30.
<HUAWEI> system-view [~HUAWEI] sysname Switch [*HUAWEI] commit [~Switch] vlan batch 10 20 30 [~Switch] interface 10ge 1/0/1 [~Switch-10GE1/0/1] port link-type trunk [*Switch-10GE1/0/1] port trunk allow-pass vlan 10 [*Switch-10GE1/0/1] quit [*Switch] interface 10ge 1/0/2 [*Switch-10GE1/0/2] port link-type trunk [*Switch-10GE1/0/2] port trunk allow-pass vlan 20 [*Switch-10GE1/0/2] quit [*Switch] interface 10ge 1/0/3 [*Switch-10GE1/0/3] port link-type trunk [*Switch-10GE1/0/3] port trunk allow-pass vlan 30 [*Switch-10GE1/0/3] quit [*Switch] commit
# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
[~Switch] interface vlanif 10 [~Switch-Vlanif10] ip address 8.8.8.1 24 [*Switch-Vlanif10] quit [*Switch] interface vlanif 20 [*Switch-Vlanif20] ip address 9.9.9.1 24 [*Switch-Vlanif20] quit [*Switch] interface vlanif 30 [*Switch-Vlanif30] ip address 10.10.10.3 24 [*Switch-Vlanif30] quit [*Switch] commit
- Configure rate limit on ARP Miss packets based on the source
IP address.
# Set the maximum rate of ARP Miss packets triggered by the server with the IP address 10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss packets triggered by other hosts to 20 pps.
[~Switch] arp miss anti-attack rate-limit source-ip maximum 20 [*Switch] arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40 [*Switch] commit
- Configure interface-based ARP entry limit.
# Configure that 10GE1/0/1 can dynamically learn a maximum of 20 ARP entries.
[~Switch] interface 10ge 1/0/1 [~Switch-10GE1/0/1] arp limit vlan 10 20 [*Switch-10GE1/0/1] quit [*Switch] commit
- Configure ARP rate limiting based on source MAC address
or source IP address.
# Set the maximum rate of ARP packets from user (MAC address 1-1-1) to 10 pps.
[~Switch] arp anti-attack rate-limit source-mac 1-1-1 maximum 10# Set the maximum rate of ARP packets from user (IP address 9.9.9.2) to 10 pps.
[*Switch] arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10 [*Switch] commit
Verifying the Configuration
Run the display arp anti-attack rate-limit command to check the configuration of ARP rate limiting.
[~Switch] display arp anti-attack rate-limit Global ARP packet rate limit (pps) : -- Suppress Rate of each destination IP (pps): -- VLAN ID Suppress Rate(pps) ------------------------------------------------------------------------------- All -- ------------------------------------------------------------------------------- Total: 0, spec of rate-limit configuration for VLAN is 1024. Source IP Suppress Rate(pps) ------------------------------------------------------------------------------- 9.9.9.2 10 Other -- ------------------------------------------------------------------------------- Total: 1, spec of rate-limit configuration for Source IP is 1024. Source MAC Suppress Rate(pps) ------------------------------------------------------------------------------- 0001-0001-0001 10 Other -- ------------------------------------------------------------------------------- Total: 1, spec of rate-limit configuration for Source MAC is 1024.Run the display arp limit command to check the maximum number of ARP entries that an interface can dynamically learn. Take 10GE1/0/1 as an example.
[~Switch] display arp limit interface 10ge 1/0/1 Interface VLAN Limit Learnt --------------------------------------------------------------------------- 10GE1/0/1 10 20 0 --------------------------------------------------------------------------- Total:1
Run the display arp miss anti-attack rate-limit command to check the configuration of ARP Miss rate limiting.
The command outputs of V100R001 and V100R002 are different. In this section, V100R002 is used as an example.
[~Switch] display arp miss anti-attack rate-limit Global ARP miss rate limit (pps) : -- VLAN ID Suppress Rate(pps) ------------------------------------------------------------------------------- All -- ------------------------------------------------------------------------------- Total: 0, spec of rate-limit configuration for VLAN is 1024. Source IP Suppress Rate(pps) ------------------------------------------------------------------------------- 10.10.10.2/32 40 Other 20 ------------------------------------------------------------------------------- Total: 1, spec of rate-limit configuration for Source IP is 1024.Run the display arp packet statistics command to check statistics on ARP packets.
The command outputs of V100R001 and V100R002 are different. In this section, V100R002 is used as an example.
[~Switch] display arp packet statistics ARP Packets Received Total: 200 Learnt Count: 1 Discard For Entry Limit: 0 Discard For Speed Limit: 0 Discard For Proxy Suppress: 0 Discard For Other: 0 ARP Packets Sent Total: 476 Request: 312 Reply: 164 Gratuitous ARP: 311 ARP-Miss Message Received Total: 12 Discard For Speed Limit: 0 Discard For Other: 0In the preceding command output, the number of ARP packets and ARP Miss packets discarded by the switch is displayed, indicating that the ARP security (ARP anti-flood) function has taken effect.
Configuration File
# sysname Switch # vlan batch 10 20 30 # arp miss anti-attack rate-limit source-ip maximum 20 arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10 arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40 arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10 # interface Vlanif10 ip address 8.8.8.1 255.255.255.0 # interface Vlanif20 ip address 9.9.9.1 255.255.255.0 # interface Vlanif30 ip address 10.10.10.3 255.255.255.0 # interface 10GE1/0/1 port link-type trunk port trunk allow-pass vlan 10 arp limit vlan 10 20 # interface 10GE1/0/2 port link-type trunk port trunk allow-pass vlan 20 # interface 10GE1/0/3 port link-type trunk port trunk allow-pass vlan 30 # return
Previous
