
Typical Configuration Examples

CloudEngine 16800, 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring ARP Security (ARP Anti-Flood)

Applicable Products and Versions

This example applies to all models and all versions.

Networking Requirements

As shown in Figure 2-65, the switch connects to a server through 10GE1/0/3 and connects to users in VLAN 10 and VLAN 20 through 10GE1/0/1 and 10GE1/0/2. The following ARP flood attacks exist on the network:
  • Attackers send a large number of IP packets whose destination IP addresses cannot be resolved. Each such packet triggers an ARP Miss message to the CPU, so the CPU is overloaded.
  • A user with MAC address 1-1-1 sends a large number of ARP packets with a fixed source MAC address and varying source IP addresses. The switch learns an entry for each address, so its ARP table is exhausted and CPU resources are insufficient to process other services.
  • A user with IP address 9.9.9.2 sends a large number of ARP packets with a fixed source IP address. The CPU is overloaded and cannot process other services.
The administrator wants to prevent the preceding ARP flood attacks and provide users with stable services on a secure network.
Figure 2-65 Diagram for configuring ARP security

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure source-IP-based rate limiting of ARP Miss packets. If the switch spends too many resources processing ARP Miss packets, other services are affected.
    • User-side attackers who send a large number of IP packets with unresolvable destination IP addresses flood the switch with ARP Miss packets; the per-source-IP limit caps the rate that any single host can trigger.
    • The server is given a higher limit than other hosts, so the ARP Miss packets it triggers are still processed and its communication is not interrupted.
  2. Configure interface-based ARP entry limiting so that users connected to a specific interface cannot exhaust the ARP table.
  3. Configure ARP rate limiting based on source MAC address and source IP address to discard the excess when an attacker sends a large number of ARP packets with a fixed source MAC address or source IP address.

Procedure

  1. Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.

    # Create VLAN 10, VLAN 20, and VLAN 30, add 10GE1/0/1 to VLAN 10, 10GE1/0/2 to VLAN 20, and 10GE1/0/3 to VLAN 30.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] vlan batch 10 20 30
    [~Switch] interface 10ge 1/0/1
    [~Switch-10GE1/0/1] port link-type trunk
    [*Switch-10GE1/0/1] port trunk allow-pass vlan 10
    [*Switch-10GE1/0/1] quit
    [*Switch] interface 10ge 1/0/2
    [*Switch-10GE1/0/2] port link-type trunk
    [*Switch-10GE1/0/2] port trunk allow-pass vlan 20
    [*Switch-10GE1/0/2] quit
    [*Switch] interface 10ge 1/0/3
    [*Switch-10GE1/0/3] port link-type trunk
    [*Switch-10GE1/0/3] port trunk allow-pass vlan 30
    [*Switch-10GE1/0/3] quit
    [*Switch] commit

    # Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.

    [~Switch] interface vlanif 10
    [~Switch-Vlanif10] ip address 8.8.8.1 24
    [*Switch-Vlanif10] quit
    [*Switch] interface vlanif 20
    [*Switch-Vlanif20] ip address 9.9.9.1 24
    [*Switch-Vlanif20] quit
    [*Switch] interface vlanif 30
    [*Switch-Vlanif30] ip address 10.10.10.3 24
    [*Switch-Vlanif30] quit
    [*Switch] commit

  2. Configure rate limit on ARP Miss packets based on the source IP address.

    # Set the maximum rate of ARP Miss packets triggered by the server with the IP address 10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss packets triggered by other hosts to 20 pps.

    [~Switch] arp miss anti-attack rate-limit source-ip maximum 20
    [*Switch] arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
    [*Switch] commit

  3. Configure interface-based ARP entry limit.

    # Configure 10GE1/0/1 to dynamically learn a maximum of 20 ARP entries in VLAN 10.

    [~Switch] interface 10ge 1/0/1
    [~Switch-10GE1/0/1] arp limit vlan 10 20
    [*Switch-10GE1/0/1] quit
    [*Switch] commit

  4. Configure ARP rate limiting based on source MAC address or source IP address.

    # Set the maximum rate of ARP packets from the user with MAC address 1-1-1 to 10 pps. The switch stores the address in its full form 0001-0001-0001, as shown in the configuration file.

    [~Switch] arp anti-attack rate-limit source-mac 1-1-1 maximum 10

    # Set the maximum rate of ARP packets from user (IP address 9.9.9.2) to 10 pps.

    [*Switch] arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10
    [*Switch] commit

Verifying the Configuration

  1. Run the display arp anti-attack rate-limit command to check the configuration of ARP rate limiting.

    [~Switch] display arp anti-attack rate-limit
    Global ARP packet rate limit (pps)        : 0                                                                                       
    Suppress Rate of each destination IP (pps): 500                                                                                     
    
    Total number of rate-limit configuration for source IP Address : 1                                                                  
    Source IP          Suppress Rate(pps)                                                                                               
    -------------------------------------------------------------------------------                                                     
    9.9.9.2                           10                                                                                                
    Other                             50                                                                                                
    -------------------------------------------------------------------------------                                                     
    Total number of rate-limit configuration for MAC Address : 1                                                                        
    Source MAC         Suppress Rate(pps)                                                                                               
    -------------------------------------------------------------------------------                                                     
    0001-0001-0001                    10                                                                                                
    Other                              0                                                                                                
    -------------------------------------------------------------------------------
  2. Run the display arp limit command to check the maximum number of ARP entries that an interface can dynamically learn. Take 10GE1/0/1 as an example.

    [~Switch] display arp limit interface 10ge 1/0/1
     Interface                         VLAN       Limit      Learnt     Threshold
    -----------------------------------------------------------------------------------------
     10GE1/0/1                           10          20           0             -
    -----------------------------------------------------------------------------------------
     Total:1
  3. Run the display arp miss anti-attack rate-limit command to check the configuration of ARP Miss rate limiting.

    [~Switch] display arp miss anti-attack rate-limit
    Global ARP miss rate limit (pps)          : 3000                                                                                    
    
    Total number of rate-limit configuration for source IP Address : 1                                                                  
    Source IP          Suppress Rate(pps)                                                                                               
    -------------------------------------------------------------------------------                                                     
    10.10.10.2/32                     40                                                                                                
    Other                             20                                                                                                
    -------------------------------------------------------------------------------   
  4. Run the display arp packet statistics command to check statistics on ARP packets.

    The command output differs in V100R001 and V100R002. The following shows the command output in V100R002.

    [~Switch] display arp packet statistics
    ARP Packets Received                                                                                                                
      Total:                            28509                                                                                           
      Learnt Count:                         3                                                                                           
      Discard For Entry Limit:              0                                                                                           
      Discard For Speed Limit:              0                                                                                           
      Discard For Proxy Suppress:           0                                                                                           
      Discard For Other:                20861                                                                                           
      MAC Invalid Count:                 4809                                                                                           
    ARP Packets Sent                                                                                                                    
      Total:                             1953                                                                                           
      Request:                           1108                                                                                           
      Reply:                              845                                                                                           
      Gratuitous ARP:                     307                                                                                           
    ARP-Miss Message Received                                                                                                           
      Total:                                1                                                                                           
      Discard For Speed Limit:              0                                                                                           
      Discard For Other:                    0                                 

    In the preceding command output, Discard For Entry Limit counts ARP packets dropped by the interface entry limit, Discard For Speed Limit under ARP Packets Received counts packets dropped by the source MAC or source IP rate limit, and Discard For Speed Limit under ARP-Miss Message Received counts ARP Miss packets dropped by the ARP Miss rate limit. These three counters are zero here, meaning no packet has yet been discarded by the configured limits; the Discard For Other and MAC Invalid Count values are not produced by the anti-flood functions. When these three counters increase during an attack, the ARP security (ARP anti-flood) function has taken effect.
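Because the counters are cumulative, a single `display arp packet statistics` output with zeros proves little; what matters is which drop counters grow between two captures. The following script is an added example and is not Huawei code or part of this document. It parses the V100R002 output format shown above, takes the document's own output as the first snapshot, and uses a second, constructed snapshot (hypothetical values, assumed to be captured 60 seconds later while the three attacks from the Networking Requirements are running). The mapping from counter to configured command is also an assumption drawn from the counter names.

```python
"""Report which ARP anti-flood mechanism dropped packets between two snapshots of
`display arp packet statistics` (CloudEngine V100R002 output format)."""
import re
from typing import Dict

# Constructed sample 1: the output reproduced in this document (no drops yet).
SNAPSHOT_BEFORE = """\
ARP Packets Received
  Total:                            28509
  Learnt Count:                         3
  Discard For Entry Limit:              0
  Discard For Speed Limit:              0
  Discard For Proxy Suppress:           0
  Discard For Other:                20861
  MAC Invalid Count:                 4809
ARP Packets Sent
  Total:                             1953
  Request:                           1108
  Reply:                              845
  Gratuitous ARP:                     307
ARP-Miss Message Received
  Total:                                1
  Discard For Speed Limit:              0
  Discard For Other:                    0
"""

# Constructed sample 2: hypothetical counters 60 s later while the three attacks
# described in the Networking Requirements hit the configured limits.
SNAPSHOT_AFTER = """\
ARP Packets Received
  Total:                            41209
  Learnt Count:                         5
  Discard For Entry Limit:           1200
  Discard For Speed Limit:           7500
  Discard For Proxy Suppress:           0
  Discard For Other:                20861
  MAC Invalid Count:                 4809
ARP Packets Sent
  Total:                             2011
  Request:                           1140
  Reply:                              871
  Gratuitous ARP:                     307
ARP-Miss Message Received
  Total:                             3601
  Discard For Speed Limit:           3000
  Discard For Other:                    0
"""

COUNTER_RE = re.compile(r"^\s+(.+?):\s+(\d+)\s*$")


def parse_arp_stats(text: str) -> Dict[str, int]:
    """Return {"<section>/<counter>": value}; unindented lines are section headers."""
    counters: Dict[str, int] = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = COUNTER_RE.match(line)
        if match and section is not None:
            counters[f"{section}/{match.group(1)}"] = int(match.group(2))
        elif not line[0].isspace():
            section = line.strip()
    return counters


# Assumed mapping: which drop counter is evidence for which command in the Procedure.
MECHANISMS = {
    "ARP Packets Received/Discard For Entry Limit": "arp limit (interface ARP entry limit)",
    "ARP Packets Received/Discard For Speed Limit": "arp anti-attack rate-limit (source MAC/IP rate limit)",
    "ARP-Miss Message Received/Discard For Speed Limit": "arp miss anti-attack rate-limit (ARP Miss rate limit)",
}


def anti_flood_drops(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Packets dropped by each mechanism between the snapshots (only counters that grew)."""
    drops: Dict[str, int] = {}
    for counter, mechanism in MECHANISMS.items():
        delta = after.get(counter, 0) - before.get(counter, 0)
        if delta > 0:
            drops[mechanism] = delta
    return drops


def offered_rate_pps(before: Dict[str, int], after: Dict[str, int], interval_s: float) -> float:
    """Average rate of ARP packets plus ARP Miss messages that reached the CPU."""
    keys = ("ARP Packets Received/Total", "ARP-Miss Message Received/Total")
    delta = sum(after.get(k, 0) - before.get(k, 0) for k in keys)
    return delta / interval_s


def report(before_text: str, after_text: str, interval_s: float) -> dict:
    before, after = parse_arp_stats(before_text), parse_arp_stats(after_text)
    return {"offered_pps": offered_rate_pps(before, after, interval_s),
            "drops": anti_flood_drops(before, after)}


if __name__ == "__main__":
    result = report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, 60)
    print(f"ARP load reaching the CPU: {result['offered_pps']:.0f} pps")
    for mechanism, count in result["drops"].items():
        print(f"{count:6d} packets dropped by {mechanism}")
```

Run it with two real captures taken a known interval apart; a mechanism that never appears in the drops while the offered rate climbs is the one whose limit is set too high to help.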

Configuration File

#                                                                               
sysname Switch
#                                                                               
vlan batch 10 20 30
#                                                                               
arp miss anti-attack rate-limit source-ip maximum 20                            
arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10                         
arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40                 
arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10                 
# 
interface Vlanif10                                                              
 ip address 8.8.8.1 255.255.255.0                                               
#   
interface Vlanif20                                                              
 ip address 9.9.9.1 255.255.255.0                                               
#   
interface Vlanif30                                                              
 ip address 10.10.10.3 255.255.255.0                                               
#   
interface 10GE1/0/1                                                             
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                                  
 arp limit vlan 10 20                                                           
# 
interface 10GE1/0/2                                                             
 port link-type trunk                                                           
 port trunk allow-pass vlan 20                                            
#                                                                               
interface 10GE1/0/3                                                             
 port link-type trunk                                                           
 port trunk allow-pass vlan 30                                             
#   
return 
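The configuration file above applies an ARP entry limit only to 10GE1/0/1, although 10GE1/0/2 also faces users (VLAN 20). The following audit script is an added example, not Huawei code or part of this document. It parses the configuration file exactly as printed above and checks it against two assumed policy rules: every physical interface that carries a user VLAN (assumed here to be VLANs 10 and 20; VLAN 30 is the server VLAN) must have an `arp limit` for that VLAN, and the server 10.10.10.2 must have a higher ARP Miss allowance than the default. The parsing covers only the command forms that appear on this page plus the `to` and `all` forms of `port trunk allow-pass vlan`.

```python
"""Audit a CloudEngine configuration file for the ARP anti-flood controls in this example."""
import re
from typing import Dict, List, Set, Tuple

USER_VLANS = {10, 20}        # assumption: VLANs facing end users (VLAN 30 faces the server)
SERVER_IP = "10.10.10.2"     # server from the Networking Requirements

# Constructed input: the Configuration File from this document, verbatim.
CONFIG = """\
#
sysname Switch
#
vlan batch 10 20 30
#
arp miss anti-attack rate-limit source-ip maximum 20
arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10
arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10
#
interface Vlanif10
 ip address 8.8.8.1 255.255.255.0
#
interface Vlanif20
 ip address 9.9.9.1 255.255.255.0
#
interface Vlanif30
 ip address 10.10.10.3 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 arp limit vlan 10 20
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
return
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split the file into global commands and {interface: [commands]}; `#` ends a block."""
    global_cmds: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#" or line == "return":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand `10 20 30 to 40` or `all` as written after `port trunk allow-pass vlan`."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit(text: str) -> List[str]:
    findings: List[str] = []
    global_cmds, interfaces = parse_config(text)
    # Rule 1: a default per-source-IP ARP Miss limit exists and the server's is higher.
    default = server = None
    for cmd in global_cmds:
        m = re.fullmatch(r"arp miss anti-attack rate-limit source-ip (\S+ )?maximum (\d+)", cmd)
        if m and m.group(1) is None:
            default = int(m.group(2))
        elif m and m.group(1).strip() == SERVER_IP:
            server = int(m.group(2))
    if default is None:
        findings.append("no default 'arp miss anti-attack rate-limit source-ip maximum <n>'")
    if server is None or (default is not None and server <= default):
        findings.append(f"server {SERVER_IP} has no ARP Miss allowance above the default")
    # Rule 2: every physical interface carrying a user VLAN limits ARP entries for it.
    for name, cmds in interfaces.items():
        if name.lower().startswith("vlanif"):
            continue
        allowed: Set[int] = set()
        limited: Set[int] = set()
        for cmd in cmds:
            if (m := re.fullmatch(r"port trunk allow-pass vlan (.+)", cmd)):
                allowed |= parse_vlan_list(m.group(1))
            elif (m := re.fullmatch(r"arp limit vlan (\d+) \d+", cmd)):
                limited.add(int(m.group(1)))
        for vlan in sorted((allowed & USER_VLANS) - limited):
            findings.append(f"{name}: user VLAN {vlan} allowed but no 'arp limit vlan {vlan} <n>'")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG) or ["no findings"]:
        print(finding)
```

Against the file above the script reports exactly one finding, 10GE1/0/2 lacking an entry limit for VLAN 20; adding `arp limit vlan 20 <n>` under that interface clears it.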
Updated: 2020-01-07

Document ID: EDOC1000039339