Typical Configuration Examples

CloudEngine 12800, 12800E, 8800, 7800, 6800, and 5800 Series Switches

Configuring ARP Security (ARP Anti-Flood)

Applicable Products and Versions

This example applies to the CE12800/CE6800/CE5800 V100R001C00 or later.

This example applies to the CE7800 V100R003C00 or later.

This example applies to the CE8800 V100R006C00 or later.

This example applies to the CE12800E V200R002C50 or later.

Networking Requirements

As shown in Figure 2-61, the switch connects to a server through 10GE1/0/3 and connects to users in VLAN 10 and VLAN 20 through 10GE1/0/1 and 10GE1/0/2. The following ARP flood attacks exist on the network:
  • Attackers send a large number of IP packets with unreachable destination IP addresses to the switch, leading to CPU overload.
  • A user with MAC address 1-1-1 sends a large number of ARP packets with a fixed MAC address and variable IP addresses to the switch. As a result, ARP entries on the switch are exhausted and the CPU resources are insufficient to process other services.
  • A user with IP address 9.9.9.2 sends a large number of ARP packets with a fixed source IP address to the switch. As a result, the CPU is overloaded and cannot process services.
The administrator wants to prevent the preceding ARP flood attacks and provide users with stable services on a secure network.
Figure 2-61 Diagram for configuring ARP security

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure rate limiting on ARP Miss packets based on source IP addresses. If the device spends too many resources processing ARP Miss packets, other services are affected.
    • When user-side attackers send a large number of IP packets with unreachable destination IP addresses to the switch, the switch suffers an ARP flood attack.
    • The switch can still process the ARP Miss packets triggered by servers, so server communication is not interrupted.
  2. Configure ARP entry limiting based on interfaces to prevent the attacks initiated by users connected to a certain interface.
  3. Configure ARP rate limiting based on source MAC addresses and source IP addresses to discard the large numbers of ARP packets that attackers send with a fixed source MAC address or source IP address.

Procedure

  1. Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.

    # Create VLAN 10, VLAN 20, and VLAN 30, add 10GE1/0/1 to VLAN 10, 10GE1/0/2 to VLAN 20, and 10GE1/0/3 to VLAN 30.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch
    [*HUAWEI] commit
    [~Switch] vlan batch 10 20 30
    [~Switch] interface 10ge 1/0/1
    [~Switch-10GE1/0/1] port link-type trunk
    [*Switch-10GE1/0/1] port trunk allow-pass vlan 10
    [*Switch-10GE1/0/1] quit
    [*Switch] interface 10ge 1/0/2
    [*Switch-10GE1/0/2] port link-type trunk
    [*Switch-10GE1/0/2] port trunk allow-pass vlan 20
    [*Switch-10GE1/0/2] quit
    [*Switch] interface 10ge 1/0/3
    [*Switch-10GE1/0/3] port link-type trunk
    [*Switch-10GE1/0/3] port trunk allow-pass vlan 30
    [*Switch-10GE1/0/3] quit
    [*Switch] commit
    

    # Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.

    [~Switch] interface vlanif 10
    [~Switch-Vlanif10] ip address 8.8.8.1 24
    [*Switch-Vlanif10] quit
    [*Switch] interface vlanif 20
    [*Switch-Vlanif20] ip address 9.9.9.1 24
    [*Switch-Vlanif20] quit
    [*Switch] interface vlanif 30
    [*Switch-Vlanif30] ip address 10.10.10.3 24
    [*Switch-Vlanif30] quit
    [*Switch] commit
    

  2. Configure rate limiting on ARP Miss packets based on source IP addresses.

    # Set the maximum rate of ARP Miss packets triggered by the server with the IP address 10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss packets triggered by other hosts to 20 pps.

    [~Switch] arp miss anti-attack rate-limit source-ip maximum 20
    [*Switch] arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
    [*Switch] commit
    

  3. Configure interface-based ARP entry limit.

    # Allow 10GE1/0/1 to dynamically learn a maximum of 20 ARP entries in VLAN 10.

    [~Switch] interface 10ge 1/0/1
    [~Switch-10GE1/0/1] arp limit vlan 10 20
    [*Switch-10GE1/0/1] quit
    [*Switch] commit
    

  4. Configure ARP rate limiting based on source MAC address or source IP address.

    # Set the maximum rate of ARP packets from the user with MAC address 1-1-1 to 10 pps.

    [~Switch] arp anti-attack rate-limit source-mac 1-1-1 maximum 10
    

    # Set the maximum rate of ARP packets from the user with IP address 9.9.9.2 to 10 pps.

    [*Switch] arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10
    [*Switch] commit
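
The three policies configured in the procedure above, as an added example that is not part of the original document and not Huawei code: a Python model of a switch that applies the ARP Miss per-source-IP limit, the interface ARP entry limit, and the per-source-MAC/IP ARP rate limit to constructed traffic matching the three attacks listed under Networking Requirements. The one-second window policer, the order of the checks (source-MAC limit, then source-IP limit, then interface entry limit), and the MAC/IP values of the additional hosts are assumptions, not the CloudEngine implementation.

```python
"""Model of the ARP anti-flood policies from this example (added illustration, not Huawei code).
The 1-second window policer, check order and traffic below are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:
    kind: str        # "ip" (may trigger an ARP Miss) or "arp"
    src_mac: str
    src_ip: str
    dst_ip: str
    interface: str
    vlan: int
    t: float         # arrival time in seconds


@dataclass
class ArpSecurityPolicy:
    arp_miss_default_pps: int     # arp miss anti-attack rate-limit source-ip maximum N
    arp_miss_per_ip_pps: dict     # arp miss anti-attack rate-limit source-ip A.B.C.D maximum N
    arp_limit_per_if_vlan: dict   # (interface, vlan) -> N, from "arp limit vlan V N"
    arp_rate_per_mac_pps: dict    # arp anti-attack rate-limit source-mac M maximum N
    arp_rate_per_ip_pps: dict     # arp anti-attack rate-limit source-ip A.B.C.D maximum N


# Policy equivalent to the commands in the procedure above
PAGE_POLICY = ArpSecurityPolicy(20, {"10.10.10.2": 40}, {("10GE1/0/1", 10): 20},
                                {"0001-0001-0001": 10}, {"9.9.9.2": 10})


class ArpAntiFloodSwitch:
    def __init__(self, policy, resolvable_ips):
        self.policy = policy
        self.resolvable = set(resolvable_ips)   # destinations that already have an ARP entry
        self.learnt = defaultdict(set)          # (interface, vlan) -> learnt source IPs
        self.window = defaultdict(int)          # (limiter, key, second) -> packets admitted
        self.stats = {"arp_received": 0, "arp_learnt": 0, "arp_discard_entry_limit": 0,
                      "arp_discard_speed_limit": 0, "arp_miss_received": 0,
                      "arp_miss_discard_speed_limit": 0}

    def _over_limit(self, limiter, key, pps, t):
        """Admit at most `pps` packets per key per 1-second window (simplified policer, assumption)."""
        slot = (limiter, key, int(t))
        if self.window[slot] >= pps:
            return True
        self.window[slot] += 1
        return False

    def receive(self, pkt):
        return self._ip(pkt) if pkt.kind == "ip" else self._arp(pkt)

    def _ip(self, pkt):
        if pkt.dst_ip in self.resolvable:
            return "forwarded"                  # ARP entry exists, no ARP Miss is raised
        self.stats["arp_miss_received"] += 1
        pps = self.policy.arp_miss_per_ip_pps.get(pkt.src_ip, self.policy.arp_miss_default_pps)
        if self._over_limit("miss-src-ip", pkt.src_ip, pps, pkt.t):
            self.stats["arp_miss_discard_speed_limit"] += 1
            return "arp-miss-dropped"
        return "arp-miss-processed"

    def _arp(self, pkt):
        self.stats["arp_received"] += 1
        mac_pps = self.policy.arp_rate_per_mac_pps.get(pkt.src_mac)
        ip_pps = self.policy.arp_rate_per_ip_pps.get(pkt.src_ip)
        if (mac_pps is not None and self._over_limit("arp-src-mac", pkt.src_mac, mac_pps, pkt.t)) or \
           (ip_pps is not None and self._over_limit("arp-src-ip", pkt.src_ip, ip_pps, pkt.t)):
            self.stats["arp_discard_speed_limit"] += 1
            return "arp-dropped-speed-limit"
        key = (pkt.interface, pkt.vlan)
        if pkt.src_ip in self.learnt[key]:
            return "arp-entry-refreshed"
        limit = self.policy.arp_limit_per_if_vlan.get(key)
        if limit is not None and len(self.learnt[key]) >= limit:
            self.stats["arp_discard_entry_limit"] += 1
            return "arp-dropped-entry-limit"
        self.learnt[key].add(pkt.src_ip)
        self.stats["arp_learnt"] += 1
        return "arp-learnt"


def constructed_attack_traffic():
    """Constructed traffic reproducing the three attacks from Networking Requirements."""
    pkts = []
    # Attack 1: a user host floods 50 IP packets/s to an unreachable address (default limit 20 pps),
    # while server 10.10.10.2 legitimately triggers 30 ARP Miss/s, under its own 40 pps limit.
    for i in range(50):
        pkts.append(Packet("ip", "00aa-00aa-0001", "8.8.8.50", "8.8.8.200", "10GE1/0/1", 10, 1 + i / 50))
    for i in range(30):
        pkts.append(Packet("ip", "00bb-00bb-0002", "10.10.10.2", "10.10.10.99", "10GE1/0/3", 30, 1 + i / 30))
    # Attack 2: MAC 1-1-1 sends ARP with a fixed MAC and ever-changing source IPs:
    # 25 packets in second 2, then 10 per second in seconds 3 and 4.
    host = 101
    for second, n in ((2, 25), (3, 10), (4, 10)):
        for i in range(n):
            pkts.append(Packet("arp", "0001-0001-0001", f"8.8.8.{host}", "8.8.8.1", "10GE1/0/1", 10, second + i / n))
            host += 1
    # Attack 3: 9.9.9.2 sends 30 ARP packets/s with a fixed source IP (limit 10 pps).
    for i in range(30):
        pkts.append(Packet("arp", "0002-0002-0002", "9.9.9.2", "9.9.9.1", "10GE1/0/2", 20, 5 + i / 30))
    return pkts


def run_simulation(policy=PAGE_POLICY):
    """Feed the constructed traffic through the model and return counters like 'display arp packet statistics'."""
    switch = ArpAntiFloodSwitch(policy, {"8.8.8.1", "9.9.9.1", "10.10.10.2", "10.10.10.3"})
    for pkt in constructed_attack_traffic():
        switch.receive(pkt)
    return switch.stats
```

Running `run_simulation()` shows each policy acting only on the offending source: 30 of the user host's 50 ARP Miss packets per second are dropped while none of the server's are, the fixed-MAC attacker loses 15 packets to the 10 pps limit and a further 10 to the 20-entry limit on 10GE1/0/1, and 20 of the 30 packets from 9.9.9.2 are dropped. Passing a policy with no limits (for example `ArpSecurityPolicy(10**9, {}, {}, {}, {})`) produces zero discards and lets the attacker fill the ARP table, which is the situation the configuration prevents.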
    

Verifying the Configuration

  1. Run the display arp anti-attack rate-limit command to check the configuration of ARP rate limiting.

    [~Switch] display arp anti-attack rate-limit
    Global ARP packet rate limit (pps)        : --                                  
    Suppress Rate of each destination IP (pps): --                                  
                                                                                    
    VLAN ID            Suppress Rate(pps)                                           
    ------------------------------------------------------------------------------- 
    All                          --                                                 
    ------------------------------------------------------------------------------- 
    Total: 0, spec of rate-limit configuration for VLAN is 1024.                    
                                                                                    
    Source IP          Suppress Rate(pps)                                           
    ------------------------------------------------------------------------------- 
    9.9.9.2                      10                                                 
    Other                        --                                                 
    ------------------------------------------------------------------------------- 
    Total: 1, spec of rate-limit configuration for Source IP is 1024.               
                                                                                    
    Source MAC         Suppress Rate(pps)                                           
    ------------------------------------------------------------------------------- 
    0001-0001-0001               10                                                 
    Other                        --                                                 
    ------------------------------------------------------------------------------- 
    Total: 1, spec of rate-limit configuration for Source MAC is 1024.              
  2. Run the display arp limit command to check the maximum number of ARP entries that an interface can dynamically learn. Take 10GE1/0/1 as an example.

    [~Switch] display arp limit interface 10ge 1/0/1
     Interface                         VLAN       Limit      Learnt                 
    ---------------------------------------------------------------------------     
     10GE1/0/1                           10          20           0                 
    ---------------------------------------------------------------------------     
     Total:1                                                                        
  3. Run the display arp miss anti-attack rate-limit command to check the configuration of ARP Miss rate limiting.

    The command outputs of V100R001 and V100R002 are different. In this section, V100R002 is used as an example.

    [~Switch] display arp miss anti-attack rate-limit
    Global ARP miss rate limit (pps)          : --                                  
    VLAN ID            Suppress Rate(pps)                                           
    ------------------------------------------------------------------------------- 
    All                          --                                                 
    ------------------------------------------------------------------------------- 
    Total: 0, spec of rate-limit configuration for VLAN is 1024.                    
                                                                                    
    Source IP          Suppress Rate(pps)                                           
    ------------------------------------------------------------------------------- 
    10.10.10.2/32                40                                                 
    Other                        20                                                 
    ------------------------------------------------------------------------------- 
    Total: 1, spec of rate-limit configuration for Source IP is 1024.               
  4. Run the display arp packet statistics command to check statistics on ARP packets.

    The command outputs of V100R001 and V100R002 are different. In this section, V100R002 is used as an example.

    [~Switch] display arp packet statistics
    ARP Packets Received                                                            
      Total:                              200                                       
      Learnt Count:                         1                                       
      Discard For Entry Limit:              0                                       
      Discard For Speed Limit:              0                                       
      Discard For Proxy Suppress:           0                                       
      Discard For Other:                    0                                       
    ARP Packets Sent                                                                
      Total:                              476                                       
      Request:                            312                                       
      Reply:                              164                                       
      Gratuitous ARP:                     311                                       
    ARP-Miss Message Received                                                       
      Total:                               12                                       
      Discard For Speed Limit:              0                                       
      Discard For Other:                    0                                       

    The Discard For Entry Limit and Discard For Speed Limit counters in the preceding command output show the number of ARP packets and ARP Miss messages discarded by the switch; these counters increase once the ARP security (ARP anti-flood) function takes effect.
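
One way to turn these statistics into a recurring monitoring check, as an added example that is not Huawei tooling: a parser for the display arp packet statistics output that keeps the discard counters from each poll and reports those that grew since the previous poll, plus the share of received packets that were discarded. The baseline sample is the command output shown above; the second sample is constructed to show what a switch under attack would report.

```python
"""Parse 'display arp packet statistics' output and flag discard counters that grow between polls.
Added example, not Huawei tooling; SAMPLE_LATER below is constructed."""
import re

SECTION_RE = re.compile(r"^\s*(ARP Packets Received|ARP Packets Sent|ARP-Miss Message Received)\s*$")
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(\d+)\s*$")

# Counters that only increase when an anti-flood policy discards traffic
DISCARD_COUNTERS = (
    ("ARP Packets Received", "Discard For Entry Limit"),
    ("ARP Packets Received", "Discard For Speed Limit"),
    ("ARP-Miss Message Received", "Discard For Speed Limit"),
)

# Baseline: the output shown in the verification step above
SAMPLE_BASELINE = """[~Switch] display arp packet statistics
ARP Packets Received
  Total:                              200
  Learnt Count:                         1
  Discard For Entry Limit:              0
  Discard For Speed Limit:              0
  Discard For Proxy Suppress:           0
  Discard For Other:                    0
ARP Packets Sent
  Total:                              476
  Request:                            312
  Reply:                              164
  Gratuitous ARP:                     311
ARP-Miss Message Received
  Total:                               12
  Discard For Speed Limit:              0
  Discard For Other:                    0
"""

# Constructed later poll: the three attacks from this example are being rate limited
SAMPLE_LATER = """[~Switch] display arp packet statistics
ARP Packets Received
  Total:                             1300
  Learnt Count:                         5
  Discard For Entry Limit:             40
  Discard For Speed Limit:            850
  Discard For Proxy Suppress:           0
  Discard For Other:                    0
ARP Packets Sent
  Total:                              480
  Request:                            315
  Reply:                              165
  Gratuitous ARP:                     312
ARP-Miss Message Received
  Total:                              400
  Discard For Speed Limit:            300
  Discard For Other:                    0
"""


def parse_arp_packet_statistics(text):
    """Return {section: {counter: value}} from the command output; the prompt line is ignored."""
    stats, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            stats[section] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            stats[section][m.group(1).strip()] = int(m.group(2))
    return stats


def discard_increases(previous, current):
    """{(section, counter): delta} for every discard counter that grew between two polls."""
    deltas = {}
    for section, counter in DISCARD_COUNTERS:
        before = previous.get(section, {}).get(counter, 0)
        after = current.get(section, {}).get(counter, 0)
        if after > before:
            deltas[(section, counter)] = after - before
    return deltas


def discard_ratio(stats, section):
    """Fraction of packets in a section discarded for any reason; 0.0 when nothing was received."""
    counters = stats.get(section, {})
    total = counters.get("Total", 0)
    discarded = sum(v for k, v in counters.items() if k.startswith("Discard For"))
    return discarded / total if total else 0.0


def check_polls(previous_text, current_text):
    """Compare two raw outputs and return the discard counters that increased."""
    return discard_increases(parse_arp_packet_statistics(previous_text),
                             parse_arp_packet_statistics(current_text))
```

`check_polls(SAMPLE_BASELINE, SAMPLE_LATER)` returns the three discard counters with their increases (40, 850 and 300); comparing the baseline with itself returns nothing. The counters are cumulative, so it is the delta between polls, not the absolute value, that indicates an attack is currently in progress.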

Configuration File

#                                                                               
sysname Switch
#                                                                               
vlan batch 10 20 30
#                                                                               
arp miss anti-attack rate-limit source-ip maximum 20                            
arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10                         
arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40                 
arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10                 
# 
interface Vlanif10                                                              
 ip address 8.8.8.1 255.255.255.0                                               
#   
interface Vlanif20                                                              
 ip address 9.9.9.1 255.255.255.0                                               
#   
interface Vlanif30                                                              
 ip address 10.10.10.3 255.255.255.0                                               
#   
interface 10GE1/0/1                                                             
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                                  
 arp limit vlan 10 20                                                           
# 
interface 10GE1/0/2                                                             
 port link-type trunk                                                           
 port trunk allow-pass vlan 20                                            
#                                                                               
interface 10GE1/0/3                                                             
 port link-type trunk                                                           
 port trunk allow-pass vlan 30                                             
#   
return 
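
An added example that is not part of the original document or Huawei's tooling: a small audit script that parses a saved configuration in the layout shown above and checks that the ARP anti-flood commands from this example are still present, which catches configuration drift after later changes. The parser assumes the block layout shown here (blocks separated by `#`, interface commands indented by one space); the "trunk ports without arp limit" list is a review aid rather than a failure, since the example deliberately limits only the user-facing 10GE1/0/1.

```python
"""Audit a saved VRP-style configuration for the ARP anti-flood commands this example expects.
Added example, not Huawei tooling; the block layout handled is the one shown in the Configuration File section."""

# Copy of the configuration file above (trailing whitespace removed)
PAGE_CONFIG = """\
#
sysname Switch
#
vlan batch 10 20 30
#
arp miss anti-attack rate-limit source-ip maximum 20
arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10
arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10
#
interface Vlanif10
 ip address 8.8.8.1 255.255.255.0
#
interface Vlanif20
 ip address 9.9.9.1 255.255.255.0
#
interface Vlanif30
 ip address 10.10.10.3 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 arp limit vlan 10 20
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
return
"""

# Commands the procedure in this example is expected to leave in the configuration
EXPECTED = {
    "global": [
        "arp miss anti-attack rate-limit source-ip maximum 20",
        "arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40",
        "arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10",
        "arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10",
    ],
    "interfaces": {"10GE1/0/1": ["arp limit vlan 10 20"]},
}


def parse_vrp_config(text):
    """Split the configuration into {'global': [cmd, ...], 'interfaces': {name: [cmd, ...]}}."""
    cfg = {"global": [], "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line in ("#", "return"):
            current = None                      # '#' closes the current interface block
            continue
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            cfg["interfaces"][current] = []
        elif current is not None:
            cfg["interfaces"][current].append(line.strip())
        else:
            cfg["global"].append(line.strip())
    return cfg


def audit_arp_security(text, expected=EXPECTED):
    """Return a list of findings; an empty list means every expected command is present."""
    cfg = parse_vrp_config(text)
    findings = [f"missing global command: {cmd}" for cmd in expected["global"] if cmd not in cfg["global"]]
    for name, cmds in expected["interfaces"].items():
        present = cfg["interfaces"].get(name)
        if present is None:
            findings.append(f"interface {name} not found")
            continue
        findings += [f"{name}: missing '{cmd}'" for cmd in cmds if cmd not in present]
    return findings


def trunk_ports_without_arp_limit(text):
    """Physical trunk ports carrying a VLAN but with no 'arp limit' command: a review list, not a failure."""
    cfg = parse_vrp_config(text)
    return [name for name, cmds in cfg["interfaces"].items()
            if not name.startswith("Vlanif")
            and any(c.startswith("port trunk allow-pass vlan") for c in cmds)
            and not any(c.startswith("arp limit") for c in cmds)]
```

`audit_arp_security(PAGE_CONFIG)` returns no findings for the configuration above; removing the `arp limit vlan 10 20` line from 10GE1/0/1 produces one finding naming the interface and the missing command, and `trunk_ports_without_arp_limit` then lists all three physical ports instead of only 10GE1/0/2 and 10GE1/0/3.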
Updated: 2019-04-03

Document ID: EDOC1000039339
