CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 13

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

This chapter describes configuration examples of ARP security including networking requirements, configuration roadmap, and configuration procedure.

Example for Configuring ARP Security Functions

Networking Requirements

As shown in Figure 12-44, the switch connects to a server using 10GE1/17/3 and connects to four users in VLAN 10 and VLAN 20 using 10GE1/17/1 and 10GE1/17/2. The following ARP threats exist on the network:
  • Attackers send bogus ARP packets or bogus gratuitous ARP packets to the switch, so ARP entries on the switch are modified and packets can no longer be sent or received correctly.
  • Attackers send a large number of IP packets with unresolvable destination IP addresses to the switch, which overloads the CPU.
  • User1 sends a large number of ARP packets with a fixed MAC address but variable source IP addresses to the switch. As a result, ARP entries on the switch are exhausted and the CPU has insufficient resources to process other services.
  • User3 sends a large number of ARP packets with a fixed source IP address to the switch. As a result, the CPU of the switch has insufficient resources to process other services.
The administrator wants to prevent the preceding ARP flood attacks and provide users with stable services on a secure network.
Figure 12-44 Networking for configuring ARP security functions

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure strict ARP learning and ARP entry fixing to prevent bogus ARP packets from modifying ARP entries.
  2. Configure gratuitous ARP packet discarding to prevent bogus gratuitous ARP packets from modifying ARP entries.
  3. Configure rate limiting of ARP Miss messages based on the source IP address. This defends against the ARP Miss messages triggered by a large number of IP packets with unresolvable IP addresses, while leaving the switch able to process the larger number of ARP Miss messages legitimately triggered by the server so that network communication is not affected.
  4. Configure an ARP entry limit and rate limiting of ARP packets based on the source MAC address. These functions defend against ARP flood attacks that use a large number of ARP packets with a fixed MAC address but variable IP addresses, and so prevent ARP entry exhaustion and CPU overload.
  5. Configure rate limiting of ARP packets based on the source IP address. This defends against the ARP flood attack from User3, which uses a fixed IP address, and prevents CPU overload.

Procedure

  1. Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.

    # Create VLAN 10, VLAN 20, and VLAN 30, add 10GE1/17/1 to VLAN 10, 10GE1/17/2 to VLAN 20, and 10GE1/17/3 to VLAN 30.

    <HUAWEI> system-view
    [~HUAWEI] vlan batch 10 20 30
    
    [*HUAWEI] interface 10ge 1/17/1
    [*HUAWEI-10GE1/17/1] port link-type trunk
    [*HUAWEI-10GE1/17/1] port trunk allow-pass vlan 10
    [*HUAWEI-10GE1/17/1] quit
    
    [*HUAWEI] interface 10ge 1/17/2
    [*HUAWEI-10GE1/17/2] port link-type trunk
    [*HUAWEI-10GE1/17/2] port trunk allow-pass vlan 20
    [*HUAWEI-10GE1/17/2] quit
    
    [*HUAWEI] interface 10ge 1/17/3
    [*HUAWEI-10GE1/17/3] port link-type trunk
    [*HUAWEI-10GE1/17/3] port trunk allow-pass vlan 30
    [*HUAWEI-10GE1/17/3] quit
    

    # Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.

    [*HUAWEI] interface vlanif 10
    [*HUAWEI-Vlanif10] ip address 8.8.8.4 24
    [*HUAWEI-Vlanif10] quit
    
    [*HUAWEI] interface vlanif 20
    [*HUAWEI-Vlanif20] ip address 9.9.9.4 24
    [*HUAWEI-Vlanif20] quit
    
    [*HUAWEI] interface vlanif 30
    [*HUAWEI-Vlanif30] ip address 10.10.10.3 24
    [*HUAWEI-Vlanif30] quit
    

  2. Configure strict ARP learning.

    [*HUAWEI] arp learning strict
    

  3. Configure ARP entry fixing.

    # Set the ARP entry fixing mode to fixed-mac.

    [*HUAWEI] arp anti-attack entry-check fixed-mac enable
    

  4. Configure gratuitous ARP packet discarding.

    [*HUAWEI] arp anti-attack gratuitous-arp drop
    

  5. Configure rate limit on ARP Miss messages based on the source IP address.

    # Set the maximum rate of ARP Miss messages triggered by the server with the IP address 10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss messages triggered by other hosts to 20 pps.

    [*HUAWEI] arp miss anti-attack rate-limit source-ip maximum 20
    [*HUAWEI] arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
    

  6. Configure interface-based ARP entry limit.

    # Allow 10GE1/17/1 to dynamically learn a maximum of 20 ARP entries in VLAN 10.

    [*HUAWEI] interface 10ge 1/17/1
    [*HUAWEI-10GE1/17/1] arp limit vlan 10 20
    [*HUAWEI-10GE1/17/1] quit
    

  7. Configure rate limit on ARP packets based on the source MAC address.

    # Set the maximum rate of ARP packets from User1 with the source MAC address 1-1-1 to 10 pps.

    [*HUAWEI] arp anti-attack rate-limit source-mac 1-1-1 maximum 10
    

  8. Configure rate limit on ARP packets based on the source IP address.

    # Set the maximum rate of ARP packets from User3 with the source IP address 9.9.9.2 to 10 pps.

    [*HUAWEI] arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10
    [*HUAWEI] commit
    [~HUAWEI] quit
    

  9. Verify the configuration.

    # Run the display arp learning strict command to check the global configuration of strict ARP entry learning.

    <HUAWEI> display arp learning strict
     The global arp learning strict state:enable
     Interface                           LearningStrictState
    ------------------------------------------------------------
    ------------------------------------------------------------
     Total:0      Force-enable:0      Force-disable:0

    # Run the display arp limit command to check the maximum number of ARP entries that the interface can dynamically learn.

    <HUAWEI> display arp limit interface 10GE 1/17/1
     Interface                         VLAN       Limit      Learnt
    ---------------------------------------------------------------------------
     10GE1/17/1                           10          20           0
    ---------------------------------------------------------------------------
     Total:1

    # Run the display arp anti-attack rate-limit command to check the configuration of ARP anti-attack.

    <HUAWEI> display arp anti-attack rate-limit
    Global ARP packet rate limit (pps)        : --
    Suppress Rate of each destination IP (pps): 500

    Total number of rate-limit configuration for source IP Address : 1
    Source IP          Suppress Rate(pps)
    -------------------------------------------------------------------------------
    9.9.9.2                      10
    -------------------------------------------------------------------------------

    Total number of rate-limit configuration for MAC Address : 1
    Source MAC         Suppress Rate(pps)
    -------------------------------------------------------------------------------
    0001-0001-0001               10
    -------------------------------------------------------------------------------

    # Run the display arp anti-attack entry-check command to check the configuration of fixed ARP modes.

    <HUAWEI> display arp anti-attack entry-check
    Interface      Mode
    -------------------------------------------------------------------------------
      All        fix-mac
    -------------------------------------------------------------------------------

    # Run the display arp miss anti-attack rate-limit command to check the configuration of ARP Miss anti-attack.

    <HUAWEI> display arp miss anti-attack rate-limit
    Global ARP miss rate limit (pps)          : 3000

    Total number of rate-limit configuration for source IP Address : 1
    Source IP          Suppress Rate(pps)
    -------------------------------------------------------------------------------
    10.10.10.2/32                     40
    Other                             20
    -------------------------------------------------------------------------------

    # Run the display arp packet statistics command to check statistics on ARP-based packets.

    <HUAWEI> display arp packet statistics
    ARP Packets Received
      Total:                       90402
      Learnt Count:                   37
      Discard For Entry Limit:       146
      Discard For Speed Limit:     40529
      Discard For Proxy Suppress:      0
      Discard For Other:         8367601
    ARP Packets Sent 
      Total:                        6447
      Request:                      6341
      Reply:                         106
      Gratuitous ARP:                  0
    ARP-Miss Message Received
      Total:                          12
      Discard For Speed Limit:       194
      Discard For Other:             238

    In the preceding command output, the numbers of ARP packets and ARP Miss messages discarded by the switch are displayed, indicating that the ARP security functions have taken effect.
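    The entry limit and the source MAC and source IP rate limits from steps 6 to 8 can be exercised against traffic before they are deployed. The following Python model is an added example, not Huawei code: it applies the page's limits (20 entries on 10GE1/17/1 in VLAN 10, 10 pps for MAC 0001-0001-0001, 10 pps for IP 9.9.9.2) to constructed User1 and User3 floods and tallies the same counters that display arp packet statistics reports. Assumptions: a pps limit is approximated by a 1-second window, and ARP Miss rate limiting, entry fixing and gratuitous ARP discarding are not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class ArpPacket:
    iface: str      # ingress interface, e.g. "10GE1/17/1"
    vlan: int
    src_mac: str    # ARP sender hardware address, xxxx-xxxx-xxxx form
    src_ip: str     # ARP sender protocol address
    ts: float       # receive time in seconds (constructed)

@dataclass
class ArpGuard:
    """Counters are named after the 'display arp packet statistics' fields."""
    mac_limits: dict     # arp anti-attack rate-limit source-mac <mac> maximum <pps>
    ip_limits: dict      # arp anti-attack rate-limit source-ip <ip> maximum <pps>
    entry_limits: dict   # arp limit vlan <vlan> <max>, keyed by (iface, vlan)
    stats: dict = field(default_factory=lambda: defaultdict(int))
    _learnt: dict = field(default_factory=lambda: defaultdict(set))
    _window: dict = field(default_factory=lambda: defaultdict(int))

    def _over_rate(self, key, limit, ts):
        # Assumption: a pps limit is approximated by a 1-second tumbling window.
        self._window[key, int(ts)] += 1
        return self._window[key, int(ts)] > limit

    def receive(self, pkt: ArpPacket) -> bool:   # True = accepted, False = discarded
        self.stats["Total"] += 1
        for kind, value, limits in (("mac", pkt.src_mac, self.mac_limits),
                                    ("ip", pkt.src_ip, self.ip_limits)):
            limit = limits.get(value)
            if limit is not None and self._over_rate((kind, value), limit, pkt.ts):
                self.stats["Discard For Speed Limit"] += 1
                return False
        key = (pkt.iface, pkt.vlan)
        learnt = self._learnt[key]
        if pkt.src_ip not in learnt:             # would create a new dynamic entry
            if len(learnt) >= self.entry_limits.get(key, float("inf")):
                self.stats["Discard For Entry Limit"] += 1
                return False
            learnt.add(pkt.src_ip)
            self.stats["Learnt Count"] += 1
        return True

def run_scenario() -> dict:
    guard = ArpGuard(mac_limits={"0001-0001-0001": 10},      # User1, 10 pps
                     ip_limits={"9.9.9.2": 10},              # User3, 10 pps
                     entry_limits={("10GE1/17/1", 10): 20})  # arp limit vlan 10 20
    for i in range(200):   # User1: fixed MAC, 200 different IPs, 20 pps for 10 s
        guard.receive(ArpPacket("10GE1/17/1", 10, "0001-0001-0001",
                                f"8.8.8.{10 + i}", ts=i / 20))
    for i in range(50):    # User3: fixed IP 9.9.9.2, 50 packets within one second
        guard.receive(ArpPacket("10GE1/17/2", 20, "0002-0002-0002",
                                "9.9.9.2", ts=1 + i / 50))
    return dict(guard.stats)
```

    run_scenario() returns Total 250, Discard For Speed Limit 140, Discard For Entry Limit 80 and Learnt Count 21: User1 loses half of its packets to the 10 pps MAC limit and all but 20 of the rest to the entry limit, while User3 keeps only 10 packets per second.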

Configuration File

#
vlan batch 10 20 30
#
arp miss anti-attack rate-limit source-ip maximum 20
arp anti-attack rate-limit source-ip 9.9.9.2 maximum 10
arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10
arp learning strict
arp anti-attack entry-check fixed-mac enable
arp anti-attack gratuitous-arp drop
#
interface Vlanif10
 ip address 8.8.8.4 255.255.255.0
#
interface Vlanif20
 ip address 9.9.9.4 255.255.255.0
#
interface Vlanif30
 ip address 10.10.10.3 255.255.255.0
#
interface 10GE1/17/1
 port link-type trunk
 port trunk allow-pass vlan 10
 arp limit vlan 10 20
#
interface 10GE1/17/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface 10GE1/17/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
return

Example for Configuring Defense Against ARP MITM Attacks

Networking Requirements

As shown in Figure 12-45, the users of a department access the Internet through SwitchA. Some of the users connected to SwitchA obtain IP addresses through DHCP and others are assigned static IP addresses. All users are in the same VLAN as the DHCP server. If an attacker launches an ARP MITM attack, the data of authorized users leaks; the administrator therefore requires that SwitchA prevent MITM attacks.

Figure 12-45 Networking diagram for defending against ARP MITM attacks

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure DHCP snooping so that the device generates address and port binding entries for dynamic users; binding entries for static users are configured manually. These binding entries are used to check the validity of ARP packets.
  2. Enable DAI so that SwitchA compares the source IP address, source MAC address, VLAN ID, and interface number of each ARP packet with the DHCP snooping binding entries and filters out invalid packets. This prevents ARP MITM attacks.

Procedure

  1. Create a VLAN and add interfaces to the VLAN.

    # Create VLAN 10, and add 10GE1/17/1, 10GE1/17/2, 10GE1/17/3, and 10GE1/17/4 to VLAN 10.

    <HUAWEI> system-view
    [~HUAWEI] sysname SwitchA
    [*HUAWEI] commit
    [~SwitchA] vlan batch 10
    
    [*SwitchA] interface 10ge 1/17/1
    [*SwitchA-10GE1/17/1] port link-type access
    [*SwitchA-10GE1/17/1] port default vlan 10
    [*SwitchA-10GE1/17/1] quit
    
    [*SwitchA] interface 10ge 1/17/2
    [*SwitchA-10GE1/17/2] port link-type access
    [*SwitchA-10GE1/17/2] port default vlan 10
    [*SwitchA-10GE1/17/2] quit
    
    [*SwitchA] interface 10ge 1/17/3
    [*SwitchA-10GE1/17/3] port link-type access
    [*SwitchA-10GE1/17/3] port default vlan 10
    [*SwitchA-10GE1/17/3] quit
    
    [*SwitchA] interface 10ge 1/17/4
    [*SwitchA-10GE1/17/4] port link-type trunk
    [*SwitchA-10GE1/17/4] port trunk allow-pass vlan 10
    [*SwitchA-10GE1/17/4] quit
    

  2. Configure DHCP snooping.

    # Enable DHCP snooping globally.

    [*SwitchA] dhcp enable
    [*SwitchA] dhcp snooping enable
    

    # Enable DHCP snooping in VLAN 10.

    [*SwitchA] vlan 10
    [*SwitchA-vlan10] dhcp snooping enable
    [*SwitchA-vlan10] quit
    

    # Configure 10GE1/17/4 as a trusted interface.

    [*SwitchA] interface 10ge 1/17/4
    [*SwitchA-10GE1/17/4] dhcp snooping trusted
    [*SwitchA-10GE1/17/4] quit
    

    # Configure a static binding table.

    [*SwitchA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface 10ge 1/17/3 vlan 10
    [*SwitchA] commit
    

  3. Enable DAI in VLAN 10.

    [*SwitchA] vlan 10
    [*SwitchA-vlan10] arp anti-attack check user-bind enable
    [*SwitchA-vlan10] commit

  4. Verify the configuration.

    Run the display current-configuration command to view the configuration of DHCP snooping, the static binding table, and DAI. For details, see the configuration file.
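    The DAI check enabled in step 3 amounts to a lookup against the binding table. The following Python model is an added example, not Huawei code: it holds the page's static entry for 10.0.0.2 plus a constructed DHCP snooping entry, and accepts an ARP packet only when its sender IP, sender MAC, VLAN and ingress interface all match one entry, naming the mismatching field for a drop log. Assumptions: how DHCP snooping derives an entry from a server ACK is simplified, and ARP received on the trusted uplink 10GE1/17/4 is not modelled.

```python
from dataclasses import dataclass
from typing import Set, Tuple

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    iface: str
    vlan: int

@dataclass(frozen=True)
class ArpPacket:
    iface: str       # interface the ARP packet arrived on
    vlan: int
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address

class DaiVlan:
    """Models 'arp anti-attack check user-bind enable' for one VLAN."""

    def __init__(self, vlan: int) -> None:
        self.vlan = vlan
        self.bindings: Set[Binding] = set()

    def snoop_dhcp_ack(self, client_mac: str, yiaddr: str, client_iface: str) -> None:
        # Assumption: DHCP snooping records chaddr, yiaddr and the client's port from the ACK.
        self.bindings.add(Binding(yiaddr, client_mac, client_iface, self.vlan))

    def user_bind_static(self, ip: str, mac: str, iface: str) -> None:
        # user-bind static ip-address <ip> mac-address <mac> interface <if> vlan <vlan>
        self.bindings.add(Binding(ip, mac, iface, self.vlan))

    def check(self, pkt: ArpPacket) -> Tuple[bool, str]:
        """Return (accepted, reason); the reason names the field that did not match."""
        if Binding(pkt.sender_ip, pkt.sender_mac, pkt.iface, pkt.vlan) in self.bindings:
            return True, "matches binding entry"
        for b in self.bindings:              # explain the drop, e.g. for a log line
            if b.ip == pkt.sender_ip:
                what = "mac" if b.mac != pkt.sender_mac else "interface"
                return False, f"sender IP {pkt.sender_ip} is bound to another {what}"
        return False, f"no binding entry for sender IP {pkt.sender_ip}"

def run_scenario() -> dict:
    dai = DaiVlan(vlan=10)
    dai.user_bind_static("10.0.0.2", "0001-0001-0001", "10GE1/17/3")  # from the page
    dai.snoop_dhcp_ack("0002-0002-0002", "10.0.0.3", "10GE1/17/1")     # constructed
    packets = {   # constructed ARP packets; the last three are spoofing attempts
        "static host": ArpPacket("10GE1/17/3", 10, "0001-0001-0001", "10.0.0.2"),
        "dhcp host": ArpPacket("10GE1/17/1", 10, "0002-0002-0002", "10.0.0.3"),
        "spoof ip": ArpPacket("10GE1/17/2", 10, "0003-0003-0003", "10.0.0.2"),
        "spoof ip and mac": ArpPacket("10GE1/17/2", 10, "0002-0002-0002", "10.0.0.3"),
        "unknown ip": ArpPacket("10GE1/17/2", 10, "0003-0003-0003", "10.0.0.9"),
    }
    return {name: dai.check(p) for name, p in packets.items()}
```

    Copying both the IP and the MAC of a legitimate host is still rejected because the binding also pins the interface the host is attached to.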

Configuration File

Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
#
user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface 10GE1/17/3 vlan 10
#
vlan 10
 dhcp snooping enable
 arp anti-attack check user-bind enable
#
interface 10GE1/17/1
 port default vlan 10
#
interface 10GE1/17/2
 port default vlan 10
#
interface 10GE1/17/3
 port default vlan 10
#
interface 10GE1/17/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping trusted
#
return
Updated: 2019-12-13

Document ID: EDOC1000041694

Views: 60747

Downloads: 3623

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Share
Previous Next