CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

These documents describe the configuration of the services supported by the CX11x, CX31x, and CX91x series switch modules, covering function configurations and configuration examples.
Configuring ARP Security

This section describes the procedures for configuring ARP security.

Configuring Defense Against ARP Flood Attacks

Defense against ARP flood attacks prevents ARP entry exhaustion and CPU overload so that user communication is not interrupted.

Pre-configuration Tasks

Before configuring defense against ARP flood attacks, complete the following task:

  • Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up
Configuration Process

Operations in the configuration process can be performed in any sequence as required.

NOTE:

When rate limit on ARP packets is configured globally or in a VLAN and rate limit on ARP packets based on the source MAC address or source IP address is also configured, the smallest rate is used.

When rate limit on ARP Miss messages is configured globally or in a VLAN and rate limit on ARP Miss messages based on the source IP address is also configured, the smallest rate is used.

Configuring Rate Limit on ARP Packets based on the Source MAC Address

Context

When the device has to process a large number of ARP packets that carry the same source MAC address but different source IP addresses, its CPU is overloaded and its ARP entry resources are exhausted.

To prevent this problem, limit the rate of ARP packets based on the source MAC address on the gateway. The device collects statistics on ARP packets from a specified source MAC address. If the number of ARP packets from the specified source MAC address in 1 second exceeds the threshold, the device discards the excess ARP packets.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configuring rate limit on ARP packets based on the source MAC address

    • Run:

      arp anti-attack rate-limit source-mac maximum maximum

      The maximum rate of ARP packets from any single source MAC address is set.

    • Run:

      arp anti-attack rate-limit source-mac mac-address maximum maximum

      The maximum rate of ARP packets from a specified source MAC address is set.

    When the preceding configurations are both performed, the maximum rate set using the arp anti-attack rate-limit source-mac mac-address maximum maximum command takes effect on ARP packets from the specified source MAC address, and the maximum rate set using the arp anti-attack rate-limit source-mac maximum maximum command takes effect on ARP packets from other source MAC addresses.

    By default, the maximum rate of ARP packets from each source MAC address is set to 0, that is, the rate of ARP packets is not limited based on the source MAC address.

  3. Run:

    commit

    The configuration is committed.

Configuring Rate Limit on ARP Packets based on the Source IP Address

Context

When the device has to process a large number of ARP packets with a fixed source IP address (for example, packets with the same source IP address but frequently changing MAC addresses or interfaces), its CPU is overloaded and cannot process other services.

To prevent this problem, limit the rate of ARP packets based on the source IP address on the gateway. The device collects statistics on ARP packets from a specified source IP address. If the number of ARP packets from the specified source IP address in 1 second exceeds the threshold, the device discards the excess ARP packets.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configuring rate limit on ARP packets based on the source IP address

    • Run:

      arp anti-attack rate-limit source-ip maximum maximum

      The maximum rate of ARP packets from a source IP address is set.

    • Run:

      arp anti-attack rate-limit source-ip ip-address maximum maximum

      The maximum rate of ARP packets from a specified source IP address is set.

    When the preceding configurations are both performed, the maximum rate set using the arp anti-attack rate-limit source-ip ip-address maximum maximum command takes effect on ARP packets from the specified source IP address, and the maximum rate set using the arp anti-attack rate-limit source-ip maximum maximum command takes effect on ARP packets from other source IP addresses.

    By default, the device allows a maximum of 30 ARP packets from the same source IP address to pass through in 1 second.

  3. Run:

    commit

    The configuration is committed.

Configuring Rate Limit on ARP Packets based on the Destination IP Address

Context

When processing a large number of ARP packets with the same destination IP address, the CPU is overloaded and cannot process other services.

To prevent this problem, limit the rate of ARP packets based on the destination IP address. The device collects statistics on ARP packets with a specified destination IP address. If the number of received ARP packets with the specified destination IP address in 1 second exceeds the threshold, the device discards the excess ARP packets.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    arp anti-attack rate-limit destination-ip maximum maximum

    Rate limit on ARP packets based on the destination IP address is configured.

    By default, the maximum rate of ARP packets sent to each destination IP address is set to 500 pps, that is, a maximum of 500 ARP packets with the same destination IP address are allowed to pass through in 1 second.

  3. Run:

    commit

    The configuration is committed.

Configuring Rate Limit on ARP Packets Globally, in a VLAN, or on an Interface

Context

When the device has to process a large number of ARP packets, it does not have sufficient CPU resources left for other services. To protect the CPU, limit the rate of ARP packets.

After rate limit on ARP packets is enabled, set the maximum rate of ARP packets globally, in a VLAN, or on an interface. If the number of ARP packets received each second exceeds the limit, the device discards excess ARP packets.
  • Limiting the rate of ARP packets globally: limits the number of ARP packets to be processed by the system. When an ARP attack occurs, the device limits the rate of ARP packets globally.

  • Limiting the rate of ARP packets in a VLAN: limits the number of ARP packets to be processed on all interfaces in a VLAN. The configuration in a VLAN does not affect ARP entry learning on interfaces in other VLANs.

  • Limiting the rate of ARP packets on an interface: limits the number of ARP packets to be processed on an interface. The configuration on an interface does not affect ARP entry learning on other interfaces.

If the maximum rate is configured in the system view, VLAN view, and interface view at the same time, the interface view configuration takes precedence over the VLAN view configuration, which in turn takes precedence over the system view configuration.

Perform the following steps on the gateway.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Run:

    interface interface-type interface-number

    or,

    vlan vlan-id

    The interface view or VLAN view is displayed.

    NOTE:

    If you configure rate limit on ARP packets in the system view, skip this step.

  3. Run:

    arp anti-attack rate-limit limit

    The maximum rate of ARP packets is set.

    The default global ARP rate limit is 128 pps. That is, a maximum of 128 ARP packets can pass within one second. The default ARP rate limit in a VLAN or on an interface is 0. That is, the ARP packet rate in a VLAN or on an interface is not limited.

  4. Run:

    commit

    The configuration is committed.
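The following Python model is an added example, not part of this guide or of the switch software. It reproduces the decision rules stated in the preceding rate-limit sections (per-source-MAC, per-source-IP, and per-destination-IP counters over a 1-second window; an address-specific limit overriding the default for that address; interface view taking precedence over VLAN view and system view; the smallest applicable rate taking effect) and runs the attack from the source-MAC section against the default values and against a hardened configuration. Interface names, addresses, and the chosen rates are constructed for the demonstration.

```python
"""Model of the ARP rate-limit rules described above.  Added example, not
switch code: it reproduces only the decision logic.  Interface names,
addresses and rates are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

UNLIMITED = 0  # the commands use 0 to mean "not limited"


@dataclass
class ArpPacket:
    src_mac: str
    src_ip: str
    dst_ip: str
    vlan: int = 1
    port: str = "10GE1/0/1"


@dataclass
class RateLimitConfig:
    source_mac_default: int = UNLIMITED  # arp anti-attack rate-limit source-mac maximum <n> (default 0)
    source_mac: dict = field(default_factory=dict)       # per-MAC override
    source_ip_default: int = 30          # arp anti-attack rate-limit source-ip maximum <n> (default 30)
    source_ip: dict = field(default_factory=dict)        # per-IP override
    destination_ip: int = 500            # arp anti-attack rate-limit destination-ip maximum <n> (default 500)
    global_limit: int = 128              # arp anti-attack rate-limit <n>, system view (default 128)
    vlan_limit: dict = field(default_factory=dict)       # VLAN view (default 0 = off)
    interface_limit: dict = field(default_factory=dict)  # interface view (default 0 = off)

    def scope_limit(self, pkt):
        """Interface view > VLAN view > system view; returns (counter key, limit)."""
        if self.interface_limit.get(pkt.port, UNLIMITED) != UNLIMITED:
            return ("if", pkt.port), self.interface_limit[pkt.port]
        if self.vlan_limit.get(pkt.vlan, UNLIMITED) != UNLIMITED:
            return ("vlan", pkt.vlan), self.vlan_limit[pkt.vlan]
        return ("global",), self.global_limit

    def limits_for(self, pkt):
        """Every counter that applies to this packet, with its limit."""
        scope_key, scope_max = self.scope_limit(pkt)
        return {
            ("src-mac", pkt.src_mac): self.source_mac.get(pkt.src_mac, self.source_mac_default),
            ("src-ip", pkt.src_ip): self.source_ip.get(pkt.src_ip, self.source_ip_default),
            ("dst-ip", pkt.dst_ip): self.destination_ip,
            scope_key: scope_max,
        }


class ArpRateLimiter:
    def __init__(self, cfg):
        self.cfg = cfg
        self.window = None
        self.counts = defaultdict(int)

    def admit(self, pkt, now):
        """True if the packet goes to the CPU, False if it is discarded.
        Counters restart every whole second (the 1-second window in the text)."""
        if int(now) != self.window:
            self.window = int(now)
            self.counts.clear()
        limits = self.cfg.limits_for(pkt)
        # A packet passes only if every applicable counter is still under its
        # limit, so when several limits apply the smallest one takes effect.
        if any(m != UNLIMITED and self.counts[k] >= m for k, m in limits.items()):
            return False
        for k in limits:
            self.counts[k] += 1
        return True


def flood_from_one_mac(cfg, n=1000):
    """The attack from the text: one source MAC, a fresh source IP per packet,
    all within one second.  Returns how many packets reached the CPU."""
    lim = ArpRateLimiter(cfg)
    return sum(lim.admit(ArpPacket("00aa-bbcc-0001", "10.0.%d.%d" % divmod(i, 256), "10.0.0.1"),
                         now=0.5) for i in range(n))


def legit_after_flood(cfg, n=1000):
    """Does a well-behaved host still get its ARP packet through in the same second?"""
    lim = ArpRateLimiter(cfg)
    for i in range(n):
        lim.admit(ArpPacket("00aa-bbcc-0001", "10.0.%d.%d" % divmod(i, 256), "10.0.0.1"), now=0.5)
    return lim.admit(ArpPacket("00aa-bbcc-ffff", "10.0.9.9", "10.0.0.1"), now=0.6)
```

With the defaults, the single-MAC flood is stopped only by the 128 pps global limit, which it consumes entirely, so a legitimate host's ARP packet in the same second is discarded. With arp anti-attack rate-limit source-mac maximum 10 the attacker is held to 10 pps and the legitimate host still gets through; this is the practical reason to configure the per-source limits rather than relying on the global one.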

Configuring Rate Limit on ARP Miss Messages based on the Source IP Address

Context

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device, that is, if the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route, the device triggers a large number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the switch modules for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

If the number of ARP Miss messages triggered by IP packets from a source IP address in 1 second exceeds the limit, the device considers that an attack is initiated from the source IP address.

The administrator can set the maximum number of ARP Miss messages that the device can process within a specified duration based on the actual network environment, protecting the system resources and ensuring proper running of other services.

Perform the following steps on the gateway.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configuring rate limit on ARP Miss messages based on the source IP address

    • Run:
      arp miss anti-attack rate-limit source-ip maximum maximum

      The maximum rate of ARP Miss messages from a specified source IP address is set.

    • Run:
      arp miss anti-attack rate-limit source-ip ip-address [ mask { mask-length | mask } ] maximum maximum

      The maximum rate of ARP Miss messages triggered by IP packets from a specified source IP address is set.

    When the preceding configurations are both performed, the maximum rate set using the arp miss anti-attack rate-limit source-ip ip-address [ mask { mask-length | mask } ] maximum maximum command takes effect on ARP Miss messages triggered by IP packets from the specified source IP address, and the maximum rate set using the arp miss anti-attack rate-limit source-ip maximum maximum command takes effect on ARP Miss messages triggered by IP packets from other source IP addresses.

    If the maximum rate of ARP Miss messages is set to 0, the rate of ARP Miss messages is not limited based on the source IP address. By default, the device processes a maximum of 30 ARP Miss messages triggered by IP packets from the same source IP address in 1 second.

  3. Run:

    commit

    The configuration is committed.

Configuring Rate Limit on ARP Miss Messages Globally or in a VLAN

Context

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device, that is, if the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route, the device triggers a large number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the switch modules for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

To avoid the preceding problems, it is recommended that you configure rate limit on ARP Miss messages on the gateway.

  • Limiting the rate of ARP Miss messages globally: limits the number of ARP Miss messages processed by the system.

  • Limiting the rate of ARP Miss messages in a VLAN: limits the number of ARP Miss messages to be processed on all interfaces in a VLAN. The configuration in a VLAN does not affect IP packet forwarding on interfaces in other VLANs.

If rate limit on ARP Miss messages is configured both globally and in a VLAN, the VLAN configuration takes precedence over the global configuration.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Run:

    vlan vlan-id

    The VLAN view is displayed.

    NOTE:

    If you configure rate limit on ARP Miss messages in the system view, skip this step.

  3. Run:

    arp miss anti-attack rate-limit limit

    The maximum rate of ARP Miss messages is set.

    By default, the global rate limit on ARP Miss messages is 3000 packets per second, and the rate limit for ARP Miss messages in a VLAN is disabled.

  4. Run:

    commit

    The configuration is committed.

Configuring the Aging Time of Temporary ARP Entries

Context

When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network.
  • In the aging time of temporary ARP entries:
    • An IP packet that is received before the ARP Reply packet and matches a temporary ARP entry is discarded and triggers no ARP Miss message.
    • After receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • When temporary ARP entries age out, the device clears them. If no ARP entry matches the IP packets forwarded by the device, ARP Miss messages are triggered again and temporary ARP entries are regenerated. This process continues.

You can limit the rate of ARP Miss messages by setting the aging time of temporary ARP entries. When ARP Miss attacks occur on the device, you can extend the aging time of temporary ARP entries to reduce the frequency of triggering ARP Miss messages so that the impact on the device is minimized.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command cannot be executed on the interface. Delete all Layer 2 configuration from the interface before running the command.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    arp fake timeout expire-time

    The aging time of temporary ARP entries is set.

    By default, the aging time of temporary ARP entries is 5 seconds.

  5. Run:

    commit

    The configuration is committed.
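The following Python simulation is an added example, not part of this guide or of the switch software. It models the behaviour described in the ARP Miss rate-limit and temporary ARP entry sections: an IP packet to a routable but unresolved address triggers an ARP Miss and creates a temporary entry that lives for the arp fake timeout period, packets that hit a live temporary entry are discarded without a new ARP Miss, and ARP Miss messages are capped per source IP address and globally. The page does not state exactly what happens to the excess packets once the per-source limit is exceeded; the model discards them without creating a temporary entry, which is an assumption. Addresses and rates are constructed.

```python
"""Simulation of ARP Miss handling as described above.  Added example, not
switch code.  Assumption: packets whose ARP Miss exceeds a rate limit are
discarded and create no temporary entry.  Addresses and rates are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ArpMissConfig:
    fake_timeout: float = 5.0    # arp fake timeout <expire-time>, default 5 s
    source_ip_limit: int = 30    # arp miss anti-attack rate-limit source-ip maximum, default 30 (0 = off)
    global_limit: int = 3000     # arp miss anti-attack rate-limit <limit>, default 3000 pps (0 = off)


class Gateway:
    def __init__(self, cfg):
        self.cfg = cfg
        self.arp = {}                       # resolved entries: ip -> mac
        self.temp = {}                      # temporary entries: ip -> expiry time
        self.window = None
        self.miss_per_src = defaultdict(int)
        self.miss_total = 0
        self.stats = defaultdict(int)

    def _roll_window(self, now):
        if int(now) != self.window:         # 1-second counting window
            self.window = int(now)
            self.miss_per_src.clear()
            self.miss_total = 0

    def forward(self, src_ip, dst_ip, now):
        """Process one IP packet whose route points at the connected segment."""
        self._roll_window(now)
        if dst_ip in self.arp:
            self.stats["forwarded"] += 1
            return "forwarded"
        if self.temp.get(dst_ip, 0.0) > now:
            self.stats["dropped-temp"] += 1  # temporary entry alive: no new ARP Miss
            return "dropped-temp"
        self.temp.pop(dst_ip, None)          # aged out (or never existed)
        cfg = self.cfg
        if (cfg.source_ip_limit and self.miss_per_src[src_ip] >= cfg.source_ip_limit) or \
           (cfg.global_limit and self.miss_total >= cfg.global_limit):
            self.stats["dropped-ratelimit"] += 1
            return "dropped-ratelimit"
        # ARP Miss: create a temporary entry and send an ARP Request (counted here).
        self.miss_per_src[src_ip] += 1
        self.miss_total += 1
        self.temp[dst_ip] = now + cfg.fake_timeout
        self.stats["arp-miss"] += 1
        return "arp-miss"

    def arp_reply(self, ip, mac):
        """A genuine ARP Reply replaces the temporary entry with a real one."""
        self.temp.pop(ip, None)
        self.arp[ip] = mac


def scan_attack(cfg, seconds=10, pps=1000, targets=2000):
    """One host sweeps `targets` unresolved addresses at `pps`, wrapping around.
    Returns how many ARP Miss messages the CPU actually processed."""
    gw = Gateway(cfg)
    n = 0
    for s in range(seconds):
        for i in range(pps):
            gw.forward("10.0.0.66", "10.1.%d.%d" % divmod(n % targets, 256), now=s + i / pps)
            n += 1
    return gw.stats["arp-miss"]


def legit_user_unaffected(cfg):
    """After the attacker has used up its share in this second, is a second
    host's ARP Miss still processed?"""
    gw = Gateway(cfg)
    for i in range(500):
        gw.forward("10.0.0.66", "10.1.%d.%d" % divmod(i, 256), now=i / 1000)
    return gw.forward("10.0.0.7", "10.1.200.1", now=0.6)
```

Against a host sweeping 2000 unresolved addresses at 1000 pps, the default 5-second aging time lets every address trigger an ARP Miss again once its temporary entry has expired, doubling the CPU work over 10 seconds compared with a 20-second aging time. The per-source limit of 30 pps caps the processed ARP Miss messages at 30 per second whichever aging time is used and, unlike a global-only limit, leaves a second host's ARP Miss processing unaffected.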

Configuring Gratuitous ARP Packet Discarding

Context

No authentication is performed on a host that sends gratuitous ARP packets, so any host can send gratuitous ARP packets, causing the following problems:
  • If a large number of gratuitous ARP packets are broadcast on the network, the device cannot process valid ARP packets due to CPU overload.
  • If the device processes bogus gratuitous ARP packets, ARP entries are updated incorrectly, leading to communication interruptions.

To solve the preceding problems, enable the gratuitous ARP packet discarding function on the gateway.

The function of discarding gratuitous ARP packets can be enabled in the system view or the interface view.
  • If the function is enabled in the system view, all interfaces on the device discard gratuitous ARP packets.
  • If the function is enabled in the interface view, only the interface discards gratuitous ARP packets.
NOTE:

Do not enable the gratuitous ARP packet discarding function on a network-side interface.

Procedure

  • Configuring gratuitous ARP packet discarding globally
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      arp anti-attack gratuitous-arp drop

      Gratuitous ARP packet discarding is enabled.

      By default, gratuitous ARP packet discarding is disabled.

    3. Run:

      commit

      The configuration is committed.

  • Configuring gratuitous ARP packet discarding on the interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command cannot be executed on the interface. Delete all Layer 2 configuration from the interface before running the command.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      arp anti-attack gratuitous-arp drop

      Gratuitous ARP packet discarding is enabled.

      By default, gratuitous ARP packet discarding is disabled.

    5. Run:

      commit

      The configuration is committed.

Configuring Strict ARP Learning

Context

If many users send a large number of ARP packets to a device at the same time, or attackers send bogus ARP packets to the device, the following problems occur:
  • Many CPU resources are consumed to process a large number of ARP packets. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, configure strict ARP learning on the gateway. With this function, the device learns an ARP entry only from an ARP Reply packet that answers an ARP Request packet the device itself sent, which defends against most ARP attacks.

Strict ARP learning can be configured globally or in the interface view.

  • If strict ARP learning is enabled globally, all interfaces on the device learn ARP entries strictly.
  • If strict ARP learning is enabled in the interface view, only the interface learns ARP entries strictly.

When strict ARP learning is enabled globally and in the interface view simultaneously, the configuration on the interface takes precedence over the global configuration.

NOTE:
When strict ARP learning is enabled globally:
  • If you run the arp learning strict force-disable command on a specified interface, strict ARP learning is forced to be disabled on the interface.
  • If you run the arp learning strict trust command on a specified interface, strict ARP learning configured globally takes effect on the interface.

Procedure

  • Configuring strict ARP learning globally
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      arp learning strict

      Strict ARP learning is enabled globally.

      By default, strict ARP learning is disabled.

    3. Run:

      commit

      The configuration is committed.

  • Configuring strict ARP learning on the interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command cannot be executed on the interface. Delete all Layer 2 configuration from the interface before running the command.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      arp learning strict { force-enable | force-disable | trust }

      Strict ARP learning on the interface is forcibly enabled, forcibly disabled, or set to follow the global configuration.

      By default, strict ARP learning is disabled on the interface.

    5. Run:

      commit

      The configuration is committed.

Configuring Interface-based ARP Entry Limit

Context

To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of the ARP entries learned by a specified interface reaches the maximum number, no dynamic ARP entry can be added.

Perform the following steps on the gateway.

Procedure

  • Configuring ARP entry limiting on a Layer 2 interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      arp limit vlan vlan-id1 [ to vlan-id2 ] maximum

      ARP entry limit on the Layer 2 interface is configured.

      By default, the maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.

      GE, 10GE, 40GE, and Eth-Trunk interfaces can work at Layer 2 or Layer 3. When such an interface works at Layer 3, you cannot specify a VLAN ID; when it works at Layer 2, you must specify a VLAN ID.

    4. Run:

      commit

      The configuration is committed.

  • Configuring ARP entry limiting on a Layer 3 interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command cannot be executed on the interface. Delete all Layer 2 configuration from the interface before running the command.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      arp limit maximum

      ARP entry limit on the Layer 3 interface is configured.

      By default, the maximum number of ARP entries that an interface can dynamically learn is the same as the number of ARP entries supported by the device.

    5. Run:

      commit

      The configuration is committed.

Disabling an Interface from Learning ARP Entries

Context

If a user connected to an interface initiates an ARP attack, the ARP resources of the entire device will be exhausted. Therefore, when a large number of dynamic ARP entries have been learned by an interface, it is recommended that you disable the interface from learning more ARP entries on the gateway to ensure device security.

  • If dynamic ARP entry learning is disabled on an interface, traffic forwarding may fail on this interface.

  • After dynamic ARP entry learning is disabled on an interface, the system will not automatically delete the ARP entries that were learned previously on this interface. You can delete or retain these dynamic ARP entries as required.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command cannot be executed on the interface. Delete all Layer 2 configuration from the interface before running the command.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    arp learning disable

    The interface is disabled from learning ARP entries.

    By default, an interface learns ARP entries dynamically.

  5. Run:

    commit

    The configuration is committed.
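The following Python model is an added example, not part of this guide or of the switch software. It combines the controls from the gratuitous ARP packet discarding, strict ARP learning, interface-based ARP entry limit, and ARP learning disable sections into one ingress decision, including the global/interface precedence rules (force-enable, force-disable, trust), and shows a bogus gratuitous ARP packet overwriting a victim's entry when neither control is on. Interface names and addresses are constructed.

```python
"""Model of the ARP learning controls described above.  Added example, not
switch code: decides whether an incoming ARP packet may create or refresh a
dynamic ARP entry.  Interface names and addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class ArpPacket:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    in_port: str

    @property
    def gratuitous(self):
        # A gratuitous ARP packet announces the sender's own address.
        return self.sender_ip == self.target_ip


@dataclass
class InterfacePolicy:
    strict: str = "trust"            # arp learning strict { force-enable | force-disable | trust }
    gratuitous_drop: bool = False    # arp anti-attack gratuitous-arp drop (interface view)
    learning_disabled: bool = False  # arp learning disable
    entry_limit: int = 0             # arp limit <maximum>; 0 = device capacity (default)


@dataclass
class Gateway:
    strict_global: bool = False           # arp learning strict (system view)
    gratuitous_drop_global: bool = False  # arp anti-attack gratuitous-arp drop (system view)
    interfaces: dict = field(default_factory=dict)  # port -> InterfacePolicy
    arp: dict = field(default_factory=dict)         # ip -> (mac, port)
    pending: set = field(default_factory=set)       # IPs the gateway itself has requested

    def policy(self, port):
        return self.interfaces.setdefault(port, InterfacePolicy())

    def strict_on(self, port):
        """Interface setting wins; "trust" follows the global setting."""
        p = self.policy(port)
        if p.strict == "force-enable":
            return True
        if p.strict == "force-disable":
            return False
        return self.strict_global

    def resolve(self, ip):
        """The gateway sends its own ARP Request for `ip`."""
        self.pending.add(ip)

    def receive(self, pkt):
        p = self.policy(pkt.in_port)
        if pkt.gratuitous and (self.gratuitous_drop_global or p.gratuitous_drop):
            return "drop-gratuitous"
        if p.learning_disabled:
            return "no-learn"      # existing entries are kept, nothing new is learned
        if self.strict_on(pkt.in_port) and (pkt.op != "reply" or pkt.sender_ip not in self.pending):
            return "no-learn"      # strict: only Replies to our own Requests are learned
        if pkt.sender_ip not in self.arp:
            in_use = sum(1 for _, port in self.arp.values() if port == pkt.in_port)
            if p.entry_limit and in_use >= p.entry_limit:
                return "limit-reached"
        self.arp[pkt.sender_ip] = (pkt.sender_mac, pkt.in_port)
        self.pending.discard(pkt.sender_ip)
        return "learned"


def spoof_via_gratuitous_arp(gw):
    """Victim 10.0.0.10 is learned from a Reply to the gateway's own Request;
    an attacker on 10GE1/0/2 then announces the victim's IP with its own MAC.
    Returns the MAC the gateway ends up using for 10.0.0.10."""
    gw.resolve("10.0.0.10")
    gw.receive(ArpPacket("reply", "10.0.0.10", "00aa-0000-0010", "10.0.0.1", "10GE1/0/1"))
    gw.receive(ArpPacket("request", "10.0.0.10", "00bb-0000-0bad", "10.0.0.10", "10GE1/0/2"))
    return gw.arp["10.0.0.10"][0]


def fill_interface(gw, port, hosts):
    """`hosts` distinct addresses behind `port` each ARP for the gateway.
    Returns how many dynamic entries that interface ended up with."""
    for i in range(hosts):
        gw.receive(ArpPacket("request", "10.0.1.%d" % (i + 1), "00cc-0000-%04x" % i, "10.0.0.1", port))
    return sum(1 for _, p in gw.arp.values() if p == port)
```

Either gratuitous ARP discarding or strict ARP learning on its own is enough to keep the attacker's announcement from overwriting the victim's entry; arp learning strict force-disable on the attacker's interface reopens the hole even when strict learning is enabled globally, which is why that option should be confined to interfaces that genuinely need it.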

Checking the Configuration

Procedure

  • Run the display arp anti-attack { rate-limit | entry-check } command to check the ARP anti-attack configuration.

  • Run the display arp miss anti-attack rate-limit command to check the ARP Miss anti-attack configuration.

  • Run the display arp limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to check the maximum number of ARP entries that an interface can learn.
  • Run the display arp learning strict command to check strict ARP learning globally and on all interfaces.

Configuring Defense Against ARP Spoofing Attacks

If an attacker sends bogus ARP packets to a device or host, the device or host modifies the local ARP entries, leading to packet forwarding failures. The function of defense against ARP spoofing attacks can prevent such attacks.

Pre-configuration Tasks

Before configuring defense against ARP spoofing attacks, complete the following task:

  • Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up
Configuration Process

Operations in the configuration process can be performed in any sequence as required.

Configuring ARP Entry Fixing

Context

To defend against ARP address spoofing attacks, configure ARP entry fixing on the gateway. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
  • fixed-mac mode: When receiving an ARP packet, the device discards the packet if the MAC address does not match that in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry while the interface number or VLAN ID does not match that in the ARP entry, the device updates the interface number or VLAN ID in the ARP entry. This mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device promptly updates the interface information in the user's ARP entry.
  • fixed-all mode: When the MAC address, interface number, and VLAN ID of an ARP packet match those in the corresponding ARP entry, the device updates other information about the ARP entry. This mode applies to networks where user MAC addresses and user access locations are fixed.
  • send-ack mode: When the device receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user. This mode applies to networks where user MAC addresses and user access locations often change.
You can configure ARP entry fixing globally or on the interface.
  • If ARP entry fixing is enabled globally, all interfaces have this function enabled by default.
  • If ARP entry fixing is enabled globally and on the interface simultaneously, the configuration on the interface takes precedence over the global configuration.

Procedure

  • Configuring ARP entry fixing globally
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

      ARP entry fixing is enabled.

      By default, ARP entry fixing is disabled.

    3. Run:

      commit

      The configuration is committed.

  • Configuring ARP entry fixing on the interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command cannot be executed on the interface. Delete all Layer 2 configuration from the interface before running the command.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

      ARP entry fixing is enabled.

      By default, ARP entry fixing is disabled.

    5. Run:

      commit

      The configuration is committed.
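The following Python model is an added example, not part of this guide or of the switch software. It implements the three ARP entry-fixing modes as described above and runs two cases through each: an attacker claiming an existing IP address with a different MAC address from a different interface, and a legitimate user whose MAC address appears on a new interface. The page does not detail how the reply to the send-ack unicast ARP Request is evaluated, so the model takes the outcome of that probe from a caller-supplied function (an assumption). Addresses are constructed.

```python
"""Model of the fixed-mac, fixed-all and send-ack ARP entry-fixing modes.
Added example, not switch code.  The send-ack probe result is supplied by
the caller (assumption).  Addresses are constructed."""
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    port: str
    vlan: int


@dataclass
class ArpPacket:
    sender_ip: str
    sender_mac: str
    in_port: str
    vlan: int


class EntryFixer:
    def __init__(self, mode, probe=None):
        # arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable
        if mode not in ("fixed-mac", "fixed-all", "send-ack"):
            raise ValueError(mode)
        self.mode = mode
        # probe(ip, old_mac) -> True if the host currently owning the entry still
        # answers a unicast ARP Request (send-ack mode only)
        self.probe = probe or (lambda ip, mac: False)
        self.table = {}

    def update(self, pkt):
        """Returns "learned", "refreshed", "updated" or "discarded"."""
        old = self.table.get(pkt.sender_ip)
        new = ArpEntry(pkt.sender_mac, pkt.in_port, pkt.vlan)
        if old is None:
            self.table[pkt.sender_ip] = new
            return "learned"
        if old == new:
            return "refreshed"               # all three fields match: nothing to fix
        if self.mode == "fixed-mac":
            if pkt.sender_mac != old.mac:
                return "discarded"           # the MAC may not change ...
            self.table[pkt.sender_ip] = new  # ... but the same MAC may move
            return "updated"
        if self.mode == "fixed-all":
            return "discarded"               # MAC, interface and VLAN are all pinned
        # send-ack: do not update yet; ask the current owner first
        if self.probe(pkt.sender_ip, old.mac):
            return "discarded"               # original owner still answers: keep the entry
        self.table[pkt.sender_ip] = new
        return "updated"


def spoof_attempt(mode, owner_answers):
    """Victim 10.0.0.10 is learned first; an attacker on another interface then
    claims the same IP with its own MAC.  Returns the MAC left in the table."""
    fixer = EntryFixer(mode, probe=lambda ip, mac: owner_answers)
    fixer.update(ArpPacket("10.0.0.10", "00aa-0000-0010", "10GE1/0/1", 10))
    fixer.update(ArpPacket("10.0.0.10", "00bb-0000-0bad", "10GE1/0/2", 10))
    return fixer.table["10.0.0.10"].mac


def roaming_user(mode):
    """The same MAC shows up on a different interface (the user moved and the
    old location no longer answers).  Returns the interface now recorded."""
    fixer = EntryFixer(mode, probe=lambda ip, mac: False)
    fixer.update(ArpPacket("10.0.0.20", "00aa-0000-0020", "10GE1/0/1", 10))
    fixer.update(ArpPacket("10.0.0.20", "00aa-0000-0020", "10GE1/0/5", 10))
    return fixer.table["10.0.0.20"].port
```

fixed-all blocks the spoof but also pins a roaming user to the old interface; fixed-mac follows the user but still rejects a MAC change; send-ack accepts a change only when the current owner stops answering, which is why it fits networks where both addresses and locations change.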

Configuring DAI

Context

To prevent man-in-the-middle (MITM) attacks and theft of authorized users' information, enable DAI on an access device. When the device receives an ARP packet, it compares the source IP address, source MAC address, and interface number of the ARP packet with the binding entries. If the ARP packet matches a binding entry, the device considers the packet valid and allows it to pass. If the ARP packet matches no binding entry, the device considers the packet invalid and discards it.

NOTE:

This function is available only for DHCP snooping scenarios. The device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you need to manually configure a static binding entry for the user. For details about the DHCP snooping configuration, see DHCP Snooping Configuration. For details on how to configure a static binding entry, see Configuring a Binding Table.

If protocol packet transparent transmission in a VLAN is enabled together with DAI, transparent transmission does not take effect.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vlan vlan-id

    The VLAN view is displayed.

  3. Run:

    arp anti-attack check user-bind enable

    DAI is enabled.

    By default, DAI is disabled.

  4. (Optional) Run:

    arp anti-attack check user-bind check-item { ip-address | mac-address | interface }*

    Check items for checking of ARP packets based on binding entries are configured.

    By default, the check items consist of IP address, MAC address, and interface number.

    To allow some special ARP packets that match only one or two items in binding entries to pass through, configure the device to check ARP packets according to one or two specified items in binding entries.

    NOTE:

    The check items configured for ARP packet check based on binding entries do not apply to hosts that have static binding entries. ARP packets from these hosts are checked against all items in their static binding entries.

  5. Run:

    commit

    The configuration is committed.
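The following Python model is an added example, not part of this guide or of the switch software. It reproduces the DAI check described above: an ARP packet received in a DAI-enabled VLAN must match a binding entry on the configured check items, while hosts with static binding entries are always checked on all three items. The bindings and packets are constructed; on the device the dynamic entries come from DHCP snooping.

```python
"""Model of the DAI binding check described above.  Added example, not
switch code.  Bindings and packets are constructed."""
from dataclasses import dataclass

ALL_ITEMS = ("ip-address", "mac-address", "interface")


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str
    vlan: int
    static: bool = False   # True for a manually configured static binding entry


@dataclass
class ArpPacket:
    sender_ip: str
    sender_mac: str
    in_port: str
    vlan: int


class Dai:
    def __init__(self, bindings, vlans=(), check_items=ALL_ITEMS):
        self.bindings = list(bindings)
        self.vlans = set(vlans)          # VLANs with: arp anti-attack check user-bind enable
        self.items = tuple(check_items)  # arp anti-attack check user-bind check-item ...

    @staticmethod
    def _matches(b, pkt, items):
        return (("ip-address" not in items or b.ip == pkt.sender_ip) and
                ("mac-address" not in items or b.mac == pkt.sender_mac) and
                ("interface" not in items or b.port == pkt.in_port))

    def check(self, pkt):
        """Returns "pass" or "drop"."""
        if pkt.vlan not in self.vlans:
            return "pass"                # DAI not enabled in this VLAN
        for b in self.bindings:
            if b.vlan != pkt.vlan:
                continue
            # Static bindings ignore the check-item setting: all items must match.
            items = ALL_ITEMS if b.static else self.items
            if self._matches(b, pkt, items):
                return "pass"
        return "drop"


# Constructed binding table for VLAN 10: one DHCP snooping entry, one static entry.
BINDINGS = [
    Binding("10.0.0.10", "00aa-0000-0010", "10GE1/0/1", 10),
    Binding("10.0.0.50", "00aa-0000-0050", "10GE1/0/5", 10, static=True),
]


def legit_user(dai):
    return dai.check(ArpPacket("10.0.0.10", "00aa-0000-0010", "10GE1/0/1", 10))


def mitm_attempt(dai):
    """Attacker on 10GE1/0/2 claims the DHCP user's IP with its own MAC."""
    return dai.check(ArpPacket("10.0.0.10", "00bb-0000-0bad", "10GE1/0/2", 10))


def static_host_spoof(dai):
    """Attacker on 10GE1/0/2 claims the statically bound IP."""
    return dai.check(ArpPacket("10.0.0.50", "00bb-0000-0bad", "10GE1/0/2", 10))


def unknown_host(dai):
    """A host with no binding at all (for example a static IP never registered)."""
    return dai.check(ArpPacket("10.0.0.99", "00dd-0000-0099", "10GE1/0/9", 10))
```

Note the effect of reducing the check items: with check-item ip-address alone, the attacker's packet claiming a DHCP user's IP address from another interface with another MAC address passes, so narrow the check items only when the special ARP packets mentioned above actually require it. The static host stays protected because its entry is always checked in full.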

Configuring Gratuitous ARP Packet Discarding

Context

Gratuitous ARP packet discarding also defends against ARP spoofing, because a bogus gratuitous ARP packet that the device processes updates ARP entries incorrectly. The context, the precedence between the system view and interface view, and the procedure are the same as in Configuring Gratuitous ARP Packet Discarding under Configuring Defense Against ARP Flood Attacks: run arp anti-attack gratuitous-arp drop in the system view or in the interface view, then run commit.

    4. Run:

      arp anti-attack gratuitous-arp drop

      Gratuitous ARP packet discarding is enabled.

      By default, gratuitous ARP packet discarding is disabled.

    5. Run:

      commit

      The configuration is committed.

Configuring MAC Address Consistency Check in an ARP Packet

Context

The MAC address consistency check function for ARP packets defends against attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header. This function is usually configured on gateways.

This function enables the gateway to check the MAC address consistency in an ARP packet before ARP learning. If the source and destination MAC addresses in an ARP packet are different from those in the Ethernet frame header, the device discards the packet as an attack. If the source and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame header, the device performs ARP learning.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configure MAC address consistency check in an ARP packet, in the system view or in the interface view.

    • In the system view:

      Run:

      arp validate source-mac

      MAC address consistency check in an ARP packet is globally enabled. This function compares the source MAC addresses in ARP packets with those in the Ethernet frame header.

      By default, MAC address consistency check in an ARP packet is disabled.

    • In the interface view:

      1. Run:

        interface interface-type interface-number

        The interface view is displayed.

        NOTE:

        You need to perform the next step only when you need to enter the Layer 3 interface view.

      2. On an Ethernet interface, run:

        undo portswitch

        The interface is switched to Layer 3 mode.

        By default, an Ethernet interface works in Layer 2 mode.

        If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

        NOTE:

        If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

      3. Run:

        arp validate { source-mac | destination-mac }*

        MAC address consistency check in an ARP packet is enabled. This function compares the source and destination MAC addresses in ARP packets with those in the Ethernet frame header.

        By default, MAC address consistency check in an ARP packet is disabled.

        NOTE:

        VLANIF interfaces do not support the arp validate { source-mac | destination-mac }* command. When receiving ARP packets, a VLANIF interface checks MAC address consistency based on the rule configured on the member interface.

  3. Run:

    commit

    The configuration is committed.
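The following is an added example, not code from this guide or from the switch software. It builds raw Ethernet/ARP frames and applies, in Python, the two checks described in the preceding two sections: gratuitous ARP packet discarding (sender IP equal to target IP) and MAC address consistency (ARP sender hardware address against the Ethernet source MAC, ARP target hardware address against the Ethernet destination MAC). The addresses are constructed for the example, and the decision to apply the destination-mac comparison only to Reply packets is an assumption made here, because a broadcast Request carries a zero target hardware address in a frame addressed to ff:ff:ff:ff:ff:ff.

```python
"""Added example (not Huawei code): build and inspect raw ARP frames the way a
gateway applying 'arp anti-attack gratuitous-arp drop' and
'arp validate { source-mac | destination-mac }*' would. Addresses and the
exact order of the checks are assumptions for this example.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def ipv4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_arp_frame(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header + 28-byte ARP body for IPv4 over Ethernet."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += mac(sha) + ipv4(spa) + mac(tha) + ipv4(tpa)
    return eth + body


def parse_arp_frame(frame: bytes) -> dict:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not an ARP frame: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    return {
        "eth_dst": eth_dst, "eth_src": eth_src, "op": op,
        "sha": frame[22:28], "spa": frame[28:32],
        "tha": frame[32:38], "tpa": frame[38:42],
    }


def is_gratuitous(pkt: dict) -> bool:
    """A gratuitous ARP announces the sender's own mapping: sender IP == target IP."""
    return pkt["spa"] == pkt["tpa"]


def mac_consistent(pkt: dict, source_mac=True, destination_mac=False) -> bool:
    """source-mac: ARP sender hardware address must equal the Ethernet source MAC.
    destination-mac: ARP target hardware address must equal the Ethernet
    destination MAC. Assumption made here: applied to Replies only, since a
    broadcast Request carries a zero target address in a frame sent to ff:ff:ff:ff:ff:ff.
    """
    if source_mac and pkt["sha"] != pkt["eth_src"]:
        return False
    if destination_mac and pkt["op"] == ARP_REPLY and pkt["tha"] != pkt["eth_dst"]:
        return False
    return True


def gateway_verdict(frame, drop_gratuitous=True, source_mac=True, destination_mac=False):
    """Return (accepted, reason) for a frame received on the gateway interface."""
    try:
        pkt = parse_arp_frame(frame)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if drop_gratuitous and is_gratuitous(pkt):
        return False, "gratuitous ARP dropped"
    if not mac_consistent(pkt, source_mac, destination_mac):
        return False, "MAC address inconsistency"
    return True, "accepted for ARP learning"


# Constructed sample frames; gateway is 10.1.1.1 / 001e-10aa-0001, host is 10.1.1.10.
GW_MAC, GW_IP = "001e-10aa-0001", "10.1.1.1"
HOST_MAC, HOST_IP = "001e-10aa-bbcc", "10.1.1.10"
ATTACKER_MAC = "0000-0000-bad1"

LEGIT_REPLY = build_arp_frame(GW_MAC, HOST_MAC, ARP_REPLY, HOST_MAC, HOST_IP, GW_MAC, GW_IP)
# Attacker's NIC sends the frame, but the ARP body claims the host's MAC.
SPOOFED_REPLY = build_arp_frame(GW_MAC, ATTACKER_MAC, ARP_REPLY, HOST_MAC, HOST_IP, GW_MAC, GW_IP)
# Gratuitous Request: attacker announces itself as 10.1.1.10 to everyone.
GRATUITOUS = build_arp_frame("ff:ff:ff:ff:ff:ff", ATTACKER_MAC, ARP_REQUEST,
                             ATTACKER_MAC, HOST_IP, "00:00:00:00:00:00", HOST_IP)
# Reply whose ARP target MAC does not match the frame's destination MAC.
BAD_TARGET = build_arp_frame(GW_MAC, HOST_MAC, ARP_REPLY, HOST_MAC, HOST_IP, ATTACKER_MAC, GW_IP)

if __name__ == "__main__":
    for name, f in [("legit", LEGIT_REPLY), ("spoofed", SPOOFED_REPLY),
                    ("gratuitous", GRATUITOUS), ("bad-target", BAD_TARGET)]:
        print(name, gateway_verdict(f, destination_mac=True))
```

Note the limitation the gratuitous frame shows: its sender hardware address matches the Ethernet source MAC, so the consistency check alone accepts it; only gratuitous ARP discarding (or DAI against a binding table) stops that announcement. Conversely, a consistent gratuitous ARP from a legitimate host is dropped as well, which is why the guide warns against enabling the drop on a network-side interface.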

Configuring Strict ARP Learning

Context

If many users send a large number of ARP packets to a device at the same time, or attackers send bogus ARP packets to the device, the following problems occur:
  • Many CPU resources are consumed to process a large number of ARP packets. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, configure strict ARP learning on the gateway. With this function, the device learns ARP entries only from ARP Reply packets that answer ARP Request packets the device itself sent; unsolicited ARP packets from other hosts do not create or modify entries. In this way, the device can defend against most ARP attacks.

Strict ARP learning can be configured globally or in the interface view.

  • If strict ARP learning is enabled globally, all interfaces on the device learn ARP entries strictly.
  • If strict ARP learning is enabled in the interface view, only the interface learns ARP entries strictly.

When strict ARP learning is enabled globally and in the interface view simultaneously, the configuration on the interface takes precedence over the global configuration.

NOTE:
When strict ARP learning is enabled globally:
  • If you run the arp learning strict force-disable command on a specified interface, strict ARP learning is forced to be disabled on the interface.
  • If you run the arp learning strict trust command on a specified interface, strict ARP learning configured globally takes effect on the interface.

Procedure

  • Configuring strict ARP learning globally
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      arp learning strict

      Strict ARP learning is enabled globally.

      By default, strict ARP learning is disabled.

    3. Run:

      commit

      The configuration is committed.

  • Configuring strict ARP learning on the interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      arp learning strict { force-enable | force-disable | trust }

      Strict ARP learning on the interface is configured: force-enable enables it regardless of the global setting, force-disable disables it regardless of the global setting, and trust makes the interface follow the global configuration.

      By default, strict ARP learning is disabled on the interface.

    5. Run:

      commit

      The configuration is committed.
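The following is an added example, not code from this guide or from the switch software: a Python model of how strict ARP learning changes which packets may create or update a gateway's ARP entries. The non-strict behaviour is deliberately simplified (the sender mapping of any ARP packet is learned), and the host addresses are constructed for the example.

```python
"""Added example (not Huawei code): a small model of how strict ARP learning
changes which packets may create or update a gateway's ARP entries. The
non-strict behaviour is simplified (any ARP packet's sender mapping is
learned); host addresses are constructed for the example.
"""
ARP_REQUEST, ARP_REPLY = 1, 2


class ArpLearner:
    def __init__(self, strict: bool):
        self.strict = strict
        self.table = {}        # ip -> mac, the device's own ARP cache
        self.pending = set()   # target IPs of Requests this device sent, not yet answered

    def send_request(self, target_ip: str) -> None:
        """The device itself resolves target_ip (e.g. before forwarding traffic to it)."""
        self.pending.add(target_ip)

    def receive(self, op: int, sender_ip: str, sender_mac: str) -> bool:
        """Process a received ARP packet; return True if the ARP table changed."""
        if self.strict:
            # Strict learning: only a Reply that answers our own Request is learned.
            if op != ARP_REPLY or sender_ip not in self.pending:
                return False
            self.pending.discard(sender_ip)
        self.table[sender_ip] = sender_mac
        return True


def run_scenario(strict: bool) -> dict:
    """Legitimate resolution of 10.1.1.10, then an attacker tries to poison it."""
    gw = ArpLearner(strict)
    gw.send_request("10.1.1.10")
    gw.receive(ARP_REPLY, "10.1.1.10", "001e-10aa-bbcc")     # answers our Request
    gw.receive(ARP_REPLY, "10.1.1.10", "0000-0000-bad1")     # unsolicited bogus Reply
    gw.receive(ARP_REQUEST, "10.1.1.30", "0000-0000-bad2")   # Request from an unknown host
    return dict(gw.table)


if __name__ == "__main__":
    print("normal learning:", run_scenario(strict=False))
    print("strict learning:", run_scenario(strict=True))
```

The model also shows what strict learning does not cover: a Reply that arrives while the device's own Request is still outstanding is accepted whoever sent it, so an attacker who answers faster than the real host can still plant an entry. Where a DHCP snooping binding table exists, combine strict learning with DAI on the access devices.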

Checking the Configuration

Procedure

  • Run the display arp anti-attack { rate-limit | entry-check } command to check the ARP anti-attack configuration.

  • Run the display arp learning strict command to check strict ARP learning globally and on all interfaces.
Updated: 2019-08-09

Document ID: EDOC1000041694