S1720, S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Common Operation Guide

This document describes the CLI-based configurations of universal protocols and common features for Huawei switches on basic networks.
Configuring Dynamic ARP Probing

Dynamic ARP inspection (DAI) is used to prevent man-in-the-middle (MITM) attacks. If DAI is not configured, the ARP entries of authorized users on the device may be updated by forged ARP packets sent by attackers.

DAI checks ARP packets against binding tables (dynamic and static DHCP binding tables).

When receiving an ARP packet, the device compares the source IP address, source MAC address, interface, and VLAN in the ARP packet with the information in the binding table. You can configure the parameters to be compared, for example, the source IP address and VLAN.
  • If the parameters match the table information, the user is authorized and the device allows the ARP packet to pass through.
  • If the parameters do not match the table information, the device treats the packet as an attack packet and discards it.
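
The following Python sketch is an added illustration of the comparison described above; it is not Huawei code and does not reproduce the switch implementation. The names Binding, ArpPacket, dai_verdict and TABLE, the sample MAC addresses and the host 10.10.10.20 are constructed, and treating a field that a binding entry does not record as "not compared" is an assumption of this model.

```python
# Added illustration: a simplified model of the DAI binding-table check.
# It is not switch firmware; entries and packets below are constructed samples.
from dataclasses import dataclass
from typing import Optional

CHECK_ITEMS = ("ip", "mac", "vlan", "interface")


@dataclass(frozen=True)
class Binding:
    ip: str
    vlan: int
    mac: Optional[str] = None        # None = field not recorded in the entry
    interface: Optional[str] = None


@dataclass(frozen=True)
class ArpPacket:
    ip: str          # source IP address in the ARP packet
    mac: str         # source MAC address in the ARP packet
    vlan: int
    interface: str   # interface the packet arrived on


def matches(entry, pkt, check_items):
    """True if every compared field recorded in the entry equals the packet's."""
    for item in check_items:
        want = getattr(entry, item)
        # Assumption: a field absent from a binding entry is not compared.
        if want is not None and want != getattr(pkt, item):
            return False
    return True


def dai_verdict(table, pkt, check_items=CHECK_ITEMS):
    """Return 'forward' if any binding entry matches, otherwise 'discard'."""
    unknown = set(check_items) - set(CHECK_ITEMS)
    if unknown:
        raise ValueError(f"unknown check items: {sorted(unknown)}")
    return "forward" if any(matches(e, pkt, check_items) for e in table) else "discard"


# Constructed binding table: one DHCP-learned entry and a static entry
# holding only an IP address and VLAN (10.10.10.1 in VLAN 100).
TABLE = [
    Binding("10.10.10.20", 100, "00e0-fc12-3456", "GE1/0/1"),
    Binding("10.10.10.1", 100),
]
```

In this model, a host with a static IP address and no binding entry is discarded, and comparing only the source IP address and VLAN lets a packet with a mismatched source MAC address pass, so a narrower set of compared parameters means a weaker check.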

# Configure DHCP snooping on the device and enable DAI on the interface connecting the device to the user side.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] dhcp snooping enable //Enable DHCP snooping on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit
[HUAWEI] interface gigabitethernet 1/0/2
[HUAWEI-GigabitEthernet1/0/2] dhcp snooping trusted //Configure the interface connecting the device to the DHCP server as a trusted interface. If DHCP snooping is deployed on the DHCP relay device, the trusted interface configuration is optional.
[HUAWEI-GigabitEthernet1/0/2] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure the static binding table on the device for the users configured with static IP addresses.
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable DAI on the interface connecting the device to the user side.
[HUAWEI-GigabitEthernet1/0/1] quit

# Configure DHCP snooping on the device and enable DAI in the user-side VLAN.

<HUAWEI> system-view
[HUAWEI] dhcp enable
[HUAWEI] dhcp snooping enable ipv4
[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp snooping enable //Enable DHCP snooping in the VLAN that the user device belongs to.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] dhcp snooping enable
[HUAWEI-vlan200] dhcp snooping trusted interface gigabitethernet 1/0/2 //Configure the interface connecting the device to the DHCP server as a trusted interface. If DHCP snooping is deployed on the DHCP relay device, the trusted interface configuration is optional.
[HUAWEI-vlan200] quit
[HUAWEI] user-bind static ip-address 10.10.10.1 vlan 100 //Configure the static binding table on the device for the users configured with static IP addresses.
[HUAWEI] vlan 100
[HUAWEI-vlan100] arp anti-attack check user-bind enable //Enable DAI in the user-side VLAN.
[HUAWEI-vlan100] quit
Updated: 2018-09-03

Document ID: EDOC1000057410
