Typical ARP Security Configuration
Example for Configuring ARP Security Functions
Overview of ARP Security
Address Resolution Protocol (ARP) security protects network devices against ARP attacks by learning ARP entries, limiting ARP packet rate, and checking ARP packets. In addition to preventing ARP protocol attacks, ARP security also prevents ARP-based network scanning attacks.
When user hosts directly connect to the gateway, the attacker forges an ARP packet of the gateway and sends the ARP packet to user hosts. The user hosts then consider that the attacker's device is the gateway, and record incorrect gateway address mappings into their ARP tables. Then the traffic destined for the gateway is received by the attacker. In this way, the attacker intercepts the data sent by user hosts.
When a user host sends a large number of IP packets with unresolvable destination IP addresses to the device (the routing table contains routing entries matching the destination IP addresses, but the device has no ARP entries for the next-hop addresses of those routes), the device generates a large number of ARP Miss packets. The IP packets that trigger ARP Miss packets are sent to the CPU for processing. As a result, the device generates and delivers many temporary ARP entries based on the ARP Miss packets and sends a large number of ARP Request packets to the destination network. This increases the CPU usage of the device and consumes considerable bandwidth on the destination network.
The device receives a large number of ARP attack packets and needs to process all of them. As a result, the device's CPU may be overloaded and cannot process other services.
To prevent the first attack, configure ARP gateway anti-collision to prevent attackers from forging a gateway to intercept user host information.
To prevent the second attack, configure ARP Miss packet rate limiting to reduce the CPU load and protect bandwidth on the destination network.
To prevent the third attack, configure ARP packet rate limiting to protect CPU resources.
Configuration Notes
- This example applies to all modular switches and versions.
- This example applies to the following fixed-configuration switches:
- S3700-HI
- S5710-EI, S5720-EI, S5700-HI, S5710-HI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H
- S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S, S6735-S
For the product models whose applicable versions are not listed above, see Table 1 in "Applicable Products and Versions" for details.
For details about software mappings, visit Hardware Center and select the desired product model.
The S5731-L and S5731S-L are remote units and do not support web-based management, YANG, or commands. They can be configured only through configuration delivery by the central device. For details, see "Simplified Architecture Configuration (the Solar System Solution)" in the S300, S500, S2700, S5700, and S6700 V200R023C00 Configuration Guide - Device Management.
Networking Requirements
- The attacker sends an ARP packet from a forged gateway to the switch, so user hosts consider that the attacker's device is the gateway. As a result, traffic destined for the real gateway from user hosts is received by the attacker, and the attacker intercepts data from user hosts.
- Attackers send a large number of IP packets with unresolvable destination IP addresses to the switch, leading to CPU overload.
- User1 sends a large number of ARP packets with fixed MAC addresses but variable source IP addresses to the switch. As a result, the CPU of the switch is busy, affecting normal service processing.
- User3 sends a large number of ARP packets with fixed source IP addresses to the switch. As a result, the CPU of the switch is busy, affecting normal service processing.
Configuration Roadmap
- Configure ARP gateway anti-collision to prevent attackers from forging a gateway to intercept user host information.
- Configure rate limiting on ARP Miss packets based on source IP addresses. This function defends against the ARP flood caused by ARP Miss packets (triggered by a large number of IP packets with unresolvable IP addresses). In addition, ensure that the switch can process a large number of ARP Miss packets from the server to prevent network communication failures caused by discarding of such packets.
- Configure ARP rate limiting based on source MAC addresses to prevent User1 from sending a large number of ARP packets with variable source IP addresses and a fixed source MAC address to launch an ARP flood attack, which keeps the switch's CPU busy.
- Configure ARP rate limiting based on source IP addresses to prevent User3 from sending a large number of ARP packets with a fixed source IP address to launch an ARP flood attack, which keeps the switch's CPU busy.
Procedure
- Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.
# Create VLAN 10, VLAN 20, VLAN 30, and add GE1/0/1 to VLAN 10, GE1/0/2 to VLAN 20, and GE1/0/3 to VLAN 30.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 30
[Switch-GigabitEthernet1/0/3] quit
# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.8.8.4 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.9.9.4 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.10.10.3 24
[Switch-Vlanif30] quit
- Configure ARP gateway anti-collision.
[Switch] arp anti-attack gateway-duplicate enable //Configure ARP gateway anti-collision.
- Configure rate limiting on ARP Miss packets based on source IP addresses.
# Set the maximum rate of ARP Miss packets triggered by the server (IP address 10.10.10.2) to 40 pps, and set the maximum rate of ARP Miss packets triggered by other user hosts to 20 pps.
[Switch] arp-miss speed-limit source-ip maximum 20 //Set the default ARP Miss rate limit per source IP address (applies to hosts without a specific entry).
[Switch] arp-miss speed-limit source-ip 10.10.10.2 maximum 40 //Set a higher ARP Miss rate limit for the server at 10.10.10.2.
- Configure rate limiting on ARP packets based on source MAC addresses.
# Set the maximum rate of ARP packets from User1 with the source MAC address 0001-0001-0001 to 10 pps.
[Switch] arp speed-limit source-mac 0001-0001-0001 maximum 10 //Configure rate limiting on ARP packets based on source MAC addresses.
- Configure rate limiting on ARP packets based on source IP addresses.
# Set the maximum rate of ARP packets from User3 with the source IP address 10.9.9.2 to 10 pps.
[Switch] arp speed-limit source-ip 10.9.9.2 maximum 10 //Configure rate limiting on ARP packets based on source IP addresses.
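The following Python model, added here as an illustration and not Huawei's code, replays the three functions configured in the steps above (gateway anti-collision, ARP Miss rate limiting per source IP, and ARP rate limiting per source MAC and per source IP) against constructed traffic that matches the four networking requirements. The limits and addresses are those of this example; the gateway MAC addresses, the traffic, and the sliding one-second window used to enforce a pps limit are assumptions, not a description of how the switch implements the feature.

```python
"""Model of the ARP security functions configured above (added example,
not Huawei code). Limits/addresses come from the example; gateway MACs,
traffic and the one-second sliding window are assumptions."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    src_ip: str
    src_mac: str
    vlan: int
    ts: float  # arrival time in seconds


class PerSourceRateLimiter:
    """Packets-per-second limit per key, with a default for unlisted keys.
    A limit of 0 means 'function disabled', as in the display output."""

    def __init__(self, default_pps, specific=None):
        self.default_pps = default_pps
        self.specific = dict(specific or {})
        self._windows = defaultdict(deque)  # key -> arrival times in last second

    def limit_for(self, key):
        return self.specific.get(key, self.default_pps)

    def allow(self, key, ts):
        limit = self.limit_for(key)
        if limit == 0:
            return True
        win = self._windows[key]
        while win and ts - win[0] >= 1.0:  # forget arrivals older than 1 s
            win.popleft()
        if len(win) >= limit:
            return False
        win.append(ts)
        return True


class ArpSecurity:
    def __init__(self, gateways, arp_miss_limit, arp_mac_limit, arp_ip_limit):
        self.gateways = gateways  # (vlan, gateway IP) -> MAC of this device's VLANIF
        self.arp_miss_limit = arp_miss_limit
        self.arp_mac_limit = arp_mac_limit
        self.arp_ip_limit = arp_ip_limit
        self.stats = Counter()

    def check_arp(self, pkt):
        """Verdict for one received ARP packet; counters are updated."""
        # Gateway anti-collision: the gateway's IP with a foreign MAC is a forgery.
        gw_mac = self.gateways.get((pkt.vlan, pkt.src_ip))
        if gw_mac is not None and pkt.src_mac.lower() != gw_mac.lower():
            self.stats["gateway_collision"] += 1
            return "drop: gateway collision"
        if not self.arp_mac_limit.allow(pkt.src_mac.lower(), pkt.ts):
            self.stats["speedlimit_mac"] += 1
            return "drop: source-mac speed-limit"
        if not self.arp_ip_limit.allow(pkt.src_ip, pkt.ts):
            self.stats["speedlimit_ip"] += 1
            return "drop: source-ip speed-limit"
        self.stats["accepted"] += 1
        return "accept"

    def arp_miss(self, src_ip, ts):
        """Handle an ARP Miss event triggered by an IP packet from src_ip."""
        if not self.arp_miss_limit.allow(src_ip, ts):
            self.stats["arp_miss_speedlimit"] += 1
            return "drop: arp-miss speed-limit"
        self.stats["arp_miss_accepted"] += 1
        return "accept"


def build_switch():
    """Limits from the configuration steps; 'Others' values from the display output."""
    return ArpSecurity(
        gateways={(10, "10.8.8.4"): "00e0-fc00-0010",    # VLANIF IPs from the example,
                  (20, "10.9.9.4"): "00e0-fc00-0020",    # MAC addresses constructed
                  (30, "10.10.10.3"): "00e0-fc00-0030"},
        arp_miss_limit=PerSourceRateLimiter(20, {"10.10.10.2": 40}),
        arp_mac_limit=PerSourceRateLimiter(0, {"0001-0001-0001": 10}),
        arp_ip_limit=PerSourceRateLimiter(30, {"10.9.9.2": 10}),
    )


def run_demo():
    """Replay constructed traffic for the four attacks in the requirements."""
    sw = build_switch()
    # User1: 25 ARP packets within a second, fixed MAC, varying source IP.
    for i in range(25):
        sw.check_arp(ArpPacket(f"10.8.8.{100 + i}", "0001-0001-0001", 10, 0.01 * i))
    # User3: 15 ARP packets within a second from the fixed source IP 10.9.9.2.
    for i in range(15):
        sw.check_arp(ArpPacket("10.9.9.2", "0002-0002-0002", 20, 0.01 * i))
    # Forged gateway: an attacker claims 10.8.8.4 with its own MAC.
    sw.check_arp(ArpPacket("10.8.8.4", "0003-0003-0003", 10, 0.5))
    # ARP Miss: the server exceeds its 40 pps, another host exceeds the default 20 pps.
    for i in range(45):
        sw.arp_miss("10.10.10.2", 0.01 * i)
    for i in range(25):
        sw.arp_miss("10.10.10.50", 0.01 * i)
    return dict(sw.stats)
```

Calling `run_demo()` returns the per-verdict counters: 10 of User1's packets and 10 of User3's are accepted, the rest are dropped by the MAC and IP limits respectively, the forged gateway packet is dropped outright, and ARP Miss events beyond 40 pps (server) or 20 pps (others) are discarded. The gateway check runs before the rate limiters so that a forgery is never "accepted" simply because it arrives slowly.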
- Verify the configuration.
# Run the display arp anti-attack configuration all command to check the configuration of ARP anti-attack.
[Switch] display arp anti-attack configuration all
......
ARP anti-attack entry-check mode:
Vlanif         Mode
-------------------------------------------------------------------------------
All            disabled
-------------------------------------------------------------------------------

ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------

ARP miss rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------

ARP speed-limit for source-MAC configuration:
MAC-address       suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
0001-0001-0001    10
Others            0
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 1, spec is 1024.

ARP speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.9.9.2          10
Others            30
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 1024.

ARP miss speed-limit for source-IP configuration:
IP-address        suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.10.10.2/32     40
Others            20
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 1024.
# Run the display arp packet statistics command to check statistics on ARP packets.
[Switch] display arp packet statistics
ARP Pkt Received:                         sum 8678904
ARP-Miss Msg Received:                    sum 183
ARP Learnt Count:                         sum 37
ARP Pkt Discard For Limit:                sum 146
ARP Pkt Discard For SpeedLimit:           sum 40529
ARP Pkt Discard For Proxy Suppress:       sum 0
ARP Pkt Discard For Other:                sum 8367601
ARP-Miss Msg Discard For SpeedLimit:      sum 20
ARP-Miss Msg Discard For Other:           sum 104
In the preceding command output, the ARP Pkt Discard For SpeedLimit and ARP-Miss Msg Discard For SpeedLimit counters show the numbers of ARP packets and ARP Miss packets that the switch has discarded, indicating that the ARP security functions have taken effect.
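Because the counters above only ever grow, a single reading says that limits have fired at some point, while two readings taken some time apart say whether a flood is happening now. The Python script below, added here as an illustration and not Huawei's code, parses the `display arp packet statistics` output shown above, computes the overall discard ratio, and compares two readings to flag SpeedLimit counters that are still climbing. SAMPLE_NOW is the output from this page; SAMPLE_EARLIER is a constructed earlier reading of the same counters, and the polling interval and alert threshold are assumptions chosen for the example.

```python
"""Parse 'display arp packet statistics' and watch the discard counters.
Added example, not Huawei code. SAMPLE_NOW is the output shown on this page;
SAMPLE_EARLIER is a constructed earlier reading of the same counters."""
import re

SAMPLE_NOW = """\
ARP Pkt Received:                         sum 8678904
ARP-Miss Msg Received:                    sum 183
ARP Learnt Count:                         sum 37
ARP Pkt Discard For Limit:                sum 146
ARP Pkt Discard For SpeedLimit:           sum 40529
ARP Pkt Discard For Proxy Suppress:       sum 0
ARP Pkt Discard For Other:                sum 8367601
ARP-Miss Msg Discard For SpeedLimit:      sum 20
ARP-Miss Msg Discard For Other:           sum 104
"""

# Constructed earlier reading (same counter names, lower values).
SAMPLE_EARLIER = """\
ARP Pkt Received:                         sum 8600000
ARP-Miss Msg Received:                    sum 180
ARP Learnt Count:                         sum 37
ARP Pkt Discard For Limit:                sum 140
ARP Pkt Discard For SpeedLimit:           sum 40000
ARP Pkt Discard For Proxy Suppress:       sum 0
ARP Pkt Discard For Other:                sum 8300000
ARP-Miss Msg Discard For SpeedLimit:      sum 20
ARP-Miss Msg Discard For Other:           sum 104
"""

# One counter per line: "<name>: sum <value>"
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z -]*?):\s+sum\s+(?P<value>\d+)\s*$")


def parse_arp_statistics(text):
    """Return {counter name: value} for every 'name: sum N' line in the output."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats[m.group("name").strip()] = int(m.group("value"))
    return stats


def discard_ratio(stats):
    """Fraction of received ARP packets the switch discarded for any reason."""
    received = stats.get("ARP Pkt Received", 0)
    dropped = sum(v for k, v in stats.items() if k.startswith("ARP Pkt Discard"))
    return dropped / received if received else 0.0


def counter_delta(earlier, now):
    """Growth of each counter between two readings (the counters only increase)."""
    return {k: now[k] - earlier.get(k, 0) for k in now}


def speed_limit_alerts(earlier, now, threshold):
    """SpeedLimit counters that grew by more than threshold between readings:
    the rate limits are actively dropping traffic, so a flood is in progress."""
    growth = counter_delta(earlier, now)
    return {k: v for k, v in growth.items() if "SpeedLimit" in k and v > threshold}
```

In use, a monitoring job would capture the command output on each poll and call `speed_limit_alerts(parse_arp_statistics(previous), parse_arp_statistics(current), threshold)`; the threshold should be set from the polling interval and the configured pps limits so that steady-state background drops do not raise alerts.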
Configuration File
# Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
arp-miss speed-limit source-ip 10.10.10.2 maximum 40
arp speed-limit source-ip 10.9.9.2 maximum 10
arp speed-limit source-mac 0001-0001-0001 maximum 10
arp anti-attack gateway-duplicate enable
#
arp-miss speed-limit source-ip maximum 20
#
interface Vlanif10
 ip address 10.8.8.4 255.255.255.0
#
interface Vlanif20
 ip address 10.9.9.4 255.255.255.0
#
interface Vlanif30
 ip address 10.10.10.3 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
return
Example for Configuring Defense Against ARP MITM Attacks
DAI Overview
Address Resolution Protocol (ARP) security protects network devices against ARP attacks by learning ARP entries, limiting ARP packet rate, and checking ARP packets. In addition to preventing ARP protocol attacks, ARP security also prevents ARP-based network scanning attacks.
A man-in-the-middle (MITM) attack is a frequently launched ARP attack. The attacker places itself as the "man in the middle" between two communicating hosts and intercepts the data exchanged between them.
To defend against MITM attacks, deploy dynamic ARP inspection (DAI) on the device.
DAI defends against MITM attacks using binding entries. When a device receives an ARP packet, it compares the source IP address, source MAC address, interface information, and VLAN ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.
The device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you need to manually configure a static binding entry for the user.
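The binding-table check described in the two paragraphs above can be modelled in a few lines. The following Python is an added example, not Huawei's code: it fills a binding table the two ways the text describes (an entry recorded when a DHCP client obtains a lease, which is what DHCP snooping does on the switch, and a static entry for a host with a fixed address) and then checks each ARP packet's source IP, source MAC, inbound interface and VLAN against that table on the interfaces where DAI is enabled. UserC's static binding is the one configured later in this example; the DHCP lease for UserA, the spoofed packets and the uplink packet are constructed.

```python
"""Binding-table check performed by dynamic ARP inspection (DAI).
Added example, not Huawei code. UserC's static binding is from this example;
UserA's DHCP lease and the test packets are constructed."""
import re
from dataclasses import dataclass


def normalize_mac(mac):
    """Accept 00e0-fc12-3456, 00:e0:fc:12:34:56 or 00E0FC123456."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str        # normalized, 12 hex digits
    interface: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    interface: str  # port the packet arrived on
    vlan: int


class BindingTable:
    def __init__(self):
        self._entries = set()

    def add_static(self, ip, mac, interface, vlan):
        """Entry an administrator configures for a host with a static address."""
        self._entries.add(Binding(ip, normalize_mac(mac), interface, vlan))

    def learn_dhcp(self, ip, mac, interface, vlan):
        """Entry DHCP snooping records when a DHCP client goes online."""
        self._entries.add(Binding(ip, normalize_mac(mac), interface, vlan))

    def release(self, ip, mac, interface, vlan):
        """Remove a dynamic entry when the lease expires or is released."""
        self._entries.discard(Binding(ip, normalize_mac(mac), interface, vlan))

    def matches(self, pkt):
        """All four fields must match one entry; a partial match is not enough."""
        return Binding(pkt.sender_ip, normalize_mac(pkt.sender_mac),
                       pkt.interface, pkt.vlan) in self._entries


class DaiInspector:
    def __init__(self, table, enabled_interfaces):
        self.table = table
        self.enabled = set(enabled_interfaces)
        self.dropped = {}  # interface -> number of ARP packets dropped by DAI

    def inspect(self, pkt):
        """'forward' if the packet matches a binding, 'drop' if DAI rejects it,
        'unchecked' on an interface without DAI (for example the uplink)."""
        if pkt.interface not in self.enabled:
            return "unchecked"
        if self.table.matches(pkt):
            return "forward"
        self.dropped[pkt.interface] = self.dropped.get(pkt.interface, 0) + 1
        return "drop"


def build_switch_a():
    table = BindingTable()
    # Static entry from this example's configuration (UserC on GE1/0/3).
    table.add_static("10.0.0.2", "00e0-fc12-3456", "GigabitEthernet1/0/3", 10)
    # Constructed: UserA obtained 10.0.0.1 from the DHCP server via GE1/0/1.
    table.learn_dhcp("10.0.0.1", "00e0-fc11-1111", "GigabitEthernet1/0/1", 10)
    return DaiInspector(table, ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2",
                                "GigabitEthernet1/0/3"])


def run_demo():
    """Inspect four constructed ARP packets; returns (verdicts, drop counters)."""
    dai = build_switch_a()
    verdicts = {
        # UserC announces its static address from its own port.
        "userc": dai.inspect(ArpPacket("10.0.0.2", "00E0-FC12-3456", "GigabitEthernet1/0/3", 10)),
        # A host on GE1/0/2 claims UserA's address with a different MAC.
        "spoof_usera": dai.inspect(ArpPacket("10.0.0.1", "00e0-fc22-2222", "GigabitEthernet1/0/2", 10)),
        # UserA's real IP and MAC, but arriving on the wrong port.
        "wrong_port": dai.inspect(ArpPacket("10.0.0.1", "00e0-fc11-1111", "GigabitEthernet1/0/2", 10)),
        # Packet arriving on the uplink GE2/0/1, where DAI is not enabled.
        "uplink": dai.inspect(ArpPacket("10.0.0.254", "00e0-fc00-00ff", "GigabitEthernet2/0/1", 10)),
    }
    return verdicts, dict(dai.dropped)
```

The per-interface drop counter mirrors what `display arp anti-attack statistics check user-bind interface` reports later in this example; note that the interface is part of the match, so a packet that copies a legitimate host's IP and MAC is still dropped when it arrives on a port other than the one in the binding.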
Configuration Notes
In V100R006C05, S2700-SI does not support the DHCP snooping function. This example applies to all models in other versions.
Networking Requirements
As shown in Figure 3-245, SwitchA connects to the DHCP server through GE2/0/1, connects to DHCP clients UserA and UserB through GE1/0/1 and GE1/0/2, and connects to UserC, which is configured with a static IP address, through GE1/0/3. GE1/0/1, GE1/0/2, GE1/0/3, and GE2/0/1 on SwitchA all belong to VLAN 10. The administrator wants to prevent ARP MITM attacks and theft of authorized user information, and to learn the frequency and range of ARP MITM attacks.
Configuration Roadmap
- Enable DHCP snooping and configure a static binding entry.
- Enable DAI so that SwitchA compares the source IP address, source MAC address, interface information, and VLAN ID of the ARP packet with binding entries. This prevents ARP MITM attacks.
Procedure
- Create a VLAN and add interfaces to the VLAN.
# Create VLAN 10, and add GE1/0/1, GE1/0/2, GE1/0/3, and GE2/0/1 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 10
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 10
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet2/0/1] quit
- Configure DHCP snooping.
# Enable DHCP snooping globally.
[SwitchA] dhcp enable
[SwitchA] dhcp snooping enable
# Enable DHCP snooping in VLAN 10.
[SwitchA] vlan 10
[SwitchA-vlan10] dhcp snooping enable
[SwitchA-vlan10] quit
# Configure GE2/0/1, the interface connected to the DHCP server, as a trusted interface.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] dhcp snooping trusted
[SwitchA-GigabitEthernet2/0/1] quit
# Configure a static binding entry for UserC, which uses a static IP address.
[SwitchA] user-bind static ip-address 10.0.0.2 mac-address 00e0-fc12-3456 interface gigabitethernet 1/0/3 vlan 10
- Enable DAI.
# Enable DAI on GE1/0/1, GE1/0/2, and GE1/0/3. GE1/0/1 is used as an example. The configurations of GE1/0/2 and GE1/0/3 are the same as that of GE1/0/1 and are not shown here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable dynamic ARP inspection (check ARP packets against the binding table).
[SwitchA-GigabitEthernet1/0/1] quit
- Verify the configuration.
# Run the display arp anti-attack configuration check user-bind interface command to check the DAI configuration on each interface. GE1/0/1 is used as an example.
[SwitchA] display arp anti-attack configuration check user-bind interface gigabitethernet 1/0/1
 arp anti-attack check user-bind enable
# Run the display arp anti-attack statistics check user-bind interface command to check the number of ARP packets discarded based on DAI. GE1/0/1 is used as an example.
[SwitchA] display arp anti-attack statistics check user-bind interface gigabitethernet 1/0/1
 Dropped ARP packet number is 966
 Dropped ARP packet number since the latest warning is 605
In the preceding command output, the number of discarded ARP packets on GE1/0/1 is displayed, indicating that the defense against ARP MITM attacks has taken effect.
By running the display arp anti-attack statistics check user-bind interface command several times on each interface, the administrator can learn the frequency and range of ARP MITM attacks from how the number of discarded ARP packets changes between readings and which interfaces report drops.
Configuration File
# Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.2 mac-address 00e0-fc12-3456 interface GigabitEthernet1/0/3 vlan 10
#
vlan 10
 dhcp snooping enable
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping trusted
#
return