Configuring ARP
Example for Configuring Static ARP
Overview
Static ARP allows a network administrator to create fixed mappings between IP and MAC addresses.
Dynamic ARP leaves a network open to ARP spoofing: a malicious device sends forged ARP messages that bind the attacker's MAC address to the IP address of a legitimate device, so the switch and other hosts learn a wrong IP-to-MAC mapping and forward traffic for that IP address to the attacker. A static ARP entry fixes the mapping for a given IP address, so the device communicates with the peer using only the configured MAC address. ARP packets from an attacker cannot change the mapping, and communication between the two devices is protected. Static ARP is typically used in the following scenarios:
- Networks contain critical devices such as servers. With a static ARP entry for a critical device's IP address on the switch, ARP attack packets cannot update that entry, so users can still reach the critical device.
- Networks contain user devices whose MAC addresses are multicast MAC addresses. By default, a device does not learn ARP entries from ARP packets whose source MAC address is a multicast MAC address, so such devices can only be reached through a manually configured static ARP entry.
- A network administrator wants to prevent an IP address from accessing devices. The administrator binds the IP address to a MAC address that no device uses, so traffic sent to that IP address is delivered to a MAC address that nothing answers.
Configuration Notes
- The number of static ARP entries configured on the device cannot exceed the maximum number of static ARP entries that the device supports. Run the display arp statistics all command to check how many ARP entries (static and dynamic) already exist on the device before adding more.
This example applies to all versions of all S series switches.
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-109, the Switch connects different departments of an enterprise, and each department is in its own VLAN. Fixed IP addresses have been manually assigned to the file backup server and to the hosts in the president's office; hosts in the other departments obtain dynamic IP addresses through DHCP. Hosts in the marketing department can access the Internet and are frequently the source of ARP attacks: attackers send ARP packets to the Switch and modify its dynamic ARP entries, so communication between the president's office and external devices is interrupted and hosts in the departments can no longer reach the file backup server. The company requires that static ARP entries be configured on the Switch so that hosts in the president's office can communicate with external devices and hosts in the departments can access the file backup server. Only the hosts with fixed IP addresses can be protected this way; a static entry cannot be maintained for a host whose DHCP-assigned address changes.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure static ARP entries for hosts in the president's office on the Switch to prevent ARP entries of the hosts in the president's office from being modified by ARP attack packets.
- Configure a static ARP entry for the file backup server on the Switch to prevent the ARP entry of the file backup server from being modified by ARP attack packets.
Procedure
- Create VLANs on the Switch and configure an IP address for each interface.
# Create VLAN 10, add the interfaces to VLAN 10, and configure an IP address for VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.20 24
[Switch-Vlanif10] quit
# Switch GE1/0/2 to Layer 3 mode (undo portswitch) and configure an IP address for it.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] undo portswitch
[Switch-GigabitEthernet1/0/2] ip address 10.164.10.10 24
[Switch-GigabitEthernet1/0/2] quit
# Switch GE1/0/3 to Layer 3 mode and configure an IP address for it.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] undo portswitch
[Switch-GigabitEthernet1/0/3] ip address 10.164.20.1 24
[Switch-GigabitEthernet1/0/3] quit
If the Switch does not support the undo portswitch command (that is, its physical interfaces cannot be switched to Layer 3 mode), add the interface to a VLAN, create the corresponding VLANIF interface, and configure the IP address on that VLANIF interface instead.
- Configure static ARP entries on the Switch.
[Switch] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface gigabitethernet 1/0/1   //Configure a static ARP entry for the host in the president's office
[Switch] arp static 10.164.10.1 00e0-fc02-1234 interface gigabitethernet 1/0/2   //Configure a static ARP entry for the file backup server
- Verify the configuration.
# Run the display arp static command to check the configured static ARP entries.
[Switch] display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN/CEVLAN
------------------------------------------------------------------------------
10.164.1.1      00e0-fc01-0001            S--         GE1/0/1                    10/-
10.164.10.1     00e0-fc02-1234            S--         GE1/0/2                    40/-
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:2     Interface:0
# Ping the IP address 10.164.20.2/24 of the interface on the Router connecting to the Switch from a host (the IP address is 10.164.1.1/24, using Windows 7 operating system as an example) in the president's office. The ping succeeds.
C:\Documents and Settings\Administrator> ping 10.164.20.2

Pinging 10.164.20.2 with 32 bytes of data:

Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
Reply from 10.164.20.2: bytes=32 time=1ms TTL=128

Ping statistics for 10.164.20.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
# Ping the IP address 10.164.10.1/24 of the file backup server from a host (for example, using the IP address 10.164.2.100/24 and Windows 7 operating system) in the marketing department. The ping succeeds.
C:\Documents and Settings\Administrator> ping 10.164.10.1

Pinging 10.164.10.1 with 32 bytes of data:

Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125

Ping statistics for 10.164.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
# Ping the IP address 10.164.10.1/24 of the file backup server from a host (for example, using the IP address 10.164.3.100/24 and Windows 7 operating system) in the R&D department. The ping succeeds.
C:\Documents and Settings\Administrator> ping 10.164.10.1

Pinging 10.164.10.1 with 32 bytes of data:

Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125

Ping statistics for 10.164.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
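A ping only proves that the path works at the moment it is run; what an operator actually wants to know over time is whether the protected mappings are still static and still correct. The following script, added here as an example and not part of the Huawei documentation, parses the text that display arp prints (the column layout shown in the verification step above) and reports every protected address that is missing, has been learned dynamically instead of being static, or is bound to an unexpected MAC address or interface. The two table samples in the block are constructed for the example; the protected list mirrors the two entries configured above.

```python
"""Audit a Huawei S series ARP table against the static entries a site expects.

Example added for this page; it is not Huawei code. It parses the text that
'display arp' prints (the column layout shown in the verification step) and
reports every protected IP address that is missing, learned dynamically, or
mapped to an unexpected MAC address or interface. Both table samples below
are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str
    kind: str        # first letter of the TYPE column: S static, D dynamic, I interface
    interface: str


# Matches data rows such as:
#   10.164.1.1      00e0-fc01-0001            S--   GE1/0/1   10/-
#   10.164.2.100    00e0-fc03-0100  20        D-0   GE1/0/4   20/-
#   10.164.1.20     00e0-fc00-0020            I -   Vlanif10
# Header, separator and "Total:" lines do not match and are skipped.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?:\d+\s+)?"                      # EXPIRE(M): only dynamic entries show a number
    r"(?P<kind>[SDI])[-\d ]{0,2}\s+"    # TYPE column: 'S--', 'D-0' or 'I -'
    r"(?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_display_arp(text: str) -> list[ArpEntry]:
    """Turn 'display arp' output into ArpEntry objects."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            entries.append(ArpEntry(m["ip"], m["mac"].lower(), m["kind"].upper(), m["iface"]))
    return entries


def audit_static_arp(text: str, protected: dict[str, tuple[str, str]]) -> list[str]:
    """Return one finding per deviation from the expected static mappings; [] means clean."""
    table = {e.ip: e for e in parse_display_arp(text)}
    findings = []
    for ip, (mac, iface) in protected.items():
        e = table.get(ip)
        if e is None:
            findings.append(f"{ip}: no ARP entry at all; static mapping to {mac} is missing")
            continue
        if e.kind != "S":
            findings.append(f"{ip}: entry is not static ({e.kind}); ARP packets can overwrite it")
        if e.mac != mac.lower():
            findings.append(f"{ip}: MAC {e.mac} differs from expected {mac}")
        if e.interface != iface:
            findings.append(f"{ip}: entry points to {e.interface}, expected {iface}")
    return findings


# The two mappings configured on the Switch in this example.
PROTECTED = {
    "10.164.1.1": ("00e0-fc01-0001", "GE1/0/1"),    # host in the president's office
    "10.164.10.1": ("00e0-fc02-1234", "GE1/0/2"),   # file backup server
}

# Constructed 'display arp' output: both static entries present, one ordinary dynamic entry.
HEALTHY = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN/CEVLAN
------------------------------------------------------------------------------
10.164.1.20     00e0-fc00-0020            I -         Vlanif10
10.164.1.1      00e0-fc01-0001            S--         GE1/0/1                    10/-
10.164.10.1     00e0-fc02-1234            S--         GE1/0/2
10.164.2.100    00e0-fc03-0100  20        D-0         GE1/0/4                    20/-
------------------------------------------------------------------------------
Total:4         Dynamic:1       Static:2     Interface:1
"""

# Constructed output after the static entries were lost: the president's office address
# is now a dynamic entry with a foreign MAC, and the file server has no entry at all.
POISONED = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN/CEVLAN
------------------------------------------------------------------------------
10.164.1.20     00e0-fc00-0020            I -         Vlanif10
10.164.1.1      00e0-fcaa-bbcc  18        D-0         GE1/0/1                    10/-
10.164.2.100    00e0-fc03-0100  20        D-0         GE1/0/4                    20/-
------------------------------------------------------------------------------
Total:3         Dynamic:2       Static:0     Interface:1
"""

if __name__ == "__main__":
    for sample in (HEALTHY, POISONED):
        print(audit_static_arp(sample, PROTECTED) or ["clean"])
```

Feed the script the saved output of display arp (not display arp static, which hides the dynamic entry that replaced a lost static one) and alert on any non-empty result; the "not static" finding is the one that indicates the protection is gone, because a dynamic entry for a protected address is exactly what an ARP attack packet can overwrite.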
Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.1.20 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
undo portswitch
ip address 10.164.10.10 255.255.255.0
#
interface GigabitEthernet1/0/3
undo portswitch
ip address 10.164.20.1 255.255.255.0
#
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface GigabitEthernet1/0/1
arp static 10.164.10.1 00e0-fc02-1234 interface GigabitEthernet1/0/2
#
return
Example for Configuring Routed Proxy ARP
Overview
When an enterprise network is divided into subnets, two subnets may belong to the same network segment (from the hosts' point of view) but sit on different physical networks, isolated by the switch. Because the hosts believe the other subnet is on their own segment, they send ARP requests for its addresses, and those requests never cross the switch. One solution is to add routes on the hosts so that packets for the other subnet are sent to the gateway that connects the subnets, which then forwards them to the destination. However, this requires configuring routes on every host in the subnets, which complicates management and maintenance.
Deploying routed proxy ARP on the gateway avoids this. With routed proxy ARP enabled on the gateway's interface, the gateway answers an ARP request whose target is not on the receiving interface's subnet but is reachable through the gateway's routing table, using its own MAC address; the host then sends its frames to the gateway, which routes them to the destination. Hosts whose IP addresses belong to the same network segment but different physical networks can therefore communicate, and no default gateway needs to be configured on the hosts, facilitating management and maintenance. Because the gateway then replies on behalf of every routable off-link address, enable routed proxy ARP only on the interfaces that need it.
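The decision the gateway makes for each ARP request is easier to see as code. The following simulation is added for this page and is not Huawei code; it models Host_1 (172.16.1.2/16) and the Switch_1 side of the networking below (VLANIF 10 at 172.16.1.1/24 with MAC 00e0-fc12-3456). The uplink interface name GigabitEthernet1/0/2 and the route to 172.16.2.0/24 are assumptions made for the example, and the reply rules are the usual simplified ones: answer for the interface's own address, stay silent for on-link targets, and otherwise answer with the interface MAC only when proxy ARP is enabled and a route to the target exists.

```python
"""Simulate the routed proxy ARP decision a gateway makes for each ARP request.

Example added for this page; it is not Huawei code. It mirrors the Switch_1
side of the routed proxy ARP example: Host_1 172.16.1.2/16, VLANIF 10 at
172.16.1.1/24 with MAC 00e0-fc12-3456, and a route to 172.16.2.0/24. The
uplink interface name and the route entry are assumptions for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    address: str          # e.g. "172.16.1.1/24"
    mac: str
    proxy_arp: bool = False   # the 'arp-proxy enable' setting of the interface

    @property
    def ip(self):
        return ipaddress.ip_interface(self.address).ip

    @property
    def network(self):
        return ipaddress.ip_interface(self.address).network


@dataclass
class Gateway:
    interfaces: dict[str, Interface]
    routes: dict[str, str]    # destination prefix -> outgoing interface name

    def lookup_route(self, dst) -> str | None:
        """Longest-prefix match over the routing table; None when no route exists."""
        best = None
        for prefix, out in self.routes.items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        return best[1] if best else None

    def answer_arp(self, in_iface: str, target: str) -> str | None:
        """Return the MAC to place in the ARP reply, or None when the gateway stays silent."""
        ifc = self.interfaces[in_iface]
        dst = ipaddress.ip_address(target)
        if dst == ifc.ip:
            return ifc.mac          # ordinary ARP: the gateway's own interface address
        if dst in ifc.network:
            return None             # target is on-link; the real host must answer itself
        if not ifc.proxy_arp:
            return None             # routed proxy ARP disabled: the request is ignored
        if self.lookup_route(dst) is None:
            return None             # no route: answering would only black-hole the traffic
        return ifc.mac              # proxy reply: the host will send its frames to the gateway


def host_sends_arp_for(host_address: str, dst: str) -> bool:
    """A host with no default gateway only ARPs for addresses it believes are on-link."""
    host = ipaddress.ip_interface(host_address)
    return ipaddress.ip_address(dst) in host.network


def build_switch_1() -> Gateway:
    return Gateway(
        interfaces={
            "Vlanif10": Interface("Vlanif10", "172.16.1.1/24", "00e0-fc12-3456", proxy_arp=True),
        },
        routes={"172.16.2.0/24": "GigabitEthernet1/0/2"},   # assumed uplink toward Switch_2
    )


def resolve_from_host_1(target: str, proxy_enabled: bool = True) -> str | None:
    """Walk the exchange: Host_1 decides whether to ARP, Switch_1 decides whether to answer.

    Returns the MAC Host_1 ends up caching for target, or None if resolution fails.
    """
    if not host_sends_arp_for("172.16.1.2/16", target):
        return None      # Host_1 would need a default gateway for this, and has none
    sw = build_switch_1()
    sw.interfaces["Vlanif10"].proxy_arp = proxy_enabled
    return sw.answer_arp("Vlanif10", target)


if __name__ == "__main__":
    for tgt, proxy in (("172.16.2.2", True), ("172.16.2.2", False), ("172.16.1.3", True), ("172.16.9.9", True)):
        print(tgt, "proxy" if proxy else "no proxy", "->", resolve_from_host_1(tgt, proxy))
```

Run as shown, Host_2's address resolves to 00e0-fc12-3456, which is exactly what the arp -a output on Host_1 in the verification step reports: the host believes it is talking to Host_2 directly while its frames go to VLANIF 10. With arp-proxy disabled the same request gets no reply, which is why the ping fails before the configuration; an on-link target (172.16.1.3) is left to the real host, and a target with no route (172.16.9.9) gets no reply either.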
Configuration Notes
After routed proxy ARP is enabled on the device, reduce the aging time of ARP entries on the hosts. Invalid ARP entries then age out as soon as possible, which reduces the number of packets that hosts send to the switch but that the switch cannot forward.
This example applies to the following product models:
- V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
- S2700-EI, S2710-SI, S2720-EI, S3700-SI, S3700-EI, S3700-HI
- S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
- S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
- S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table 3-1 in "Applicable Products and Versions" for details.
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.
Networking Requirements
As shown in Figure 3-110, branch A and branch B of the enterprise are located in different cities and their host IP addresses belong to the same network segment 172.16.0.0/16. There are reachable routes between Switch_1 connected to branch A and Switch_2 connected to branch B. Branch A and branch B belong to different broadcast domains; therefore, they cannot communicate on a LAN. Hosts in the branches are not configured with default gateway addresses, so they cannot communicate across network segments. The enterprise requires that branch A and branch B communicate without changing the host configurations.
Configuration Roadmap
The configuration roadmap is as follows:
- Add the interface connecting Switch_1 to branch A to VLAN 10 and the interface connecting Switch_2 to branch B to VLAN 20.
- Enable routed proxy ARP on VLANIF 10 of Switch_1 and VLANIF 20 of Switch_2 so that the two branches can communicate.
Procedure
- Create VLANs, add interfaces to VLANs, and configure IP addresses for the interfaces.
# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type access
[Switch_1-GigabitEthernet1/0/1] port default vlan 10
[Switch_1-GigabitEthernet1/0/1] quit
[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address 172.16.1.1 24
# Configure Switch_2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 20
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] port link-type access
[Switch_2-GigabitEthernet1/0/1] port default vlan 20
[Switch_2-GigabitEthernet1/0/1] quit
[Switch_2] interface vlanif 20
[Switch_2-Vlanif20] ip address 172.16.2.1 24
- Configure routed proxy ARP.
# Configure Switch_1.
[Switch_1-Vlanif10] arp-proxy enable   //Enable routed proxy ARP
[Switch_1-Vlanif10] quit
# Configure Switch_2.
[Switch_2-Vlanif20] arp-proxy enable   //Enable routed proxy ARP
[Switch_2-Vlanif20] quit
- Verify the configuration.
# Check ARP entries of VLANIF 10 on Switch_1. The command output shows the MAC address mapping the IP address of VLANIF 10.
[Switch_1] display arp interface vlanif 10
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE   VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.1.1      00e0-fc12-3456            I -         Vlanif10
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1
# Select Host_1 (using Windows 7 as an example) at 172.16.1.2/16 in branch A and select Host_2 at 172.16.2.2/16 in branch B. Ping the IP address of Host_2 on Host_1. The ping operation is successful.
C:\Documents and Settings\Administrator> ping 172.16.2.2

Pinging 172.16.2.2 with 32 bytes of data:

Reply from 172.16.2.2: bytes=32 time<1ms TTL=128
Reply from 172.16.2.2: bytes=32 time<1ms TTL=128
Reply from 172.16.2.2: bytes=32 time<1ms TTL=128
Reply from 172.16.2.2: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.2.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
# Check the ARP table on Host_1. The command output shows that the MAC address mapping the IP address of Host_2 is the MAC address of VLANIF 10 on Switch_1, indicating that Host_1 and Host_2 can communicate with each other through ARP proxy.
C:\Documents and Settings\Administrator> arp -a

Interface: 172.16.1.2 --- 0xd
  Internet Address      Physical Address      Type
  172.16.2.2            00e0-fc12-3456        dynamic
  ...
Configuration Files
Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 10
#
interface Vlanif10
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
return
Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 20
#
interface Vlanif20
ip address 172.16.2.1 255.255.255.0
arp-proxy enable
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
return