No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Typical Configuration Examples

This document provides examples for configuring features in typical usage scenarios.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Example for Configuring Defense Against ARP MITM Attacks

Example for Configuring Defense Against ARP MITM Attacks

DAI Overview

Address Resolution Protocol (ARP) security protects network devices against ARP attacks by learning ARP entries, limiting ARP packet rate, and checking ARP packets. In addition to preventing ARP protocol attacks, ARP security also prevents ARP-based network scanning attacks.

Man-in-the-middle (MITM) attack is a frequently launched ARP attack. The attacker functions as the "man in the middle" to intercept data.

To defend against MITM attacks, deploy dynamic ARP inspection (DAI) on the device.

DAI defends against MITM attacks using binding entries. When a device receives an ARP packet, it compares the source IP address, source MAC address, interface information, and VLAN ID of the ARP packet with binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. If the ARP packet matches no binding entry, the device considers the ARP packet invalid and discards the packet.

NOTE:

The device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you need to manually configure a static binding entry for the user.

Configuration Notes

In V100R006C05, S2700SI does not support the DHCP snooping function. This example applies to all models in other versions.

Networking Requirements

As shown in Figure 15-11, SwitchA connects to the DHCP server using GE2/0/1, connects to DHCP clients UserA and UserB using GE1/0/1 and GE1/0/2, and connects to UserC configured with a static IP address using GE1/0/3. GE1/0/1, GE1/0/2, GE1/0/3, and GE2/0/1 on SwitchA all belong to VLAN 10. The administrator wants to prevent ARP MITM attacks and theft on authorized user information, and learn the frequency and range of ARP MITM attacks.

Figure 15-11  Networking diagram for defending against ARP MITM attacks

Configuration Roadmap

The configuration roadmap is as follows:
  1. Enable DHCP snooping and configure a static binding entry.
  2. Enable DAI so that SwitchA compares the source IP address, source MAC address, interface information, and VLAN ID of the ARP packet with binding entries. This prevents ARP MITM attacks.

Procedure

  1. Create a VLAN and add interfaces to the VLAN.

    # Create VLAN 10, and add GE1/0/1, GE1/0/2, GE1/0/3, and GE2/0/1 to VLAN 10.

    <HUAWEI> system-view
    [HUAWEI] sysname SwitchA
    [SwitchA] vlan batch 10
    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] port link-type access
    [SwitchA-GigabitEthernet1/0/1] port default vlan 10
    [SwitchA-GigabitEthernet1/0/1] quit
    [SwitchA] interface gigabitethernet 1/0/2
    [SwitchA-GigabitEthernet1/0/2] port link-type access
    [SwitchA-GigabitEthernet1/0/2] port default vlan 10
    [SwitchA-GigabitEthernet1/0/2] quit
    [SwitchA] interface gigabitethernet 1/0/3
    [SwitchA-GigabitEthernet1/0/3] port link-type access
    [SwitchA-GigabitEthernet1/0/3] port default vlan 10
    [SwitchA-GigabitEthernet1/0/3] quit
    [SwitchA] interface gigabitethernet 2/0/1
    [SwitchA-GigabitEthernet2/0/1] port link-type trunk
    [SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
    [SwitchA-GigabitEthernet2/0/1] quit
    

  2. Configure DHCP snooping.

    # Enable DHCP snooping globally.

    [SwitchA] dhcp enable
    [SwitchA] dhcp snooping enable
    

    # Enable DHCP snooping in VLAN 10.

    [SwitchA] vlan 10
    [SwitchA-vlan10] dhcp snooping enable
    [SwitchA-vlan10] quit
    

    # Configure GE2/0/1 as a trusted interface.

    [SwitchA] interface gigabitethernet 2/0/1
    [SwitchA-GigabitEthernet2/0/1] dhcp snooping trusted
    [SwitchA-GigabitEthernet2/0/1] quit
    

    # Configure a static binding table.

    [SwitchA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface gigabitethernet 1/0/3 vlan 10
    

  3. Enable DAI.

    # Enable DAI on GE1/0/1, GE1/0/2, and GE1/0/3. GE1/0/1 is used as an example. Configurations of GE1/0/2 and GE1/0/3 are similar to the configuration of GE1/0/1, and are not mentioned here.

    [SwitchA] interface gigabitethernet 1/0/1
    [SwitchA-GigabitEthernet1/0/1] arp anti-attack check user-bind enable   //Enable dynamic ARP inspection (check ARP packets against a binding table).
    [SwitchA-GigabitEthernet1/0/1] quit
    

  4. Verify the configuration.

    # Run the display arp anti-attack configuration check user-bind interface command to check the DAI configuration on each interface. GE1/0/1 is used as an example.

    [SwitchA] display arp anti-attack configuration check user-bind interface gigabitethernet 1/0/1
     arp anti-attack check user-bind enable
    

    # Run the display arp anti-attack statistics check user-bind interface command to check the number of ARP packets discarded based on DAI. GE1/0/1 is used as an example.

    [SwitchA] display arp anti-attack statistics check user-bind interface gigabitethernet 1/0/1
     Dropped ARP packet number is 966                                                 
     Dropped ARP packet number since the latest warning is 605
    

    In the preceding command output, the number of discarded ARP packets on GE1/0/1 is displayed, indicating that the defense against ARP MITM attacks has taken effect.

    When you run the display arp anti-attack statistics check user-bind interface command for multiple times on each interface, the administrator can learn the frequency and range of ARP MITM attacks based on the number of discarded ARP packets.

Configuration File

# Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 10
#
dhcp enable                                                                     
#
dhcp snooping enable                                                            
user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface GigabitEthernet1/0/3 vlan 10
#                                                                               
vlan 10                                                                          
 dhcp snooping enable                                              
#                                                                               
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
#   
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
#   
interface GigabitEthernet2/0/1
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                                   
 dhcp snooping trusted                                                            
#   
return
Download
Updated: 2019-04-20

Document ID: EDOC1000069520

Views: 662855

Downloads: 29849

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next