AR Router Troubleshooting Guide

This document provides guidance for maintaining the AR enterprise router, covering common information collection and fault diagnosis commands, and troubleshooting procedures for typical faults.

The Gateway Address Is Maliciously Changed

Common Causes

This fault is commonly caused by one of the following:

  • An attacker sends bogus gratuitous ARP packets to users. Users change their gateway address after receiving the gratuitous ARP packets.
  • An attacker sends bogus ICMP unreachable packets or ICMP redirect packets to users.

Troubleshooting Flowchart

An attacker sends gratuitous ARP packets whose source IP address is the IP address of the gateway on the LAN. After receiving these packets, hosts on the LAN update the MAC address of their gateway ARP entry to the attacker's MAC address. As a result, the hosts cannot access the network.

Figure 22-9 shows the troubleshooting flowchart.

Figure 22-9  Troubleshooting flowchart for gateway address spoofing

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

  1. Check that the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 functions as the gateway. If the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 is not the gateway, the gateway anti-collision function does not take effect.

    You can use either of the following methods to check whether the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 is the gateway:

    • Run the display arp command to view the type of the ARP entry corresponding to the gateway IP address.

      If the ARP entry type is displayed as I-, the gateway IP address is an interface address on the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600.

      <Huawei> display arp
      IP ADDRESS   MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                                VLAN/CEVLAN
      ------------------------------------------------------------------------------
      1.1.1.1      0022-0033-0044            I -         Vlanif10  
    • Run the display ip routing-table gateway address command to check whether a route to the gateway address exists.

      If a route to the gateway address is displayed in the command output, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 is the gateway.

      <Huawei> display ip routing-table 1.1.1.1 (gateway address)
      Route Flags: R - relay, D - download to fib
      ---------------------------------------------------------------------
      Routing Table : Public
      Summary Count : 1
      
      Destination/Mask    Proto  Pre  Cost   Flags NextHop      Interface
      
      1.1.1.1/24          Direct 0    0       D    127.0.0.1    Loopback0
      

    If the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 is not the gateway, configure it as the user gateway.

  2. Run the display arp anti-attack configuration gateway-duplicate command to check that ARP gateway anti-collision is enabled.

    If ARP gateway anti-collision is not enabled, run the arp anti-attack gateway-duplicate enable command to enable this function.

  3. Run the display current-configuration command to check whether the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 is enabled to send gratuitous ARP packets.

    • When the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 functions as a gateway, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 needs to send gratuitous ARP packets so that users can periodically update the ARP entry of the gateway. To enable the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 to send gratuitous ARP packets, use the arp gratuitous-arp send enable command in the system view or VLANIF interface view.

    • By default, the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 sends a gratuitous ARP packet every 90 seconds after this function is enabled. You can set the interval by using the arp gratuitous-arp send interval command.

    • If the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 has been enabled to send gratuitous ARP packets, go to step 4.

  4. Run the display arp anti-attack gateway-duplicate item command to check the anti-collision entries.

    • If an entry is displayed, view it to find the IP address, MAC address, and source interface of the attacker. Based on this information, add the attacker to the blacklist or configure a blackhole MAC entry. Packets from the attacker are then discarded.

    • If no entry is displayed, go to step 5.

  5. Collect the following information and contact technical support personnel:

    • Results of the preceding troubleshooting procedure
    • Configuration file, log file, and alarm file of the AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600
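
The check that the gateway anti-collision function in steps 2 and 4 performs, and the spoofing mechanism described under Troubleshooting Flowchart, as an added example in Python that is not part of Huawei's documentation or the router's software: it parses raw Ethernet/ARP frames and reports every ARP packet that claims the gateway IP address from a MAC address other than the gateway's own, marking whether the packet is a gratuitous ARP. The gateway IP/MAC values and the sample frames are constructed for the example.

```python
import struct

# Constructed for this example (not from the document): the gateway's own IP and MAC.
GATEWAY_IP, GATEWAY_MAC = "1.1.1.1", "00:22:00:33:00:44"
ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType (0x0806 = ARP)
ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def mac_bytes(s): return bytes(int(x, 16) for x in s.split(":"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp(src_mac, sender_ip, target_ip, op=2):
    """Broadcast Ethernet/ARP frame builder, used only to construct the sample traffic."""
    eth = ETH.pack(mac_bytes("ff:ff:ff:ff:ff:ff"), mac_bytes(src_mac), 0x0806)
    return eth + ARP.pack(1, 0x0800, 6, 4, op, mac_bytes(src_mac), ip_bytes(sender_ip),
                          bytes(6), ip_bytes(target_ip))

def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip, op) for an IPv4 ARP frame, else None."""
    if len(frame) < ETH.size + ARP.size or ETH.unpack_from(frame, 0)[2] != 0x0806:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return mac_str(sha), ip_str(spa), ip_str(tpa), op

def gateway_collisions(frames, gw_ip=GATEWAY_IP, gw_mac=GATEWAY_MAC):
    """Anti-collision check: ARP packets claiming the gateway IP from a MAC other than the gateway's."""
    hits = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        sender_mac, sender_ip, target_ip, op = parsed
        if sender_ip == gw_ip and sender_mac != gw_mac.lower():
            # Gratuitous ARP carries the sender's own IP as the target IP.
            hits.append({"mac": sender_mac, "op": op, "gratuitous": sender_ip == target_ip})
    return hits

# Constructed sample traffic: the gateway's own gratuitous ARP, an ordinary host reply
# to the gateway, and a gratuitous ARP from a different MAC that claims the gateway IP.
SAMPLE_FRAMES = [build_arp(GATEWAY_MAC, GATEWAY_IP, GATEWAY_IP),
                 build_arp("00:aa:bb:cc:dd:01", "1.1.1.20", "1.1.1.1"),
                 build_arp("00:aa:bb:cc:dd:02", GATEWAY_IP, GATEWAY_IP)]

for hit in gateway_collisions(SAMPLE_FRAMES):
    print(f"gateway IP claimed by {hit['mac']} (op={hit['op']}, gratuitous={hit['gratuitous']})")
```

The reported MAC and the interface on which such a frame arrives are exactly the attacker details that the anti-collision entry in step 4 gives you for a blacklist or blackhole MAC entry.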

Updated: 2019-05-10

Document ID: EDOC1000079719