AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Routers. It covers the commands used to collect information and diagnose faults, and troubleshooting guides for typical faults.
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Users Connected to an AR2240 Intermittently Fail to Access the Internet Due to an ARP Attack

Keywords

ARP attack, AR, connected users, intermittently, failed to access the Internet

Abstract

When an ARP attack occurs, users connected to an AR2240 intermittently fail to access the Internet.

Problem Description

Figure 28-3  Users fail to access the Internet

As shown in Figure 28-3, the users of a department access the Internet through an AR2240. Users connected to the AR routers (Router_1 to Router_5) obtain IP addresses through DHCP. The addresses used by these routers belong to two internal network segments, 10.20.1.0 and 10.20.3.0 (the original text gives both with a /16 mask, which would place them in the same 10.20.0.0/16 network; the addresses in the ARP table below are consistent with two /24 segments).

Fault symptom: users on the internal network segments connected to the AR2240 intermittently cannot access the Internet.

Procedure

  1. Run the display cpu-defend statistics command on the AR2240 to view statistics on the packets sent to the CPU.

    <AR2240> display cpu-defend statistics
    --------------------------------------------------------------
    Packet Type  Pass Packets   Drop Packets
    --------------------------------------------------------------
    8021X           0              0
    arp-miss       5744            0
    arp-reply      3903            0
    arp-request   448252         1390
    bfd              0             0

    The output shows that the AR2240 is dropping packets destined for its CPU: 1390 ARP Request packets have been discarded while the arp-reply and arp-miss counters show no drops. A non-zero drop counter for arp-request means that ARP Requests are reaching the CPU faster than the CPU defense rate limit allows, which points to an abnormally high ARP Request rate on the internal interface rather than a link fault.

  2. Run the display trapbuffer command on the AR2240 to view information in the trap buffer of the information center.

    <AR2240> display trapbuffer
    .....
    #Dec9 2014 10:09:34+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=10.20.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
    #Dec9 2014 10:01:44+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=10.20.3.130, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dbb, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
    #Dec9 2014 09:49:28+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=10.20.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
    #Dec9 2014 09:34:04+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=10.20.3.133, Local interface=GigabitEthernet0/0/1, Local MAC=7427-eae4-275b, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=0017-59de-b688, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).

    The traps show repeated IP address conflicts on GigabitEthernet0/0/1. In each trap, Local MAC is the MAC address the router currently has bound to the IP address and Receive MAC is the MAC address in the ARP packet that claims the same address. MAC address 0017-59de-b688 is a party to all four conflicts: in three of them it is the Local MAC (the router already holds 10.20.3.130 and 10.20.3.131 bound to it while other hosts, 78a1-067c-7dbb and 78a1-067c-7dc1, claim those addresses), and in the fourth it is the Receive MAC claiming 10.20.3.133, which the router holds bound to 7427-eae4-275b. One MAC address contending for several different IP addresses within minutes is the signature of ARP spoofing rather than an ordinary duplicate-address mistake.

  3. Run the display arp all command to view ARP table information.

    <AR2240> display arp all 
    IP ADDRESS  MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE VLAN/CEVLAN PVC
    10.20.1.107   0014-5e7a-75b4 20  D-0  GE0/0/1
    10.20.3.121   0017-59de-b688 2   D-0  GE0/0/1
    10.20.1.112   cc34-2999-9bbf 17  D-0  GE0/0/1
    10.20.3.120   7427-eae4-275b 20  D-0  GE0/0/1
    10.20.1.109   0014-5e19-a483 13  D-0  GE0/0/1
    10.20.1.199   d815-0d38-3d3d 3   D-0  GE0/0/1
    10.20.1.101   0014-5e7a-7574 19  D-0  GE0/0/1
    10.20.1.206   0022-3fa5-b237 4   D-0  GE0/0/1
    10.20.3.6     0017-59de-b688 18  D-0  GE0/0/1
    10.20.1.6     90fb-a61e-13e5 16  D-0  GE0/0/1
    10.20.1.233   7427-ea3d-e4ef 20  D-0  GE0/0/1
    10.20.1.130   0060-6e9a-0d23 2   D-0  GE0/0/1
    10.20.1.50    4437-e676-91aa 2   D-0  GE0/0/1
    10.20.3.130   0017-59de-b688 17  D-0  GE0/0/1
    10.20.3.132   0021-272e-eb43 14  D-0  GE0/0/1
    10.20.3.131   0017-59de-b688 5   D-0  GE0/0/1
    10.20.3.133   0017-59de-b688 10  D-0  GE0/0/1 

    The ARP table confirms the attack: MAC address 0017-59de-b688 is bound to five different IP addresses on GE0/0/1 (10.20.3.6, 10.20.3.121, 10.20.3.130, 10.20.3.131 and 10.20.3.133). A single host legitimately answers ARP for one address per interface, so a MAC address that holds several addresses in the gateway's ARP table is sending forged ARP packets. The attack source MAC address is therefore 0017-59de-b688. Because the legitimate hosts keep answering ARP as well, the entries flip between the real MAC address and the attacker's, which explains why the users lose connectivity intermittently rather than permanently.

  4. Check whether this source MAC address belongs to a router on the internal network segments.

    The source MAC address does not belong to a router on the internal network segments.

  5. Trace the source MAC address 0017-59de-b688.

    The core switch and floor switches are not under management (they cannot be logged in to), so the switch port behind which MAC address 0017-59de-b688 is attached cannot be located.

  6. Configure Layer 2 ARP packet filtering on GE0/0/1 of the AR2240 to discard ARP packets whose source MAC address is 0017-59de-b688. ACL 4444 is a Layer 2 ACL (the 4000 to 4999 range); the rule matches on the ARP Ethernet type and the source MAC address, and the ACL is applied to inbound traffic on the interface facing the internal network.

    [AR2240] acl number 4444
    [AR2240-acl-L2-4444] rule 5 deny l2-protocol arp source-mac 0017-59de-b688
    [AR2240-acl-L2-4444] quit
    [AR2240] interface gigabitethernet 0/0/1
    [AR2240-GigabitEthernet0/0/1] traffic-filter inbound acl 4444

    This filter only protects the AR2240's own ARP table. It does not stop the attacking host from poisoning the ARP caches of other hosts in the same Layer 2 domain, and an attacker who changes the source MAC address bypasses it, so it is a stopgap until the host can be located and disconnected at its access switch port.
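    The following is an added example and is not code from Huawei or from this guide. It implements the checks made in steps 1 to 3 and 6 as an offline script: it parses the three CLI outputs the procedure inspects, ranks MAC addresses that hold several IP addresses in the ARP table and also figure in ARP_IPCONFLICT traps, and generates the Layer 2 ACL filter from step 6 for each suspect. The three sample outputs embedded in the script are constructed copies of the page's excerpts (the ARP table is shortened), and the ACL number and interface name are taken from step 6.

```python
"""Added example, not part of the Huawei document: offline detection of the
ARP-spoofing pattern in this case, run over constructed copies of the three
CLI outputs the procedure inspects (display cpu-defend statistics,
display trapbuffer, display arp all)."""
import re
import ipaddress
from collections import Counter, defaultdict

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"  # Huawei MAC notation, e.g. 0017-59de-b688

# Constructed sample: CPU-defend counters as shown in step 1.
CPU_DEFEND = """\
Packet Type  Pass Packets   Drop Packets
8021X           0              0
arp-miss       5744            0
arp-reply      3903            0
arp-request   448252         1390
bfd              0             0
"""

# Constructed sample: the four ARP_IPCONFLICT traps from step 2, one per line.
TRAPBUFFER = """\
#Dec9 2014 10:09:34+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=10.20.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
#Dec9 2014 10:01:44+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=10.20.3.130, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dbb, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
#Dec9 2014 09:49:28+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=10.20.3.131, Local interface=GigabitEthernet0/0/1, Local MAC=0017-59de-b688, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=78a1-067c-7dc1, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
#Dec9 2014 09:34:04+00:00 253_HW_AR2240 ARP/4/ARP_IPCONFLICT_TRAP:OID 1.3.6.1.4.1.2011.5.25.123.2.6 ARP detects IP conflict. (IP address=10.20.3.133, Local interface=GigabitEthernet0/0/1, Local MAC=7427-eae4-275b, Local vlan=0, Local CE vlan=0, Receive interface=GigabitEthernet0/0/1, Receive MAC=0017-59de-b688, Receive vlan=0, Receive CE vlan=0, IP conflict type=Remote IP conflict).
"""

# Constructed sample: shortened excerpt of the ARP table from step 3.
ARP_TABLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/CEVLAN PVC
10.20.1.107     0014-5e7a-75b4  20        D-0  GE0/0/1
10.20.3.121     0017-59de-b688  2         D-0  GE0/0/1
10.20.3.120     7427-eae4-275b  20        D-0  GE0/0/1
10.20.1.199     d815-0d38-3d3d  3         D-0  GE0/0/1
10.20.3.6       0017-59de-b688  18        D-0  GE0/0/1
10.20.3.130     0017-59de-b688  17        D-0  GE0/0/1
10.20.3.132     0021-272e-eb43  14        D-0  GE0/0/1
10.20.3.131     0017-59de-b688  5         D-0  GE0/0/1
10.20.3.133     0017-59de-b688  10        D-0  GE0/0/1
"""


def parse_cpu_defend(text):
    """Return {packet_type: (passed, dropped)} from display cpu-defend statistics."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(\d+)$", line.strip())
        if m:
            stats[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return stats


def dropped_types(text):
    """Packet types with a non-zero drop counter, i.e. rate-limited by CPU defense."""
    return [t for t, (_, drop) in parse_cpu_defend(text).items() if drop > 0]


def parse_conflict_traps(text):
    """Extract ip / local MAC / received MAC from each ARP_IPCONFLICT_TRAP line."""
    pat = re.compile(r"IP address=(?P<ip>[\d.]+).*?Local MAC=(?P<local>" + MAC +
                     r").*?Receive MAC=(?P<recv>" + MAC + r")")
    lines = (l for l in text.splitlines() if "ARP_IPCONFLICT_TRAP" in l)
    return [m.groupdict() for m in (pat.search(l) for l in lines) if m]


def mac_conflict_counts(traps):
    """How often each MAC is a party to a conflict, as holder or as claimant."""
    return Counter(mac for t in traps for mac in (t["local"], t["recv"]))


def parse_arp_table(text):
    """Return [(ip, mac, interface)] from display arp all; the header is skipped."""
    pat = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(" + MAC + r")\s+\d+\s+\S+\s+(\S+)")
    return [m.groups() for m in (pat.match(l.strip()) for l in text.splitlines()) if m]


def macs_with_multiple_ips(entries, min_ips=2):
    """MACs bound to at least min_ips different IPs: the ARP-spoofing signature."""
    by_mac = defaultdict(set)
    for ip, mac, _ in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) >= min_ips}


def suspect_macs(arp_text, trap_text):
    """MACs holding several IPs that also appear in conflict traps, most suspicious first."""
    bindings = macs_with_multiple_ips(parse_arp_table(arp_text))
    conflicts = mac_conflict_counts(parse_conflict_traps(trap_text))
    ranked = sorted(bindings, key=lambda m: (len(bindings[m]), conflicts[m]), reverse=True)
    return [m for m in ranked if conflicts[m] > 0]


def vrp_filter_commands(mac, acl=4444, interface="gigabitethernet 0/0/1"):
    """The Layer 2 ACL filter from step 6, generated for a given source MAC."""
    return [f"acl number {acl}",
            f"rule 5 deny l2-protocol arp source-mac {mac}",
            "quit",
            f"interface {interface}",
            f"traffic-filter inbound acl {acl}"]


if __name__ == "__main__":
    print("CPU-defend drops on:", dropped_types(CPU_DEFEND))
    for mac in suspect_macs(ARP_TABLE, TRAPBUFFER):
        print("suspect", mac, "holds", macs_with_multiple_ips(parse_arp_table(ARP_TABLE))[mac])
        print("\n".join(vrp_filter_commands(mac)))
```

    Run on the embedded samples, the script reports arp-request as the only rate-limited packet type, ranks 0017-59de-b688 as the sole suspect (five IP bindings, a party to all four traps) and prints the same ACL lines as step 6. On a real device, paste the three command outputs into the string constants; the trap regex only needs each trap on one line, which is how the device prints it.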

Root Cause

A host on the internal network segments (MAC address 0017-59de-b688) is sending forged ARP packets. The ARP table shows this MAC address bound to five user IP addresses, so the AR2240 forwards downstream traffic for those users to the attacking host instead of to them, and the trap buffer shows the bindings being contested by the legitimate hosts, so the entries alternate between the real and the forged MAC address. The ARP Request rate is also high enough that CPU defense drops part of it, which can delay legitimate ARP resolution. Together these cause the intermittent loss of Internet access.

Solution

On internal networks, most attacks are launched with Layer 2 protocol packets, and ARP packets are widely used by attackers to cut users off from the Internet. The most commonly used ARP attack defense methods on the AR are:

  • Strict ARP learning: The device learns ARP entries only from ARP Reply packets that answer ARP Requests it sent itself, so unsolicited replies and gratuitous ARP from an attacker cannot overwrite its table. To enable strict ARP learning globally, run the arp learning strict command.
  • ARP gateway anti-collision: Users cannot impersonate the gateway in order to stop other users from accessing the Internet. To enable ARP gateway anti-collision globally, run the arp anti-attack gateway-duplicate enable command.
  • Actively sending gratuitous ARP packets: The device periodically sends gratuitous ARP packets to refresh the gateway MAC address in user ARP entries. This ensures that user packets reach the gateway and are not intercepted by an attacker posing as it. To configure the device to actively send gratuitous ARP packets, run the arp gratuitous-arp send enable command. By default, the device sends a gratuitous ARP packet every 90s.

These measures protect the gateway's own ARP table and its identity as the gateway; they do not prevent the attacking host from poisoning other hosts' ARP caches on the same segment. The attacking host should still be located on the access switches and disconnected.
Updated: 2019-05-10

Document ID: EDOC1000079719