CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA, NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense, Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, and security risks.
Example for Configuring Defense Against ARP MITM Attacks

Networking Requirements

As shown in Figure 10-10, the users of a department access the Internet through RouterA. Among the users connected to RouterA, some obtain IP addresses through DHCP and others are assigned static IP addresses. All users are in the same VLAN as the DHCP server. If an attacker launches an ARP MITM attack, the data of authorized users will leak; therefore, the administrator requires that RouterA be able to prevent MITM attacks and record the frequency and range of such attacks.

Figure 10-10  Networking diagram for defending against ARP MITM attacks

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure port isolation on RouterA to prevent ARP packets from being broadcast within the VLAN and to ensure that ARP packets are sent to the CPU for checking. After this configuration, the users in the department are isolated at Layer 2. To preserve Layer 3 communication between users, the proxy ARP function must be configured.
  2. Configure the DHCP snooping function so that RouterA generates address and port binding entries for dynamic users; binding entries for static users are configured manually. These binding entries are used to check the validity of ARP packets.
  3. Enable DAI so that RouterA compares the source IP address, source MAC address, VLAN ID, and interface number of each ARP packet with the DHCP snooping binding entries and filters out packets that match no entry. This prevents ARP MITM attacks.
  4. Enable the alarm function for the ARP packets discarded by DAI so that RouterA counts ARP packets matching no binding entry and generates an alarm when the number of discarded ARP packets exceeds the alarm threshold. From the alarms and the number of discarded ARP packets, the administrator learns the frequency and range of the current ARP MITM attacks.
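The following Python model illustrates the check that roadmap steps 2 to 4 describe. It is an added example, not RouterA's own code or Huawei software: an ARP packet is forwarded only when its sender IP, sender MAC, VLAN ID and ingress interface together match a binding entry (statically configured or learned by DHCP snooping); otherwise it is dropped, the interface's drop counter grows, and one alarm is recorded when the counter reaches a threshold. The class names, the threshold value and the dynamic user's IP and MAC addresses are assumptions for the example; the static binding reuses the entry from this configuration example.

```python
"""DAI-style ARP check against a binding table (added example, hypothetical model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One binding-table entry, static or learned by DHCP snooping."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass(frozen=True)
class ArpPacket:
    """The ARP packet fields that DAI compares with the binding table."""
    sender_ip: str
    sender_mac: str
    vlan: int
    interface: str  # ingress interface on RouterA


@dataclass
class InterfaceState:
    """Per-interface DAI state, mirroring the fields of the 'display' output."""
    check_enabled: bool = True
    alarm_enabled: bool = True
    drop_count: int = 0
    alarmed: bool = False


class DynamicArpInspector:
    def __init__(self, static_bindings, alarm_threshold):
        # Exact match on all four fields; a mismatch in any one is a drop.
        self._table = {(b.ip, b.mac, b.vlan, b.interface) for b in static_bindings}
        self.alarm_threshold = alarm_threshold
        self.interfaces = {}
        self.alarms = []

    def learn_dynamic_binding(self, binding):
        """Entry DHCP snooping would create from a DHCP ACK for a dynamic user."""
        self._table.add((binding.ip, binding.mac, binding.vlan, binding.interface))

    def inspect(self, pkt):
        """Return True if the packet is forwarded, False if DAI drops it."""
        state = self.interfaces.setdefault(pkt.interface, InterfaceState())
        if not state.check_enabled:
            return True
        if (pkt.sender_ip, pkt.sender_mac, pkt.vlan, pkt.interface) in self._table:
            return True
        state.drop_count += 1
        if (state.alarm_enabled and not state.alarmed
                and state.drop_count >= self.alarm_threshold):
            state.alarmed = True
            self.alarms.append(
                f"{pkt.interface}: ARP packet drop count = {state.drop_count} "
                f"reached alarm threshold {self.alarm_threshold}")
        return False


def demo():
    """Run constructed traffic through the inspector; addresses are made up."""
    dai = DynamicArpInspector(
        # The static entry from the example configuration.
        [Binding("10.0.0.2", "0001-0001-0001", 10, "Ethernet2/0/3")],
        alarm_threshold=2)
    # A dynamic user on Eth2/0/1 (constructed IP and MAC).
    dai.learn_dynamic_binding(Binding("10.0.0.3", "0002-0002-0002", 10, "Ethernet2/0/1"))
    traffic = [
        ArpPacket("10.0.0.3", "0002-0002-0002", 10, "Ethernet2/0/1"),  # valid dynamic user
        ArpPacket("10.0.0.2", "0001-0001-0001", 10, "Ethernet2/0/3"),  # valid static user
        ArpPacket("10.0.0.1", "0002-0002-0002", 10, "Ethernet2/0/1"),  # claims the gateway IP
        ArpPacket("10.0.0.2", "0002-0002-0002", 10, "Ethernet2/0/1"),  # claims another user's IP
        ArpPacket("10.0.0.3", "0002-0002-0002", 10, "Ethernet2/0/2"),  # right IP/MAC, wrong port
    ]
    verdicts = [dai.inspect(p) for p in traffic]
    return verdicts, dai


if __name__ == "__main__":
    verdicts, dai = demo()
    for iface, st in sorted(dai.interfaces.items()):
        print(f"{iface}: ARP packet drop count = {st.drop_count}")
    print("\n".join(dai.alarms))
```

The last three packets show why all four fields are compared: the third and fourth carry a valid MAC but claim an IP address that belongs to the gateway or to another user, and the fifth carries a valid IP/MAC pair arriving on an interface where that user has no binding. Each is dropped and counted on its ingress interface, which is the per-interface figure the display command later reports.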

Procedure

  1. Create a VLAN and add interfaces to the VLAN.

    # Create VLAN 10, and add Eth2/0/1, Eth2/0/2, Eth2/0/3, and Eth2/0/4 to VLAN 10. Configure an IP address for VLANIF10.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] vlan batch 10
    [RouterA] interface ethernet 2/0/1
    [RouterA-Ethernet2/0/1] port link-type access
    [RouterA-Ethernet2/0/1] port default vlan 10
    [RouterA-Ethernet2/0/1] quit
    [RouterA] interface ethernet 2/0/2
    [RouterA-Ethernet2/0/2] port link-type access
    [RouterA-Ethernet2/0/2] port default vlan 10
    [RouterA-Ethernet2/0/2] quit
    [RouterA] interface ethernet 2/0/3
    [RouterA-Ethernet2/0/3] port link-type access
    [RouterA-Ethernet2/0/3] port default vlan 10
    [RouterA-Ethernet2/0/3] quit
    [RouterA] interface ethernet 2/0/4
    [RouterA-Ethernet2/0/4] port link-type trunk
    [RouterA-Ethernet2/0/4] port trunk allow-pass vlan 10
    [RouterA-Ethernet2/0/4] quit
    [RouterA] interface vlanif 10
    [RouterA-Vlanif10] ip address 10.0.0.1 255.255.255.0
    [RouterA-Vlanif10] quit
    

  2. Configure the port isolation and proxy ARP functions.

    # Configure port isolation on Eth2/0/1, Eth2/0/2, and Eth2/0/3. Eth2/0/1 is used as an example. Configurations of other interfaces are similar to the configuration of Eth2/0/1, and are not mentioned here.

    [RouterA] interface ethernet 2/0/1
    [RouterA-Ethernet2/0/1] port-isolate enable
    [RouterA-Ethernet2/0/1] quit
    

    # All users are in VLAN 10; therefore, configure proxy ARP on VLANIF 10.

    [RouterA] interface vlanif 10
    [RouterA-Vlanif10] arp-proxy inner-sub-vlan-proxy enable
    [RouterA-Vlanif10] quit
    

  3. Configure DHCP snooping.

    # Enable DHCP snooping globally.

    [RouterA] dhcp enable
    [RouterA] dhcp snooping enable
    

    # Enable DHCP snooping in VLAN 10.

    [RouterA] vlan 10
    [RouterA-vlan10] dhcp snooping enable
    [RouterA-vlan10] quit
    

  4. Configure a static binding table.

    [RouterA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface ethernet 2/0/3 vlan 10
    

  5. Enable DAI and the packet discarding alarm function.

    # Enable DAI and packet discarding alarm function on Eth2/0/1, Eth2/0/2, and Eth2/0/3. Eth2/0/1 is used as an example. Configurations of other interfaces are similar to the configuration of Eth2/0/1, and are not mentioned here.

    [RouterA] interface ethernet 2/0/1
    [RouterA-Ethernet2/0/1] arp anti-attack check user-bind enable
    [RouterA-Ethernet2/0/1] arp anti-attack check user-bind alarm enable
    [RouterA-Ethernet2/0/1] quit
    

  6. Verify the configuration.

    # Run the display arp anti-attack check user-bind interface command to check the DAI configuration on each interface. Eth2/0/1 is used as an example.

    [RouterA] display arp anti-attack check user-bind interface ethernet 2/0/1
     arp anti-attack check user-bind enable                                         
     arp anti-attack check user-bind alarm enable                                   
     ARP packet drop count = 966                                                      

    In the preceding command output, the number of discarded ARP packets on Eth2/0/1 is displayed, indicating that the defense against ARP MITM attacks has taken effect.

    By running the display arp anti-attack check user-bind interface command several times on each interface, the administrator can derive the frequency and range of ARP MITM attacks from how the ARP packet drop count changes over time and on which interfaces it grows.
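The following helper turns that manual procedure into code. It is an added example, not a Huawei tool: it parses the ARP packet drop count line from successive captures of the display command output for each interface and converts the counter growth into dropped packets per minute. Interfaces whose counter grows give the range of the attack; the rate gives its frequency. The first Eth2/0/1 sample reuses the count of 966 shown in the output above; all other counts and the timestamps are constructed.

```python
"""Derive attack frequency and range from repeated display output (added example)."""
import re
from datetime import datetime

DROP_COUNT_RE = re.compile(r"ARP packet drop count\s*=\s*(\d+)")


def parse_drop_count(output):
    """Extract the drop counter from the command output; raise if absent."""
    match = DROP_COUNT_RE.search(output)
    if match is None:
        raise ValueError("no 'ARP packet drop count' line in output")
    return int(match.group(1))


def attack_summary(polls):
    """polls: {interface: [(timestamp, output), ...]} in chronological order.

    Returns {interface: drops_per_minute} for every interface whose counter
    increased between the first and last poll. A counter that went backwards
    (interface reset or counter cleared) is skipped rather than reported as a
    negative rate.
    """
    summary = {}
    for iface, samples in polls.items():
        if len(samples) < 2:
            continue
        (t_first, out_first), (t_last, out_last) = samples[0], samples[-1]
        delta = parse_drop_count(out_last) - parse_drop_count(out_first)
        minutes = (t_last - t_first).total_seconds() / 60
        if delta > 0 and minutes > 0:
            summary[iface] = round(delta / minutes, 1)
    return summary


# Constructed polls in the shape of the display command output. Only the
# first Eth2/0/1 count (966) comes from the page; the rest is made up.
OUTPUT_TEMPLATE = (
    " arp anti-attack check user-bind enable\n"
    " arp anti-attack check user-bind alarm enable\n"
    " ARP packet drop count = {count}\n"
)

SAMPLE_POLLS = {
    "Ethernet2/0/1": [
        (datetime(2019, 5, 25, 9, 0), OUTPUT_TEMPLATE.format(count=966)),
        (datetime(2019, 5, 25, 9, 10), OUTPUT_TEMPLATE.format(count=1566)),
    ],
    "Ethernet2/0/2": [
        (datetime(2019, 5, 25, 9, 0), OUTPUT_TEMPLATE.format(count=0)),
        (datetime(2019, 5, 25, 9, 10), OUTPUT_TEMPLATE.format(count=0)),
    ],
    "Ethernet2/0/3": [
        (datetime(2019, 5, 25, 9, 0), OUTPUT_TEMPLATE.format(count=40)),
        (datetime(2019, 5, 25, 9, 10), OUTPUT_TEMPLATE.format(count=12)),  # counter cleared
    ],
}


if __name__ == "__main__":
    for iface, rate in attack_summary(SAMPLE_POLLS).items():
        print(f"{iface}: {rate} dropped ARP packets per minute")
```

With the constructed samples only Eth2/0/1 is reported, at 60 drops per minute: Eth2/0/2 shows no drops, and the Eth2/0/3 counter decreased, which the helper treats as a reset rather than as evidence of an attack.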

Configuration File

Configuration file of RouterA

#
sysname RouterA
#
vlan batch 10
#
dhcp enable                                                                     
#                                                                               
dhcp snooping enable                                                            
user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface Ethernet2/0/3 vlan 10
#                                                                               
vlan 10                                                                          
 dhcp snooping enable                                              
#                                                                               
interface Vlanif10                                                                 
 ip address 10.0.0.1 255.255.255.0                                                 
 arp-proxy inner-sub-vlan-proxy enable                                           
# 
interface Ethernet2/0/1
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 port-isolate enable group 1
#   
interface Ethernet2/0/2
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 port-isolate enable group 1
#
interface Ethernet2/0/3
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 port-isolate enable group 1
#   
interface Ethernet2/0/4
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                                   
#   
return
Updated: 2019-05-25

Document ID: EDOC1000097287