Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring ARP Security

This section describes the procedures for configuring ARP security.

Configuring Defense Against ARP Flood Attacks

Configuring defense against ARP flood attacks prevents ARP entries from being exhausted and the CPU from being overloaded, ensuring that user communication is not interrupted.

Pre-configuration Tasks

Before configuring defense against ARP flood attacks, complete the following task:

  • Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up

Configuration Process

Operations in the configuration process can be performed in any sequence as required.

NOTE:

When rate limit on ARP packets is configured globally or on an interface and rate limit on ARP packets based on the source MAC address or source IP address is also configured, the smallest rate is used.

When rate limit on ARP Miss messages is configured globally or on an interface and rate limit on ARP Miss messages based on the source MAC address or source IP address is also configured, the smallest rate is used.

Configuring Rate Limit on ARP Packets based on the Source MAC Address

Context

When processing a large number of ARP packets with fixed source MAC addresses but variable IP addresses, the CPU is overloaded and ARP entries are exhausted.

To prevent this problem, limit the rate of ARP packets based on the source MAC address. The device collects statistics on ARP packets from a specified source MAC address. If the number of ARP packets from the specified source MAC address in 1 second exceeds the threshold, the device discards the excess ARP packets.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configuring rate limit on ARP packets based on the source MAC address

    • Run:

      arp speed-limit source-mac maximum maximum

      The maximum rate of ARP packets from a source MAC address is set.

    • Run:

      arp speed-limit source-mac mac-address maximum maximum

      The maximum rate of ARP packets from a specified source MAC address is set.

    When the preceding configurations are both performed, the maximum rate set using the arp speed-limit source-mac mac-address maximum maximum command takes effect on ARP packets from the specified source MAC address, and the maximum rate set using the arp speed-limit source-mac maximum maximum command takes effect on ARP packets from other source MAC addresses.

    By default, the maximum rate of ARP packets from each source MAC address is set to 0, that is, the rate of ARP packets is not limited based on the source MAC address.

Configuring Rate Limit on ARP Packets based on the Source IP Address

Context

When processing a large number of ARP packets with fixed IP addresses, the CPU is overloaded and cannot process other services.

To prevent this problem, limit the rate of ARP packets based on the source IP address. The device collects statistics on ARP packets from a specified source IP address. If the number of ARP packets from the specified source IP address in 1 second exceeds the threshold, the device discards the excess ARP packets.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configuring rate limit on ARP packets based on the source IP address

    • Run:

      arp speed-limit source-ip maximum maximum

      The maximum rate of ARP packets from a source IP address is set.

    • Run:

      arp speed-limit source-ip ip-address maximum maximum

      The maximum rate of ARP packets from a specified source IP address is set.

    When the preceding configurations are both performed, the maximum rate set using the arp speed-limit source-ip ip-address maximum maximum command takes effect on ARP packets from the specified source IP address, and the maximum rate set using the arp speed-limit source-ip maximum maximum command takes effect on ARP packets from other source IP addresses.

    By default, the device allows a maximum of 5 ARP packets from the same source IP address to pass through in 1 second.

Configuring Rate Limit on ARP Packets (Globally or on an Interface)

Context

When processing a large number of ARP packets, the device does not have sufficient CPU resources to process other services. To protect the CPU resources of the device, limit the rate of ARP packets.

After rate limit on ARP packets is enabled, set the maximum rate and rate limit duration of ARP packets globally or on an interface. In the rate limit duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.

  • Limiting the rate of ARP packets globally: limits the number of ARP packets to be processed by the system. When an ARP attack occurs, the device limits the rate of ARP packets globally.

  • Limiting the rate of ARP packets on an interface: limits the number of ARP packets to be processed on an interface. The configuration on an interface does not affect ARP entry learning on other interfaces.

If the maximum rate and rate limit duration are set both globally and on an interface, the configuration on the interface takes precedence over the global configuration.

If you want the device to generate alarms to notify the network administrator when a large number of excess ARP packets are discarded, enable the alarm function. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.

NOTE:

If the alarm function is enabled, you need to run the arp anti-attack log-trap-timer time command to set the interval for sending alarms.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Run:

    interface interface-type interface-number

    The interface view is displayed.

    NOTE:

    If you configure rate limit on ARP packets in the system view, skip this step.

  3. Run:

    arp anti-attack rate-limit enable

    Rate limit on ARP packets is enabled.

    By default, rate limit on ARP packets is disabled.

  4. Run:

    arp anti-attack rate-limit packet-number [ interval-value ]

    The maximum rate and rate limit duration of ARP packets are set.

    By default, a maximum of 100 ARP packets are allowed to pass in 1 second.

  5. (Optional) Run:

    arp anti-attack rate-limit alarm enable

    The alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is enabled.

    By default, the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is disabled.

  6. (Optional) Run:

    arp anti-attack rate-limit alarm threshold threshold

    The alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is set.

    By default, the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is 100.
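How the limits in the preceding sections interact, as an added example that is not part of the Huawei guide: a small Python model replays constructed ARP traffic through the per-source-MAC, per-source-IP and global (or interface) limits described above, using the page's defaults (source IP 5 pps, source MAC unlimited, 100 pps once `arp anti-attack rate-limit` is enabled), and shows how the smallest applicable rate governs. The fixed one-second window, treating a source-IP limit of 0 as unlimited, and attributing a drop to the first limit hit are modelling assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class ArpRateLimitPolicy:
    """ARP packet rate limits from this page, with the documented defaults."""
    # arp anti-attack rate-limit packet-number [interval]; None = feature not enabled.
    # Once enabled, the documented default is 100 packets per 1 second.
    global_limit: Optional[int] = None
    interval_s: int = 1
    # arp speed-limit source-mac maximum; 0 = not limited per source MAC (the default).
    source_mac_default: int = 0
    # arp speed-limit source-mac <mac> maximum overrides the default for that MAC only.
    source_mac_specific: Dict[str, int] = field(default_factory=dict)
    # arp speed-limit source-ip maximum; the default allows 5 packets per second per IP.
    source_ip_default: int = 5
    source_ip_specific: Dict[str, int] = field(default_factory=dict)


def apply_rate_limits(policy: ArpRateLimitPolicy,
                      packets: Iterable[Tuple[float, str, str]]) -> Tuple[int, Dict[str, int]]:
    """Replay (time_s, src_mac, src_ip) ARP packets through the policy.

    Every applicable limit counts received packets per fixed window; a packet is
    discarded as soon as any counter exceeds its limit, which is how the page's
    "smallest rate is used" rule plays out. Returns (passed, drops_by_limit).
    Assumption (not on the page): a source-ip limit of 0 is treated as unlimited,
    as the page states for the source-mac and ARP Miss limits.
    """
    counters: Dict[tuple, int] = defaultdict(int)
    passed, dropped = 0, defaultdict(int)
    for t, src_mac, src_ip in packets:
        window = int(t // policy.interval_s)
        checks: List[Tuple[str, tuple, int]] = []   # (limit name, counter key, limit)
        if policy.global_limit is not None:
            checks.append(("rate-limit", ("all",), policy.global_limit))
        mac_limit = policy.source_mac_specific.get(src_mac, policy.source_mac_default)
        if mac_limit > 0:
            checks.append(("speed-limit source-mac", ("mac", src_mac), mac_limit))
        ip_limit = policy.source_ip_specific.get(src_ip, policy.source_ip_default)
        if ip_limit > 0:
            checks.append(("speed-limit source-ip", ("ip", src_ip), ip_limit))
        for _, key, _ in checks:
            counters[(window, key)] += 1
        exceeded = [name for name, key, limit in checks if counters[(window, key)] > limit]
        if exceeded:
            dropped[exceeded[0]] += 1   # attribute the drop to the first limit hit
        else:
            passed += 1
    return passed, dict(dropped)


def burst(n: int, start_s: float, src_mac: str, src_ip: str) -> List[Tuple[float, str, str]]:
    """Constructed sample traffic: n ARP packets 1 ms apart from one host."""
    return [(start_s + i / 1000, src_mac, src_ip) for i in range(n)]


def demo():
    host = ("00:00:5e:00:53:01", "192.0.2.10")      # constructed documentation addresses
    other = ("00:00:5e:00:53:02", "192.0.2.11")
    # Defaults: only the 5 pps per-IP limit applies, so 3 of 8 packets are discarded.
    defaults = apply_rate_limits(ArpRateLimitPolicy(), burst(8, 0.0, *host))
    # Add a 3 pps per-MAC limit: the smaller rate governs and only 3 packets pass.
    smallest = apply_rate_limits(ArpRateLimitPolicy(source_mac_default=3), burst(8, 0.0, *host))
    # A specific-MAC limit overrides the default for that MAC only.
    specific = ArpRateLimitPolicy(source_mac_default=10, source_mac_specific={host[0]: 2},
                                  source_ip_default=0)
    per_mac = apply_rate_limits(specific, burst(4, 0.0, *host) + burst(4, 0.0, *other))
    # Counters reset every interval: 5 packets in each of two seconds all pass.
    windows = apply_rate_limits(ArpRateLimitPolicy(), burst(5, 0.2, *host) + burst(5, 1.2, *host))
    return defaults, smallest, per_mac, windows
```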

Configuring Rate Limit on ARP Miss Messages based on the Source IP Address

Context

If the number of ARP Miss messages triggered by IP packets from a source IP address in 1 second exceeds the limit, the device considers that an attack is initiated from the source IP address.

The administrator can set the maximum number of ARP Miss messages that the device can process within a specified duration based on the actual network environment, protecting the system resources and ensuring proper running of other services.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Configuring rate limit on ARP Miss messages based on the source IP address

    • Run:
      arp-miss speed-limit source-ip maximum maximum

      The maximum rate of ARP Miss messages triggered by IP packets from a source IP address is set.

    • Run:
      arp-miss speed-limit source-ip ip-address maximum maximum

      The maximum rate of ARP Miss messages triggered by IP packets from a specified source IP address is set.

    When the preceding configurations are both performed, the maximum rate set using the arp-miss speed-limit source-ip ip-address maximum maximum command takes effect on ARP Miss messages triggered by IP packets from the specified source IP address, and the maximum rate set using the arp-miss speed-limit source-ip maximum maximum command takes effect on ARP Miss messages triggered by IP packets from other source IP addresses.

    If the maximum rate of ARP Miss messages is set to 0, the rate of ARP Miss messages is not limited based on the source IP address. By default, the device processes a maximum of 5 ARP Miss messages triggered by IP packets from the same source IP address in 1 second.

Configuring Rate Limit on ARP Miss Messages Globally

Context

If a host sends a large number of IP packets with unresolvable destination IP addresses to attack a device, that is, if the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route, the device triggers a large number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the master control board for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

To avoid the preceding problems, configure rate limit on ARP Miss messages.

If you want the device to generate alarms to notify the network administrator when a large number of excess ARP Miss messages are discarded, enable the alarm function. When the number of discarded ARP Miss messages exceeds the alarm threshold, the device generates an alarm.

NOTE:

If the alarm function is enabled, you need to run the arp anti-attack log-trap-timer time command to set the interval for sending alarms.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    arp-miss anti-attack rate-limit enable

    Rate limit on ARP Miss messages is enabled.

    By default, rate limit on ARP Miss messages is disabled.

  3. Run:

    arp-miss anti-attack rate-limit packet-number [ interval-value ]

    The maximum rate and rate limit duration of ARP Miss messages are set.

    By default, the device can process a maximum of 100 ARP Miss messages in 1 second.

  4. (Optional) Run:

    arp-miss anti-attack rate-limit alarm enable

    The alarm function for discarded ARP Miss messages when the rate of ARP Miss packets exceeds the limit is enabled.

    By default, the alarm function is disabled.

  5. (Optional) Run:

    arp-miss anti-attack rate-limit alarm threshold threshold

    The alarm threshold for ARP Miss messages discarded when the rate of ARP Miss messages exceeds the limit is set.

    By default, the alarm threshold is 100.

Setting the Aging Time of Temporary ARP Entries

Context

When IP packets trigger ARP Miss messages, the device generates temporary ARP entries and sends ARP Request packets to the destination network.
  • In the aging time of temporary ARP entries:
    • An IP packet that is received before the ARP Reply packet and matches a temporary ARP entry is discarded and triggers no ARP Miss message.
    • After receiving the ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • When temporary ARP entries age out, the device clears them. If no ARP entry matches the IP packets forwarded by the device, ARP Miss messages are triggered again and temporary ARP entries are regenerated. This process continues.

You can limit the rate of ARP Miss messages by setting the aging time of temporary ARP entries. When ARP Miss attacks occur on the device, you can extend the aging time of temporary ARP entries to reduce the frequency of triggering ARP Miss messages so that the impact on the device is minimized.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

    The interface type can be GE or VLANIF.

  3. Run:

    arp-fake expire-time expire-time

    The aging time of temporary ARP entries is set.

    By default, the aging time of temporary ARP entries is 1 second.

Configuring Strict ARP Learning

Context

If many users send a large number of ARP packets to a device at the same time, or attackers send bogus ARP packets to the device, the following problems occur:
  • Many CPU resources are consumed to process a large number of ARP packets. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • Bogus ARP packets modify ARP entries on the device. As a result, authorized users cannot communicate.

To avoid the preceding problems, configure the strict ARP learning function on the gateway. This function indicates that the device learns only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. In this way, the device can defend against most ARP attacks.

Strict ARP learning can be configured globally or in the interface view.

  • If strict ARP learning is enabled globally, all interfaces on the device learn ARP entries strictly.
  • If strict ARP learning is enabled in the interface view, only the interface learns ARP entries strictly.

When strict ARP learning is enabled globally and in the interface view simultaneously, the configuration on the interface takes precedence over the global configuration.

NOTE:
When strict ARP learning is enabled globally:
  • If you run the arp learning strict force-disable command on a specified interface, strict ARP learning is forced to be disabled on the interface.
  • If you run the arp learning strict trust command on a specified interface, strict ARP learning configured globally takes effect on the interface.

Procedure

  • Configuring strict ARP learning globally
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      arp learning strict

      Strict ARP learning is enabled globally.

      By default, strict ARP learning is disabled.

  • Configuring strict ARP learning on the interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      arp learning strict { force-enable | force-disable | trust }

      Strict ARP learning is configured on the interface as force-enable, force-disable, or trust.

      By default, strict ARP learning is disabled on the interface.

Configuring Interface-based ARP Entry Limit

Context

To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of the ARP entries learned by a specified interface reaches the maximum number, no dynamic ARP entry can be added.

Procedure

  • Configuring ARP entry limiting on the Ethernet interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

      ARP entry limit on the Ethernet interface is configured.

  • Configuring ARP entry limit on the VLANIF interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface vlanif vlan-id

      The VLANIF interface view is displayed.

    3. Run:

      arp-limit maximum maximum

      ARP entry limit on the VLANIF interface is configured.

Checking the Configuration

Procedure

  • Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | packet-check | all } command to check the ARP anti-attack configuration.

  • Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to check the maximum number of ARP entries that an interface can learn.
  • Run the display arp learning strict command to check strict ARP learning globally and on all VLANIF interfaces.

Configuring Defense Against ARP Spoofing Attacks

An attacker sends bogus ARP packets to the device or host on a network. The device or hosts modify their ARP entries, leading to packet forwarding failures.

Pre-configuration Tasks

Before configuring defense against ARP spoofing attacks, complete the following task:

  • Connecting interfaces and setting physical parameters for the interfaces to ensure that the physical status of the interfaces is Up
Configuration Process

Operations in the configuration process can be performed in any sequence as required.

Configuring ARP Entry Fixing

Context

To defend against ARP address spoofing attacks, configure ARP entry fixing. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:
  • fixed-mac mode: When receiving an ARP packet, the device discards the packet if the MAC address does not match that in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry but the interface number or VLAN ID does not, the device updates the interface number or VLAN ID in the ARP entry. This mode applies to networks that use static IP addresses and have redundant links, where the interface recorded in an ARP entry can change quickly when services are switched to another link.
  • fixed-all mode: When the MAC address, interface number, and VLAN ID of an ARP packet match those in the corresponding ARP entry, the device updates other information about the ARP entry. This mode applies to networks that use static IP addresses and have no redundant link, and the scenario where users with the same IP address access the device using the same interface.
  • send-ack mode: When the device receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user. This mode applies to networks that use dynamic IP addresses and have redundant links.
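The three modes side by side, as an added example in Python that is not the device's implementation: a decision function applies the fixed-mac, fixed-all and send-ack rules listed above to an incoming ARP packet for an IP address the gateway already holds an entry for. The entry fields, the sample addresses and how the send-ack probe result is interpreted are assumptions and are marked in the code.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class ArpEntry:
    """The fields the page says entry fixing compares: MAC, interface number, VLAN ID."""
    ip: str
    mac: str
    interface: str
    vlan: int


def entry_check(mode: str, entry: ArpEntry, pkt: ArpEntry,
                owner_answers: Optional[Callable[[ArpEntry], bool]] = None) -> Tuple[str, ArpEntry]:
    """Model of `arp anti-attack entry-check <mode> enable` for one incoming packet.

    `pkt` carries the MAC, interface and VLAN seen in the packet for entry.ip.
    `owner_answers` models the send-ack probe: called with the original entry, it
    returns True if the host at the original MAC replies to the unicast ARP Request.
    Returns (action, resulting entry).
    """
    same_mac = pkt.mac == entry.mac
    same_port = (pkt.interface, pkt.vlan) == (entry.interface, entry.vlan)

    if mode == "fixed-mac":
        if not same_mac:
            return "discard", entry                    # MAC differs: packet is dropped
        if not same_port:                              # MAC matches: follow the link switchover
            return "update-port", replace(entry, interface=pkt.interface, vlan=pkt.vlan)
        return "refresh", entry

    if mode == "fixed-all":
        if same_mac and same_port:
            return "refresh", entry                    # only "other information" is updated
        return "no-update", entry                      # any changed field: entry left as is

    if mode == "send-ack":
        if same_mac and same_port:
            return "refresh", entry
        if owner_answers is None:
            raise ValueError("send-ack mode needs a probe callback")
        # Assumption about the page's wording: if the original owner still answers the
        # unicast probe, the change is rejected; if it stays silent, the host really
        # moved and the entry takes the new MAC, interface and VLAN.
        if owner_answers(entry):
            return "keep-original", entry
        return "update-after-probe", replace(entry, mac=pkt.mac, interface=pkt.interface, vlan=pkt.vlan)

    raise ValueError(f"unknown entry-check mode: {mode}")


def demo() -> Dict[str, str]:
    """Constructed case: a spoofed MAC for a known IP, and a host that moved to another port."""
    entry = ArpEntry("192.0.2.10", "00:00:5e:00:53:01", "GE0/0/1", 10)
    spoof = ArpEntry("192.0.2.10", "00:00:5e:00:53:99", "GE0/0/1", 10)
    moved = ArpEntry("192.0.2.10", "00:00:5e:00:53:01", "GE0/0/2", 10)
    still_there = lambda original: True                # the real owner answers the probe
    return {
        "fixed-mac/spoof": entry_check("fixed-mac", entry, spoof)[0],
        "fixed-mac/moved": entry_check("fixed-mac", entry, moved)[0],
        "fixed-all/moved": entry_check("fixed-all", entry, moved)[0],
        "send-ack/spoof": entry_check("send-ack", entry, spoof, still_there)[0],
    }
```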

Procedure

  1. Configure ARP entry fixing globally
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

      ARP entry fixing is enabled.

      By default, ARP entry fixing is disabled.

Configuring Gratuitous ARP Packet Sending

Context

If an attacker forges the gateway address to send ARP packets to other hosts, ARP entries on the hosts record the incorrect gateway address. As a result, the gateway cannot receive data sent from the hosts. You can enable gratuitous ARP packet sending on the gateway. Then the gateway sends gratuitous ARP packets at intervals to update the ARP entries of authorized users so that the ARP entries contain the correct MAC address of the gateway.

You can configure gratuitous ARP packet sending globally or on a VLANIF interface.
  • If gratuitous ARP packet sending is enabled globally, all interfaces have this function enabled by default.
  • If gratuitous ARP packet sending is enabled globally and on a VLANIF interface simultaneously, the configuration on the VLANIF interface takes precedence over the global configuration.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. (Optional) Run:

    interface vlanif vlan-id

    The VLANIF interface view is displayed.

    NOTE:

    If you configure gratuitous ARP packet sending in the system view, skip this step.

  3. Run:

    arp gratuitous-arp send enable

    Gratuitous ARP packet sending is enabled.

    By default, gratuitous ARP packet sending is disabled.

  4. (Optional) Run:

    arp gratuitous-arp send interval interval-time

    The interval for sending gratuitous ARP packets is set.

    By default, the interval for sending gratuitous ARP packets is 90 seconds.

Configuring MAC Address Consistency Check in an ARP Packet

Context

This function defends against attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header.

This function enables the gateway to check the MAC address consistency in an ARP packet before ARP learning. If the source and destination MAC addresses in an ARP packet are different from those in the Ethernet frame header, the device discards the packet as an attack. If the source and destination MAC addresses in an ARP packet are the same as those in the Ethernet frame header, the device performs ARP learning.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    arp validate { source-mac | destination-mac }*

    MAC address consistency check in an ARP packet is enabled. This function compares the source and destination MAC addresses in ARP packets with those in the Ethernet frame header.

    By default, MAC address consistency check in an ARP packet is disabled.

    NOTE:

    VLANIF interfaces do not support the arp validate { source-mac | destination-mac }* command. When receiving ARP packets, a VLANIF interface checks MAC address consistency based on the rule configured on the member interface.

Configuring ARP Packet Validity Check

Context

After receiving an ARP packet, the device checks validity of the ARP packet, including:
  • Packet length
  • Validity of the source and destination MAC addresses in the ARP packet
  • ARP Request type and ARP Reply type
  • MAC address length
  • IP address length
  • Whether the ARP packet is an Ethernet frame

These check items determine whether an ARP packet is valid. A packet whose source MAC address in the ARP payload differs from the source MAC address in the Ethernet frame header is allowed by the ARP protocol but is possibly an attack packet.

After ARP packet validity check is enabled, the device checks the source MAC addresses in the ARP packet and Ethernet frame header, and discards the packets with inconsistent source MAC addresses.
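An added example in Python, not the device's code, covering both the MAC address consistency check in the previous section and the validity items listed here: it parses a constructed Ethernet II + ARP frame, applies each check, and reports which ones fail. `build_arp_frame`, the sample MAC and IP addresses, the unicast rule for sender and target MACs, and applying the destination-MAC check to ARP Reply packets only are assumptions.

```python
import socket
import struct
from typing import List

ETH_P_ARP = 0x0806           # EtherType for ARP
HW_ETHERNET = 1              # ARP hardware type for Ethernet
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = b"\x00" * 6
MIN_ARP_FRAME = 14 + 28      # Ethernet II header + ARP payload for 6-byte MAC / 4-byte IP


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp_frame(eth_dst: str, eth_src: str, op: int, sha: str, spa: str, tha: str, tpa: str,
                    ethertype: int = ETH_P_ARP, hlen: int = 6, plen: int = 4) -> bytes:
    """Constructed Ethernet II + ARP frame used as sample input (not captured traffic)."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", ethertype)
    arp = struct.pack("!HHBBH", HW_ETHERNET, 0x0800, hlen, plen, op)
    arp += mac(sha) + socket.inet_aton(spa) + mac(tha) + socket.inet_aton(tpa)
    return eth + arp


def check_arp_frame(frame: bytes, validate_source: bool = True,
                    validate_destination: bool = True) -> List[str]:
    """Return the failed checks (empty list = the packet is accepted for ARP learning).

    The first group mirrors the validity items listed on the page; the last two model
    `arp validate source-mac` / `destination-mac` and `packet-check sender-mac`.
    Assumption: the destination check applies to ARP Reply packets only, because a
    broadcast Request legitimately carries an all-zero target MAC.
    """
    if len(frame) < MIN_ARP_FRAME:
        return ["packet length"]
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    sha, tha = frame[22:28], frame[32:38]

    problems = []
    if ethertype != ETH_P_ARP or htype != HW_ETHERNET:
        problems.append("not an Ethernet ARP frame")
    if hlen != 6:
        problems.append("MAC address length")
    if plen != 4:
        problems.append("IP address length")
    if op not in (ARP_REQUEST, ARP_REPLY):
        problems.append("ARP operation")
    # A sender MAC must be a real unicast address: not all-zero and not group/broadcast
    # (I/G bit of the first byte set). The same rule is applied to the target MAC of a Reply.
    if sha == ZERO_MAC or sha[0] & 1:
        problems.append("invalid sender MAC")
    if op == ARP_REPLY and (tha == ZERO_MAC or tha[0] & 1):
        problems.append("invalid target MAC")
    # Allowed by the ARP protocol, but a sender MAC that differs from the frame's source
    # MAC is the mark of a crafted packet, so it is discarded when the check is enabled.
    if validate_source and sha != eth_src:
        problems.append("source-mac mismatch")
    if validate_destination and op == ARP_REPLY and tha != eth_dst:
        problems.append("destination-mac mismatch")
    return problems
```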

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    arp anti-attack packet-check sender-mac

    ARP packet validity check is enabled.

    By default, ARP packet validity check is disabled.

Configuring Strict ARP Learning

Context

If many users send a large number of ARP packets to a device at the same time, or attackers send bogus ARP packets to the device, the following problems occur:
  • Many CPU resources are consumed to process a large number of ARP packets. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • Bogus ARP packets modify ARP entries on the device. As a result, authorized users cannot communicate.

To avoid the preceding problems, configure the strict ARP learning function on the gateway. This function indicates that the device learns only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. In this way, the device can defend against most ARP attacks.

Strict ARP learning can be configured globally or in the interface view.

  • If strict ARP learning is enabled globally, all interfaces on the device learn ARP entries strictly.
  • If strict ARP learning is enabled in the interface view, only the interface learns ARP entries strictly.

When strict ARP learning is enabled globally and in the interface view simultaneously, the configuration on the interface takes precedence over the global configuration.

NOTE:
When strict ARP learning is enabled globally:
  • If you run the arp learning strict force-disable command on a specified interface, strict ARP learning is forced to be disabled on the interface.
  • If you run the arp learning strict trust command on a specified interface, strict ARP learning configured globally takes effect on the interface.

Procedure

  • Configuring strict ARP learning globally
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      arp learning strict

      Strict ARP learning is enabled globally.

      By default, strict ARP learning is disabled.

  • Configuring strict ARP learning on the interface
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. Run:

      arp learning strict { force-enable | force-disable | trust }

      Strict ARP learning is configured on the interface as force-enable, force-disable, or trust.

      By default, strict ARP learning is disabled on the interface.

Checking the Configuration

Procedure

  • Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | packet-check | all } command to check the ARP anti-attack configuration.

  • Run the display arp learning strict command to check strict ARP learning globally and on all VLANIF interfaces.
Updated: 2019-01-11

Document ID: EDOC1000176006

Views: 118734

Downloads: 309

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next