No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
ARP Security Solutions

ARP Security Solutions

You need to select a proper ARP security solution depending on the attack type and symptoms, as described in Table 7-1 and Table 7-2.

Table 7-1  ARP security solutions to ARP flood attacks

Symptom

Identification

Anti-Attack Function

Function Description

Deployment

  • Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
  • The device fails to learn some ARP entries because of a high CPU usage or is disconnected from the NMS, the attached devices are disconnected from the network, the device frequently alternates between master and slave states, or its interface indicators blink fast red.
  • Ping responses are delayed, packets are lost, or the ping operation fails.
  • A large number of ARP packets are discarded (according to the display cpu-defend statistics packet-type { arp-request | arp-reply } all command output).

  • There are logs or alarms indicating that the rate of ARP packets exceeds the upper limit on the device.

Rate limit on ARP packets

Limits the rate of ARP packets, ensuring that the device has sufficient CPU resources to process other services when receiving a large number of ARP packets.

You are advised to enable this function on the gateway.

NOTE:

When an access device is enabled with MAC-Forced Forwarding (MFF), the MFF module may forward too many ARP packets with the destination IP addresses that are different from the IP address of the interface receiving these packets, which leads to CPU overload. To resolve this problem, limit the rate of ARP packets globally, in a VLAN, or on an interface.

  • A large number of ARP packets are discarded (according to the display cpu-defend statistics packet-type arp-miss all command output).

  • The device generates a log or an alarm indicating that the rate of ARP Miss messages exceeds the upper limit.

Rate limit on ARP Miss messages

Limits the rate of ARP Miss messages to defend against attacks from a large number of IP packets with unresolvable destination IP addresses, ensuring that the device has sufficient CPU resources to process other services.

You are advised to enable this function on the gateway.

In capturing packets, you find that the device is receiving a lot of ARP packets whose destination IP address is the device IP address.

ARP reply optimization

This function improves the stack's capability of defending against ARP flood attacks. After ARP reply optimization is configured, the standby/slave switch directly returns an ARP Reply packet when receiving an ARP Request packet of which the destination IP address is the local interface address.

You are advised to configure this function on the stack that is used as the gateway.

A large number of ARP packets are discarded (according to the display cpu-defend statistics packet-type { arp-request | arp-reply } all command output).

Strict ARP learning

Allows the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent. This prevents ARP entries from being exhausted by invalid ARP packets.

You are advised to enable this function on the gateway.

ARP entry limitation

Limits the maximum number of dynamic ARP entries that can be learned by an interface on the device, preventing ARP entries from being exhausted when a host connected to the interface attacks the device.

You are advised to enable this function on the gateway.

Disabling ARP learning on interfaces

Disables an interface from learning ARP entries, preventing ARP entries from being exhausted when a host connected to the interface attacks the device.

You are advised to enable this function on the gateway.

Table 7-2  ARP security solutions to ARP spoofing attacks

Symptom

Identification

Anti-Attack Function

Function Description

Deployment

  • Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
  • Ping packets are lost, or the ping operation fails.

You run the display arp all command to find that the user ARP entries are modified.

Fixed ARP

After the device with this function enabled learns an ARP entry for the first time, it does not update or updates only part of the ARP entry, or sends a unicast ARP Request packet to validate the ARP packet for updating the entry.

This ensures that valid ARP entries will not be replaced by attackers using forged ARP packets.

The device supports three ARP entry fixing modes: fixed-all, fixed-mac, and send-ack.

You are advised to enable this function on the gateway.

  • Network access speed is low.
  • Ping responses are delayed, or packets are lost.

When checking user ARP entries, you find that the ARP entry of the peer user communicating with the local user is modified.

Dynamic ARP inspection

Allows a device to compare the source IP address, source MAC address, interface number, and VLAN ID of an ARP packet with DHCP snooping binding entries. If an entry is matched, the device considers the ARP packet valid and allows the packet to pass through. If no entry is matched, the device considers the ARP packet invalid and discards the packet.

This function is available only for DHCP snooping scenarios.

You are advised to enable this function on an access device.

NOTE:

When ARP learning triggered by DHCP is enabled on the gateway, this function can be enabled on the gateway.

  • Users are disconnected, network connections are frequently interrupted, users cannot access the network, or services are interrupted.
  • The device is disconnected from an NMS, an attached device is disconnected, or the gateway address conflicts occur.
  • Ping packets are lost, or the ping operation fails.
  • When checking user ARP entries, you find that the gateway's ARP entry is modified.

  • There are gateway conflict logs or alarms on the device.

ARP gateway anti-collision

Prevents gateway ARP entries on hosts from being modified by attackers using bogus gateway IP addresses.

You are advised to enable this function on the gateway.

  • Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
  • Ping responses are delayed, packets are lost, or the ping operation fails.

When checking user ARP entries, you find that the ARP entries of the gateway or peer user communicating with the local user are modified.

Gratuitous ARP packet sending

Allows the device used as the gateway to periodically send ARP Request packets whose destination IP address is the device IP address to update the gateway MAC address in ARP entries. This function ensures that packets of authorized users are forwarded to the gateway and prevents hackers from intercepting these packets.

You are advised to enable this function on the gateway.

  • Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
  • The device is disconnected from an NMS, an attached device is disconnected, or the gateway address conflicts occur.
  • Ping responses are delayed, packets are lost, or the ping operation fails.

You run the display arp all command to find that the user ARP entries are modified.

MAC address consistency check in an ARP packet

Defends against attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header.

You are advised to enable this function on the gateway.

In capturing packets, you find that invalid packets are sent to initiate ARP spoofing attacks.

ARP packet validity check

Allows the device to filter out packets with invalid MAC addresses or IP addresses. The device checks ARP packets based on source MAC addresses, destination MAC addresses, or IP addresses.

You are advised to enable this function on the gateway or an access device.

You run the display arp all command to find that the user ARP entries are modified.

Strict ARP learning

Allows the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent. This prevents the device from incorrectly updating ARP entries for the received bogus ARP packets.

You are advised to enable this function on the gateway.

  • Network access speed is slow, users are disconnected, network access is frequently interrupted, users cannot access the network, or services are interrupted.
  • Ping responses are delayed, packets are lost, or the ping operation fails.

When checking user ARP entries in DHCP snooping scenarios, you find that the ARP table of the peer user communicating with the local user is modified.

ARP learning triggered by DHCP

Allows the device to generate ARP entries based on received DHCP ACK packets. When many DHCP users connect to a network device, the device needs to learn and maintain many ARP entries, affecting device performance. This function prevents this problem.

You can also configure DAI to prevent ARP entries of DHCP users from being modified maliciously.

You are advised to enable this function on the gateway.

Translation
Download
Updated: 2019-09-23

Document ID: EDOC1000178177

Views: 231072

Downloads: 746

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next