No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Can the Device Be Deployed with the ARP Anti-Attack Function?

Can the Device Be Deployed with the ARP Anti-Attack Function?

Table 7-6 and Table 7-7 describe the ARP anti-attack function that can be deployed on the device and provides the deployment position.

Table 7-6  Flood attack defense

ARP Anti-Attack Function

Function Description

Deployment Position

Rate limit on ARP packets

Based on source MAC addresses

Limits the rate of ARP packets, ensuring that the device has sufficient CPU resources to process other services when receiving a large number of ARP packets.

You are advised to enable this function on the gateway.

NOTE:

When an access device is enabled with MAC-Forced Forwarding (MFF), the MFF module may forward too many ARP packets with the destination IP address different from the IP address of the interface receiving these packets, which leads to CPU overload. To resolve this problem, limit the rate of ARP packets globally, in a VLAN, or on an interface.

Based on source IP addresses

Globally, in a VLAN, and on an interface

Rate limit on ARP Miss messages

Based on source IP addresses

Limits the rate of ARP Miss messages to defend against attacks from a large number of IP packets with unresolvable destination IP addresses.

You are advised to enable this function on the gateway.

Globally, in a VLAN, and on an interface

ARP reply optimization

This function improves the stack's capability of defending against ARP flood attacks. After ARP reply optimization is configured, the standby/slave switch directly returns an ARP Reply packet when receiving an ARP Request packet of which the destination IP address is the local interface address.

You are advised to configure this function on the stack that is used as the gateway.

Strict ARP learning

Allows the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. This prevents ARP entries from being exhausted by invalid ARP packets.

You are advised to enable this function on the gateway.

ARP entry limitation

Limits the maximum number of dynamic ARP entries that can be learned by the device, preventing ARP entries from being exhausted when a host connected to the interface attacks the device.

You are advised to enable this function on the gateway.

Disabling ARP learning on interfaces

Disables an interface from learning ARP entries, preventing ARP entries from being exhausted when a host connected to the interface attacks the device.

You are advised to enable this function on the gateway.

Table 7-7  Spoofing attack defense

ARP Anti-Attack Function

Function Description

Deployment Position

Fixed ARP

After the device with this function enabled learns an ARP entry for the first time, it does not modify the ARP entry, but only updates part of the entry, or sends an ARP Request packet to check validity of the ARP packet for updating the entry.

The device supports three ARP entry fixing modes: fixed-all, fixed-mac, and send-ack.

You are advised to enable this function on the gateway.

Dynamic ARP inspection

Allows a device to compare the source IP address, source MAC address, interface number, and VLAN ID of an ARP packet with DHCP snooping binding entries. If an entry is matched, the device considers the ARP packet valid and allows the packet to pass through. If no entry is matched, the device considers the ARP packet invalid and discards the packet.

This function is available only for DHCP snooping scenarios.

You are advised to enable this function on an access device.

NOTE:

When ARP learning triggered by DHCP is enabled on the gateway, this function can be enabled on the gateway.

ARP gateway anti-collision

Prevents gateway ARP entries on hosts from being modified by attackers using bogus gateway IP addresses.

You are advised to enable this function on the gateway.

Gratuitous ARP packet sending

Allows the device used as the gateway to periodically send ARP Request packets whose destination IP address is the device IP address to update the gateway MAC address in ARP entries. This function ensures that packets of authorized users are forwarded to the gateway and prevents hackers from intercepting these packets.

You are advised to enable this function on the gateway.

MAC address consistency check in an ARP packet

Defends against attacks from bogus ARP packets in which the source and destination MAC addresses are different from those in the Ethernet frame header.

You are advised to enable this function on the gateway.

ARP packet validity check

Allows the device to filter out packets with invalid MAC addresses or IP addresses. The device checks ARP packets based on the source MAC address, destination MAC address, or IP address.

You are advised to enable this function on the gateway or an access device.

Strict ARP learning

Allows the device to learn only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. This prevents the device from incorrectly updating ARP entries for the received bogus ARP packets.

You are advised to enable this function on the gateway.

ARP learning triggered by DHCP

Allows the device to generate ARP entries based on received DHCP ACK packets. When there are a large number of DHCP users, the device needs to learn many ARP entries and age them, affecting device performance. This function prevents this problem.

You can also deploy DAI to prevent ARP entries of DHCP users from being modified maliciously.

You are advised to enable this function on the gateway.

Translation
Download
Updated: 2019-10-21

Document ID: EDOC1000178177

Views: 234655

Downloads: 756

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next