No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring ARP Packet Validity Check

Configuring ARP Packet Validity Check

Context

To avoid ARP attacks, you can enable ARP packet validity check on an access device or a gateway to filter out ARP packets with invalid IP addresses or MAC addresses. The device checks validity of an ARP packet based on each or any combination of the following items:

  • Source and destination IP addresses: The device checks the source and destination IP addresses in an ARP packet. If the source or destination IP address is all 0s, all 1s, or a multicast IP address, the device discards the packet as an invalid packet. The device checks both the source and destination IP addresses in an ARP Reply packet but checks only the source IP address in an ARP Request packet.

  • Source MAC address: The device compares the source MAC address in an ARP packet with that in the Ethernet frame header. If they are the same, the packet is valid. If they are different, the device discards the packet.

  • Destination MAC address: The device compares the destination MAC address in an ARP packet with that in the Ethernet frame header. If they are the same, the packet is valid. If they are different, the device discards the packet.

NOTE:

Generally, packets with different source and destination MAC addresses in the ARP packet and Ethernet frame header are allowed by the ARP protocol. When an attack occurs, capture and analyze packets. If the attack is initiated by using inconsistent source MAC addresses in the ARP packet and Ethernet frame header, enable ARP packet validity check based on the source MAC address.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run arp anti-attack packet-check { ip | dst-mac | sender-mac }*

    ARP packet validity check is enabled and check items are specified.

    By default, ARP packet validity check is disabled.

    If you run the arp anti-attack packet-check { ip | dst-mac | sender-mac } * command multiple times, all the check items specified in these commands take effect.

Translation
Download
Updated: 2019-03-28

Document ID: EDOC1000178177

Views: 220808

Downloads: 716

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next