No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - Security

S1720, S2700, S5700, and S6720 V200R011C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, MPAC, separating the management plane from the service plane, security risks, PKI.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
ARP Gateway Anti-Collision

ARP Gateway Anti-Collision

As shown in Figure 7-6, attacker B forges the gateway address to send a bogus ARP packet to user A. User A considers the attacker to be the gateway. User A then records an incorrect ARP entry for the gateway. As a result, the gateway cannot receive packets from user A and their communication is interrupted.

Figure 7-6  ARP gateway collision

To prevent bogus gateway attacks, enable ARP gateway anti-collision on the gateway. The gateway considers that a gateway collision occurs when a received ARP packet meets either of the following conditions:

  • The source IP address in the ARP packet is the same as the IP address of the VLANIF interface matching the physical inbound interface of the packet.

  • The source IP address in the ARP packet is the virtual IP address of the inbound interface but the source MAC address in the ARP packet is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group.

    NOTE:

    A VRRP group, also called a virtual router, serves as the default gateway for hosts on a LAN. A virtual router has a virtual MAC address that is generated based on the virtual router ID. The virtual MAC address is in the format of 00-00-5E-00-01-{VRID}(VRRP). The virtual router sends ARP Reply packets using the virtual MAC address instead of the interface MAC address.

The device generates an ARP anti-collision entry and discards the received packets with the same source MAC address and VLAN ID in a specified period. This function prevents ARP packets with the bogus gateway address from being broadcast in a VLAN.

In addition, you can enable gratuitous ARP packet sending on the device to broadcast gratuitous ARP packets to all user hosts so that the bogus ARP entries are modified. The gratuitous ARP packet is broadcast to all users so that incorrect ARP entries are corrected.

Translation
Download
Updated: 2019-09-23

Document ID: EDOC1000178177

Views: 232575

Downloads: 747

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next