Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring DAI

Context

Configuring DAI on an access device can prevent man-in-the-middle (MITM) attacks and theft of authorized users' information. After DAI is configured, the device compares the source IP address, source MAC address, VLAN ID, and interface number in each received ARP packet with its binding entries. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows it to pass through. If the ARP packet does not match any binding entry, the device considers it invalid and discards it.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled in an interface view, the device checks all ARP packets received on the interface against binding entries. When DAI is enabled in the VLAN view, the device checks the ARP packets received on all interfaces belonging to the VLAN against binding entries.

If you want to receive an alarm when a large number of ARP packets are generated, enable the alarm function for the ARP packets discarded by DAI. After the alarm function is enabled, the device will generate an alarm when the number of discarded ARP packets exceeds a specified threshold.

NOTE:

When ARP learning triggered by DHCP is enabled on the gateway, DAI can be enabled on the gateway.

This function is available only for DHCP snooping scenarios. The device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP users go online. If a user uses a static IP address, you need to manually configure a static binding entry for the user. For details about the DHCP snooping configuration, see DHCP Snooping Configuration. For details on how to configure a static binding entry, see Configuring IPSG Based on a Static Binding Table.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number or vlan vlan-id

    The interface view or VLAN view is displayed.

  3. Run arp anti-attack check user-bind enable

    DAI is enabled.

    By default, DAI is disabled.

  4. (Optional) In the interface view, run arp anti-attack check user-bind check-item { ip-address | mac-address | vlan } *

    or in the VLAN view, run arp anti-attack check user-bind check-item { ip-address | mac-address | interface } *

    Items for checking ARP packets based on binding entries are configured.

    By default, the check items consist of IP address, MAC address, VLAN ID, and interface number.

    To allow some special ARP packets that match only one or two items in binding entries to pass through, configure the device to check ARP packets according to one or two specified items in binding entries.

    NOTE:

    The IP addresses in binding entries can be IPv4 or IPv6 addresses. When the device compares IP addresses in ARP packets with binding entries, both IPv4 and IPv6 addresses are checked.

    Items for checking ARP packets based on binding entries do not take effect on user hosts that are configured with static binding entries. These hosts check ARP packets based on all items in static binding entries.

  5. (Optional) In the interface view, run arp anti-attack check user-bind alarm enable

    The alarm function for ARP packets discarded by DAI is enabled.

    By default, the alarm function for ARP packets discarded by DAI is disabled.

    NOTE:

    This type of alarm is generated for the ARP packets discarded by DAI on interfaces. Do not run the arp anti-attack check user-bind enable command in a VLAN and the arp anti-attack check user-bind alarm enable command on an interface in this VLAN at the same time. Otherwise, the actual number of discarded ARP packets in the VLAN is different from the number of discarded packets on the interface.

  6. (Optional) In the interface view, run arp anti-attack check user-bind alarm threshold threshold

    The alarm threshold of ARP packets discarded by DAI is set.

    By default, the threshold on an interface is consistent with the threshold set by the arp anti-attack check user-bind alarm threshold threshold command in the system view. If the alarm threshold is not set in the system view, the default threshold on the interface is 100.
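The following Python model is an added illustration of the DAI check described in the Context section and in steps 3 to 6 above; it is not Huawei code and does not reproduce the switch's implementation. It assumes a binding table whose entries carry IP address, MAC address, VLAN ID and interface, compares each ARP packet against that table on the configured check items (all four by default), always checks static entries on all items as the NOTE in step 4 states, and counts discards against the alarm threshold (default 100). The class and function names, the MAC normalization, the single-shot alarm flag and the sample binding entries are this example's own constructions; the view-specific option lists of the check-item command are not modeled beyond the set of items.

```python
# Added illustration (not Huawei code): a minimal model of the DAI check this
# guide describes. Binding entries (DHCP snooping or static) hold IP address,
# MAC address, VLAN ID and interface; an ARP packet passes only if it matches
# an entry on the configured check items, and static entries are always
# matched on all four items. Names, sample entries and the single-shot alarm
# flag are this example's own simplifications.
from dataclasses import dataclass
from ipaddress import ip_address

ALL_ITEMS = frozenset({"ip-address", "mac-address", "vlan", "interface"})


def norm_mac(mac: str) -> str:
    """Compare MACs regardless of notation (xxxx-xxxx-xxxx, xx:xx:xx:xx:xx:xx)."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


@dataclass(frozen=True)
class Binding:
    ip: str               # IPv4 or IPv6 text; both kinds are compared (NOTE in step 4)
    mac: str
    vlan: int
    interface: str
    static: bool = False  # static entries are always checked on all items


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str
    vlan: int
    interface: str


@dataclass
class DaiChecker:
    bindings: list
    check_items: frozenset = ALL_ITEMS  # default: all four items are checked
    alarm_threshold: int = 100          # guide's default when unset in the system view
    discarded: int = 0
    alarm_raised: bool = False

    def _matches(self, pkt: ArpPacket, b: Binding) -> bool:
        items = ALL_ITEMS if b.static else self.check_items
        if "ip-address" in items and ip_address(pkt.sender_ip) != ip_address(b.ip):
            return False
        if "mac-address" in items and norm_mac(pkt.sender_mac) != norm_mac(b.mac):
            return False
        if "vlan" in items and pkt.vlan != b.vlan:
            return False
        if "interface" in items and pkt.interface != b.interface:
            return False
        return True

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True (forward) if any binding matches, otherwise count a discard."""
        if any(self._matches(pkt, b) for b in self.bindings):
            return True
        self.discarded += 1
        if self.discarded > self.alarm_threshold:
            self.alarm_raised = True  # simplified: one flag once the threshold is exceeded
        return False


# Constructed sample binding table: one DHCP snooping entry and one static entry.
SAMPLE_BINDINGS = [
    Binding("10.1.1.2", "0001-0203-0405", 10, "GigabitEthernet1/0/1"),
    Binding("10.1.1.3", "0001-0203-0406", 10, "GigabitEthernet1/0/2", static=True),
]


def demo() -> dict:
    """Walk through the cases the guide describes; returns the outcomes for checking."""
    results = {}
    # Default check items: every field must match the entry.
    full = DaiChecker(SAMPLE_BINDINGS)
    results["valid"] = full.inspect(ArpPacket("10.1.1.2", "00:01:02:03:04:05", 10, "GigabitEthernet1/0/1"))
    results["spoofed_mac"] = full.inspect(ArpPacket("10.1.1.2", "0001-0203-9999", 10, "GigabitEthernet1/0/1"))
    # Reduced check items (step 4): only IP and MAC are compared for dynamic entries ...
    partial = DaiChecker(SAMPLE_BINDINGS, check_items=frozenset({"ip-address", "mac-address"}))
    results["moved_dynamic_host"] = partial.inspect(ArpPacket("10.1.1.2", "0001-0203-0405", 20, "GigabitEthernet1/0/5"))
    # ... while a host with a static entry is still checked on all items.
    results["moved_static_host"] = partial.inspect(ArpPacket("10.1.1.3", "0001-0203-0406", 20, "GigabitEthernet1/0/5"))
    # Alarm (steps 5 and 6): raised once the discard count exceeds the threshold.
    alarmed = DaiChecker(SAMPLE_BINDINGS, alarm_threshold=3)
    for _ in range(4):
        alarmed.inspect(ArpPacket("10.1.1.9", "0001-0203-0405", 10, "GigabitEthernet1/0/1"))
    results["alarm_raised"] = alarmed.alarm_raised
    results["discarded"] = alarmed.discarded
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `moved_dynamic_host` and `moved_static_host` cases show why the NOTE in step 4 matters operationally: reducing the check items relaxes the check only for DHCP snooping entries, so a host pinned with a static binding entry is still dropped if it appears on another VLAN or interface.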

Updated: 2019-04-01

Document ID: EDOC1000178410
