Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the security configurations, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, and security risks.
Can the Device Be Deployed with the ARP Anti-Attack Function?

Table 7-6 and Table 7-7 list the ARP anti-attack functions that can be deployed on the device, together with the recommended deployment position for each, for versions since V200R001C00. Table 7-6 covers defenses against ARP flood attacks (CPU and ARP-table exhaustion); Table 7-7 covers defenses against ARP spoofing attacks (bogus ARP packets that poison ARP entries on the gateway or on hosts).

Table 7-6  Flood attack defense

| ARP Anti-Attack Function | Function Description | Deployment Position |
|---|---|---|
| Rate limit on ARP packets | Limits the rate of ARP packets so that the device keeps enough CPU resources to process other services when it receives a large number of ARP packets. The limit can be applied globally, in a VLAN, or on an interface. | Gateway (recommended) |
| Rate limit on ARP Miss messages | Limits the rate of ARP Miss messages, defending against floods of IP packets whose destination IP addresses cannot be resolved. | Gateway (recommended) |
| Gratuitous ARP packet discarding | Discards gratuitous ARP packets so that the device keeps enough CPU resources to process other services when it receives a large number of them. | Gateway (recommended) |
| ARP reply optimization | When enabled, the LPU itself answers ARP Request packets destined for a local interface. Defends against ARP flood attacks; applies to a device with multiple LPUs. | Gateway (recommended) |
| Strict ARP learning | The device learns ARP entries only from ARP Reply packets that answer ARP Request packets it sent itself, so invalid ARP packets cannot exhaust the ARP table. | Gateway (recommended) |
| ARP entry limitation | Caps the number of dynamic ARP entries the device can learn, so a host attached to an interface cannot exhaust the ARP table. | Gateway (recommended) |
| Disabling ARP learning on interfaces | Stops an interface from learning ARP entries, so a host attached to that interface cannot exhaust the ARP table. | Gateway (recommended) |

NOTE (rate limit on ARP packets): When an access device is enabled with MAC-Forced Forwarding (MFF), the MFF module may forward too many ARP packets whose destination IP addresses differ from the IP address of the receiving interface, overloading the CPU. To resolve this, limit the rate of ARP packets globally, in a VLAN, or on an interface.
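As an added example that is not part of this guide, the following fragment shows how the flood-defense functions in Table 7-6 fit together on a gateway switch. It is the editor's configuration, not Huawei's. Command names and views are given as the editor knows them from the S-series ARP security command reference and should be verified against the V200R011C10 command reference before use; the interface names and every numeric threshold are assumptions that must be tuned to the measured ARP load. ARP reply optimization is omitted because this page does not state its command.

```text
# Added example (editor's own, not from the guide): gateway-side ARP flood
# defense on a Huawei S-series switch running VRP. Interface names and all
# thresholds are ASSUMED values.
system-view
#
# Global ARP rate limit: at most 100 ARP packets per 1-second interval are
# sent to the CPU; the excess is dropped.
arp anti-attack rate-limit enable
arp anti-attack rate-limit 100 1
#
# Per-source limits so that one host cannot consume the whole budget.
arp speed-limit source-mac maximum 20
arp speed-limit source-ip maximum 20
#
# ARP Miss rate limit, global and per source IP, for floods of IP packets
# with unresolvable destination addresses.
arp-miss anti-attack rate-limit enable
arp-miss anti-attack rate-limit 100 1
arp-miss speed-limit source-ip maximum 20
#
# Discard gratuitous ARP packets instead of processing them.
arp anti-attack gratuitous-arp drop
#
# Learn ARP entries only from replies to the gateway's own requests.
arp learning strict
#
# Cap dynamic ARP entries on a downlink; on an interface that must never
# learn (for example an uplink covered by static ARP entries) disable
# learning altogether.
interface GigabitEthernet 1/0/1
 arp-limit maximum 200
 quit
interface GigabitEthernet 1/0/2
 arp learning disable
 quit
#
# Verify the configured state and watch the drop counters.
display arp anti-attack configuration all
display arp packet statistics
```

Start with limits well above the observed peak ARP rate and lower them while watching the drop counters: a rate limit or entry cap that is too tight is itself a denial of service for legitimate hosts, and strict ARP learning on a gateway means a host that never answers one of the gateway's own ARP Requests will not get an entry at all.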

Table 7-7  Spoofing attack defense

| ARP Anti-Attack Function | Function Description | Deployment Position |
|---|---|---|
| Fixed ARP | Fixes existing ARP entries so that bogus ARP packets cannot overwrite them. Three modes are supported: fixed-all (the MAC address, interface, and VLAN of an entry cannot be changed), fixed-mac (the MAC address is fixed; the interface and VLAN may still be updated), and send-ack (before changing an entry, the device confirms the change by sending a unicast ARP Request to the MAC address already in the entry). | Gateway (recommended) |
| Dynamic ARP inspection (DAI) | Compares the source IP address, source MAC address, interface number, and VLAN ID of each ARP packet with the DHCP snooping binding entries. A packet that matches an entry is considered valid and forwarded; a packet that matches no entry is considered invalid and discarded. Available only in DHCP snooping scenarios. | Access device (recommended); see note |
| ARP gateway anti-collision | Prevents an attacker from using a bogus gateway IP address to modify the gateway ARP entries on hosts. | Gateway (recommended) |
| Gratuitous ARP packet discarding | Discards gratuitous ARP packets so that floods of bogus gratuitous ARP packets cannot interrupt communication. | Gateway (recommended) |
| Gratuitous ARP packet sending | Lets the gateway periodically send gratuitous ARP packets (ARP Requests whose target IP address is the device's own IP address) so that hosts refresh the gateway MAC address in their ARP entries. This keeps authorized users' packets flowing to the real gateway and prevents an attacker from intercepting them. | Gateway (recommended) |
| MAC address consistency check in an ARP packet | Defends against bogus ARP packets whose sender and target MAC addresses in the ARP body differ from the source and destination MAC addresses in the Ethernet frame header. | Gateway (recommended) |
| ARP packet validity check | Filters out ARP packets carrying invalid MAC addresses or IP addresses; the device checks the source MAC address, destination MAC address, or IP address. | Gateway or access device (recommended) |
| Strict ARP learning | The device learns ARP entries only from ARP Reply packets that answer ARP Request packets it sent itself, so received bogus ARP packets cannot update its ARP entries. | Gateway (recommended) |
| ARP learning triggered by DHCP | Generates ARP entries from received DHCP ACK packets. With many DHCP users, learning and aging a large number of ARP entries through normal ARP affects device performance; this function avoids that. DAI can also be deployed to prevent the ARP entries of DHCP users from being modified maliciously. | Gateway (recommended) |
| ARP proxy on a VPLS network | Prevents bogus ARP packets arriving on the pseudo wire (PW) side from being broadcast to the attachment circuit (AC) side of a VPLS network. | PE (recommended) |

NOTE (dynamic ARP inspection): When ARP learning triggered by DHCP is enabled on the gateway, DAI can be enabled on the gateway as well.
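The following fragment, added by the editor and not taken from this guide, shows the spoofing defenses of Table 7-7 split across the two positions the table recommends: DHCP snooping plus DAI on an access switch, and gateway anti-collision, fixed ARP (send-ack mode), ARP packet validity check, gratuitous ARP sending, and DHCP-triggered ARP learning on the gateway. The gratuitous-ARP discard and strict-learning commands already shown for Table 7-6 are not repeated. Command syntax is given as the editor knows it from the S-series command reference and should be checked against the V200R011C10 reference; interface names, VLAN ID, the host address and MAC in the static binding, and the gratuitous ARP interval are assumptions. The MAC address consistency check is omitted because this page does not state its command.

```text
# Added example (editor's own, not from the guide). The two sections are
# typed on two different devices. Interface names, VLAN 10, the static
# binding, and the 60-second interval are ASSUMED values.
system-view
#
# ---- Access switch: DHCP snooping bindings plus DAI on user ports ----
# DAI matches ARP packets against the DHCP snooping binding table, so
# DHCP snooping must be running first.
dhcp enable
dhcp snooping enable
dhcp snooping enable vlan 10
# Only the uplink toward the DHCP server is trusted; user ports stay
# untrusted, so DHCP OFFER/ACK from a rogue server on a user port is dropped.
interface GigabitEthernet 1/0/24
 dhcp snooping trusted
 quit
# Check every ARP packet on the user port against the bindings (source IP,
# source MAC, VLAN); a packet that matches no binding is discarded.
interface GigabitEthernet 1/0/1
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind check-item ip-address mac-address vlan
 quit
# A statically addressed host on an untrusted port has no DHCP binding and
# would lose connectivity; give it a static binding rather than exempting
# the whole port from DAI.
user-bind static ip-address 192.0.2.50 mac-address 0001-0203-0405 interface GigabitEthernet 1/0/1 vlan 10
#
# ---- Gateway ----
# Drop ARP packets whose sender IP address is the gateway's own address
# (ARP gateway anti-collision).
arp anti-attack gateway-duplicate enable
# Fixed ARP in send-ack mode: an existing entry is changed only after the
# gateway has queried the MAC address currently in the entry.
arp anti-attack entry-check send-ack enable
# ARP packet validity check on sender MAC, destination MAC, and IP address.
arp anti-attack packet-check sender-mac dst-mac ip
# Re-announce the gateway MAC every 60 s so hosts recover a poisoned
# gateway entry without waiting for it to age out.
arp gratuitous-arp send enable
arp gratuitous-arp send interval 60
# Build ARP entries from DHCP ACKs instead of ARP learning; the gateway must
# see the DHCP exchange, for example as the DHCP relay agent.
arp learning dhcp-trigger
#
# Verify: anti-attack state on the gateway, binding table on the access switch.
display arp anti-attack configuration all
display dhcp snooping user-bind all
```

Two checks before turning DAI on in production: confirm with display dhcp snooping user-bind all that every live host on an untrusted port has a binding (hosts with static addresses, and hosts whose leases were obtained before snooping was enabled, will not), and confirm that the gateway actually sees DHCP ACKs before relying on DHCP-triggered ARP learning, since otherwise it will build no entries for DHCP users.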

Updated: 2019-04-01

Document ID: EDOC1000178410