CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring Defense Against ARP MITM Attacks (All Product Models Except AR100&AR120&AR150&AR160&AR200&AR1200)

Networking Requirements

As shown in Figure 11-10, the users of a department access the Internet through RouterA. Among the users connected to RouterA, some users obtain IP addresses through DHCP and some users are allocated static IP addresses. All users are in the same VLAN as the DHCP server. If attackers initiate MITM attacks, the data of authorized users will leak; therefore, the administrator requires that RouterA can prevent MITM attacks and record the frequency and range of MITM attacks.

Figure 11-10  Networking diagram for defending against ARP MITM attacks

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure DHCP snooping so that RouterA generates address and port binding entries for dynamic (DHCP) users; configure the binding entries for static users manually. These binding entries are used to check the validity of ARP packets.
  2. Enable DAI so that RouterA compares the source IP address, source MAC address, VLAN ID, and interface number of each ARP packet with the binding entries and discards packets that match no entry. This prevents ARP MITM attacks.
  3. Enable the alarm function for ARP packets discarded by DAI so that RouterA counts the ARP packets that match no binding entry and generates an alarm when the number of discarded ARP packets exceeds the alarm threshold. From the alarms and the drop counters, the administrator can determine the frequency (drop rate) and range (affected interfaces) of the current ARP MITM attacks.
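The three roadmap steps describe one decision: an ARP packet is forwarded only if the (IP, MAC, interface, VLAN) tuple it arrives with matches a binding entry, and drops on an interface are counted and alarmed. The following Python model is an added example written for this page; it is not Huawei code and does not reproduce the device's real data structures. The alarm threshold, the DHCP-learned binding on Eth2/0/1 and the attacker MAC address are constructed values; the static binding is the one used later in the procedure.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Binding:
    """One address-port binding entry (static, or learned by DHCP snooping)."""
    ip: str
    mac: str
    interface: str
    vlan: int


@dataclass(frozen=True)
class ArpPacket:
    """The fields of an ARP packet that DAI compares with the binding table."""
    sender_ip: str
    sender_mac: str
    ingress_interface: str
    vlan: int


class DaiRouter:
    """Simplified model of RouterA's DAI behaviour (added example, not Huawei code)."""

    def __init__(self, alarm_threshold: int = 100) -> None:
        # Assumption: one alarm threshold applies to every DAI-enabled interface.
        self.alarm_threshold = alarm_threshold
        self.bindings: Set[Binding] = set()
        self.dai_interfaces: Set[str] = set()    # 'arp anti-attack check user-bind enable'
        self.alarm_interfaces: Set[str] = set()  # '... user-bind alarm enable'
        self.drop_count: Counter = Counter()     # per-interface 'ARP packet drop count'
        self.alarms: List[str] = []
        self._alarmed: Set[str] = set()

    # Roadmap step 1: populate the binding table.
    def add_static_binding(self, ip: str, mac: str, interface: str, vlan: int) -> None:
        self.bindings.add(Binding(ip, mac, interface, vlan))

    def learn_dhcp_binding(self, ip: str, mac: str, interface: str, vlan: int) -> None:
        # DHCP snooping would add this when a lease is confirmed on an untrusted port.
        self.bindings.add(Binding(ip, mac, interface, vlan))

    # Roadmap steps 2 and 3: enable DAI (and optionally the drop alarm) per interface.
    def enable_dai(self, interface: str, alarm: bool = True) -> None:
        self.dai_interfaces.add(interface)
        if alarm:
            self.alarm_interfaces.add(interface)

    def check_arp(self, pkt: ArpPacket) -> bool:
        """Return True if the packet is forwarded, False if DAI discards it."""
        iface = pkt.ingress_interface
        if iface not in self.dai_interfaces:
            return True  # DAI not enabled here, e.g. the trusted uplink Eth2/0/4
        candidate = Binding(pkt.sender_ip, pkt.sender_mac, iface, pkt.vlan)
        if candidate in self.bindings:
            return True
        # No binding matches: discard, count, and alarm once the threshold is exceeded.
        self.drop_count[iface] += 1
        if (iface in self.alarm_interfaces
                and self.drop_count[iface] > self.alarm_threshold
                and iface not in self._alarmed):
            self._alarmed.add(iface)
            self.alarms.append(f"{iface}: ARP drop count exceeded {self.alarm_threshold}")
        return False


def demo() -> Dict[str, object]:
    """Replay the page's scenario with constructed traffic; returns counters for inspection."""
    r = DaiRouter(alarm_threshold=3)  # constructed threshold, small so the alarm fires here
    r.add_static_binding("10.0.0.2", "0001-0001-0001", "Ethernet2/0/3", 10)   # from the page
    r.learn_dhcp_binding("10.0.0.3", "0001-0001-0002", "Ethernet2/0/1", 10)  # constructed
    for iface in ("Ethernet2/0/1", "Ethernet2/0/2", "Ethernet2/0/3"):
        r.enable_dai(iface)
    traffic = [
        ArpPacket("10.0.0.2", "0001-0001-0001", "Ethernet2/0/3", 10),  # static user, valid
        ArpPacket("10.0.0.3", "0001-0001-0002", "Ethernet2/0/1", 10),  # DHCP user, valid
        ArpPacket("10.0.0.1", "0001-0001-00aa", "Ethernet2/0/4", 10),  # trusted uplink, no DAI
    ]
    # Five ARP packets on Eth2/0/2 claiming the static user's IP with another MAC (constructed).
    traffic += [ArpPacket("10.0.0.2", "0001-0001-0bad", "Ethernet2/0/2", 10)] * 5
    results = [r.check_arp(p) for p in traffic]
    return {
        "forwarded": results.count(True),
        "dropped": results.count(False),
        "drop_count": dict(r.drop_count),
        "alarms": list(r.alarms),
    }


if __name__ == "__main__":
    print(demo())
```

The model forwards everything on an interface where DAI is not enabled, which is why the trusted uplink must not be one of the checked ports, and why a binding entry that is missing (a static user never added with user-bind static) turns into dropped packets for a legitimate host rather than a security event.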

Procedure

  1. Create a VLAN and add interfaces to the VLAN.

    # Create VLAN 10, and add Eth2/0/1, Eth2/0/2, Eth2/0/3, and Eth2/0/4 to VLAN 10.

    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] vlan batch 10
    [RouterA] interface ethernet 2/0/1
    [RouterA-Ethernet2/0/1] port link-type access
    [RouterA-Ethernet2/0/1] port default vlan 10
    [RouterA-Ethernet2/0/1] quit
    [RouterA] interface ethernet 2/0/2
    [RouterA-Ethernet2/0/2] port link-type access
    [RouterA-Ethernet2/0/2] port default vlan 10
    [RouterA-Ethernet2/0/2] quit
    [RouterA] interface ethernet 2/0/3
    [RouterA-Ethernet2/0/3] port link-type access
    [RouterA-Ethernet2/0/3] port default vlan 10
    [RouterA-Ethernet2/0/3] quit
    [RouterA] interface ethernet 2/0/4
    [RouterA-Ethernet2/0/4] port link-type trunk
    [RouterA-Ethernet2/0/4] port trunk allow-pass vlan 10
    [RouterA-Ethernet2/0/4] quit
    

  2. Configure DHCP snooping.

    # Enable DHCP snooping globally.

    [RouterA] dhcp enable
    [RouterA] dhcp snooping enable
    

    # Enable DHCP snooping in VLAN 10.

    [RouterA] vlan 10
    [RouterA-vlan10] dhcp snooping enable
    [RouterA-vlan10] quit
    

    # Configure Eth2/0/4 as a trusted interface.

    [RouterA] interface ethernet 2/0/4
    [RouterA-Ethernet2/0/4] dhcp snooping trusted
    [RouterA-Ethernet2/0/4] quit
    

  3. Configure a static binding table.

    [RouterA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface ethernet 2/0/3 vlan 10
    

  4. Enable DAI and the packet discarding alarm function.

    # Eth2/0/1 is used as an example. The configurations of Eth2/0/2 and Eth2/0/3 are the same as that of Eth2/0/1 and are not shown here.

    [RouterA] interface ethernet 2/0/1
    [RouterA-Ethernet2/0/1] arp anti-attack check user-bind enable
    [RouterA-Ethernet2/0/1] arp anti-attack check user-bind alarm enable
    [RouterA-Ethernet2/0/1] quit
    

  5. Verify the configuration.

    # Run the display arp anti-attack check user-bind interface command to check the DAI configuration on each interface. Eth2/0/1 is used as an example.

    [RouterA] display arp anti-attack check user-bind interface ethernet 2/0/1
     arp anti-attack check user-bind enable
     arp anti-attack check user-bind alarm enable
     ARP packet drop count = 966

    In the preceding command output, the number of discarded ARP packets on Eth2/0/1 is displayed, indicating that the defense against ARP MITM attacks has taken effect.

    By running the display arp anti-attack check user-bind interface command multiple times on each interface, the administrator can learn the frequency of ARP MITM attacks from how fast the ARP packet drop count grows, and their range from which interfaces show a growing count.
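Reading the drop counter more than once is what turns the raw count into frequency and range. The following Python helper is an added example for this page, not a Huawei tool: it parses the command output shown above, computes the drop rate between consecutive readings of the same interface, and lists the interfaces whose rate exceeds a threshold. The command outputs, timestamps and the rate threshold are constructed sample data; the first reading reuses the count of 966 from the page.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DROP_RE = re.compile(r"ARP packet drop count\s*=\s*(\d+)")


def parse_display_output(output: str) -> Dict[str, object]:
    """Parse one run of 'display arp anti-attack check user-bind interface <if>'."""
    check = alarm = False
    drops: Optional[int] = None
    for line in output.splitlines():
        s = line.strip()
        if s == "arp anti-attack check user-bind enable":
            check = True
        elif s == "arp anti-attack check user-bind alarm enable":
            alarm = True
        else:
            m = DROP_RE.search(s)
            if m:
                drops = int(m.group(1))
    return {"check_enabled": check, "alarm_enabled": alarm, "drop_count": drops}


def drop_rates(samples: List[Tuple[datetime, int]]) -> List[float]:
    """Drops per second between consecutive (time, drop_count) readings of one interface."""
    rates: List[float] = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        secs = (t1 - t0).total_seconds()
        if secs <= 0:
            raise ValueError("samples must be in increasing time order")
        delta = c1 - c0
        if delta < 0:
            delta = c1  # assumption: the counter was cleared between readings
        rates.append(delta / secs)
    return rates


def attack_summary(readings: Dict[str, List[Tuple[datetime, str]]],
                   rate_threshold: float) -> Dict[str, object]:
    """Frequency (peak drop rate per interface) and range (interfaces above threshold)."""
    peak: Dict[str, float] = {}
    for iface, runs in readings.items():
        samples = []
        for ts, text in runs:
            parsed = parse_display_output(text)
            if parsed["drop_count"] is None:
                continue  # DAI output without a counter line: nothing to trend
            samples.append((ts, parsed["drop_count"]))
        rates = drop_rates(samples)
        peak[iface] = max(rates) if rates else 0.0
    affected = sorted(i for i, r in peak.items() if r > rate_threshold)
    return {"peak_rate": peak, "affected_interfaces": affected}


# Constructed sample outputs in the format shown on this page.
SAMPLE_ETH1_RUN1 = """\
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
 ARP packet drop count = 966
"""
SAMPLE_ETH1_RUN2 = SAMPLE_ETH1_RUN1.replace("966", "1266")
SAMPLE_ETH3_IDLE = SAMPLE_ETH1_RUN1.replace("966", "0")

T0 = datetime(2019, 5, 20, 10, 0, 0)  # constructed timestamp
SAMPLE_READINGS = {
    "Ethernet2/0/1": [(T0, SAMPLE_ETH1_RUN1), (T0 + timedelta(seconds=60), SAMPLE_ETH1_RUN2)],
    "Ethernet2/0/3": [(T0, SAMPLE_ETH3_IDLE), (T0 + timedelta(seconds=60), SAMPLE_ETH3_IDLE)],
}


def demo() -> Dict[str, object]:
    # Assumption: more than one dropped ARP packet per second is treated as an active attack.
    return attack_summary(SAMPLE_READINGS, rate_threshold=1.0)


if __name__ == "__main__":
    print(demo())
```

A counter that is large but static (966 and still 966 a minute later) indicates an attack that has stopped, which is why the rate rather than the absolute count is what the summary reports.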

Configuration File

Configuration file of RouterA

#
sysname RouterA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface Ethernet2/0/3 vlan 10
#
vlan 10
 dhcp snooping enable
#
interface Ethernet2/0/1
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
#
interface Ethernet2/0/2
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
#
interface Ethernet2/0/3
 port link-type access
 port default vlan 10
 arp anti-attack check user-bind enable
 arp anti-attack check user-bind alarm enable
#
interface Ethernet2/0/4
 port link-type trunk
 port trunk allow-pass vlan 10
 dhcp snooping trusted
#
return
Updated: 2019-05-20

Document ID: EDOC1100034077