CLI-based Configuration Guide - Security

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Example for Configuring ARP Security Functions

Networking Requirements

As shown in Figure 11-9, Router connects to a server through Eth2/0/3 and connects to four users in VLAN 10 and VLAN 20 through Eth2/0/1 and Eth2/0/2. The following ARP threats exist on the network:
  • Attackers send bogus ARP packets or bogus gratuitous ARP packets to Router. ARP entries on Router are modified, leading to packet sending and receiving failures.
  • Attackers send a large number of IP packets with unresolvable destination IP addresses to Router, leading to CPU overload.
  • User1 sends a large number of ARP packets with fixed MAC addresses but variable source IP addresses to Router. As a result, ARP entries on Router are exhausted and the CPU cannot process other services.
  • User3 sends a large number of ARP packets with fixed source IP addresses to Router. As a result, the CPU of Router is insufficient to process other services.
The administrator wants to prevent the preceding ARP attacks and provide users with stable services on a secure network.
Figure 11-9  Networking for configuring ARP security functions

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure strict ARP learning and ARP entry fixing to prevent ARP entries from being modified by bogus ARP packets.
  2. Configure rate limiting on ARP Miss messages based on source IP addresses. This function defends against attacks in which a large number of IP packets with unresolvable destination IP addresses trigger ARP Miss messages. At the same time, Router must still be able to process the larger number of ARP Miss messages that the server legitimately triggers, so that network communication is not affected.
  3. Configure ARP entry limiting and rate limiting on ARP packets based on source MAC addresses. These functions defend against ARP flood attacks in which a large number of ARP packets with a fixed MAC address but variable source IP addresses are sent, preventing ARP entry exhaustion and CPU overload.
  4. Configure rate limiting on ARP packets based on source IP addresses. This function defends against ARP flood attacks from User3 with a fixed IP address and prevents CPU overload.
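The following Python model is an added illustration of how the five defences in the roadmap act together on the four threats from the networking requirements. It is written for this page and is not Huawei code: the device's real algorithms and measurement intervals are not described here, so rate limits are evaluated per one-second window (an assumption of the model), the action names are chosen for readability, and all traffic in `simulate_threats()` is constructed. The numeric limits in `POLICY` are the ones configured in this example.

```python
# Added model of the ARP defences configured in this example. Written for
# this page, not Huawei code: rate limits are evaluated per one-second
# window (an assumption) and action names are chosen for readability.
from collections import defaultdict

# Values as configured in this example; the "Others" rate for per-MAC and
# per-IP ARP speed-limit is 0 (disabled), as the display output shows.
POLICY = {
    "learning_strict": True,
    "entry_check_fixed_mac": True,
    "arp_limit": {("Ethernet2/0/1", 10): 20},       # arp-limit vlan 10 maximum 20
    "speed_limit_src_mac": {"0001-0001-0001": 10},  # arp speed-limit source-mac ... maximum 10
    "speed_limit_src_ip": {"10.2.2.1": 10},         # arp speed-limit source-ip ... maximum 10
    "arp_miss_default": 20,                         # arp-miss speed-limit source-ip maximum 20
    "arp_miss_src_ip": {"10.3.3.1": 40},            # arp-miss speed-limit source-ip 10.3.3.1 maximum 40
}


class ArpGuard:
    def __init__(self, policy=POLICY):
        self.p = policy
        self.table = {}                 # src_ip -> (mac, interface, vlan)
        self.window = None              # current one-second window
        self.counts = defaultdict(int)  # (kind, key) -> packets seen in this window
        self.stats = defaultdict(int)   # counters in the spirit of 'display arp packet statistics'

    def _tick(self, ts):
        if int(ts) != self.window:
            self.window, self.counts = int(ts), defaultdict(int)

    def _over_limit(self, kind, key, limit):
        self.counts[(kind, key)] += 1
        return self.counts[(kind, key)] > limit

    def _entries_on(self, iface, vlan):
        return sum(1 for _, i, v in self.table.values() if (i, v) == (iface, vlan))

    def arp_packet(self, ts, iface, vlan, src_mac, src_ip, solicited_reply):
        """Run one received ARP packet through the defences; return the action taken."""
        self._tick(ts)
        self.stats["received"] += 1
        # Rate limiting on ARP packets by source MAC, then by source IP.
        lim = self.p["speed_limit_src_mac"].get(src_mac)
        if lim and self._over_limit("mac", src_mac, lim):
            self.stats["discard_speedlimit"] += 1
            return "discard:speed-limit-mac"
        lim = self.p["speed_limit_src_ip"].get(src_ip)
        if lim and self._over_limit("ip", src_ip, lim):
            self.stats["discard_speedlimit"] += 1
            return "discard:speed-limit-ip"
        # Strict learning: only replies to this router's own requests may create or update entries.
        if self.p["learning_strict"] and not solicited_reply:
            self.stats["discard_other"] += 1
            return "discard:strict-learning"
        # Fixed-MAC entry check: an IP already in the table keeps the MAC it was learnt with.
        if src_ip in self.table:
            if self.p["entry_check_fixed_mac"] and self.table[src_ip][0] != src_mac:
                self.stats["discard_other"] += 1
                return "discard:fixed-mac"
            return "refresh"
        # Interface-based ARP entry limiting applies to new entries.
        lim = self.p["arp_limit"].get((iface, vlan))
        if lim is not None and self._entries_on(iface, vlan) >= lim:
            self.stats["discard_limit"] += 1
            return "discard:entry-limit"
        self.table[src_ip] = (src_mac, iface, vlan)
        self.stats["learnt"] += 1
        return "learn"

    def arp_miss(self, ts, src_ip):
        """An IP packet with an unresolvable next hop raises an ARP Miss; limit those per source IP."""
        self._tick(ts)
        lim = self.p["arp_miss_src_ip"].get(src_ip, self.p["arp_miss_default"])
        if self._over_limit("miss", src_ip, lim):
            self.stats["arp_miss_dropped"] += 1
            return False
        self.stats["arp_miss_sent"] += 1
        return True


def simulate_threats():
    """Replay the four threats from the networking requirements with constructed traffic."""
    g, out, eth1 = ArpGuard(), {}, ("Ethernet2/0/1", 10)
    # Threat 1: a legitimate host is learnt, then bogus ARP tries to rewrite its MAC.
    g.arp_packet(0, *eth1, "0002-0002-0002", "10.1.1.2", solicited_reply=True)
    out["bogus_unsolicited"] = g.arp_packet(0, *eth1, "0bad-0bad-0bad", "10.1.1.2", False)
    out["bogus_solicited"] = g.arp_packet(0, *eth1, "0bad-0bad-0bad", "10.1.1.2", True)
    out["entry_intact"] = g.table["10.1.1.2"][0] == "0002-0002-0002"
    # Threat 2: 50 unresolvable IP packets/s from the server, 30/s from another host.
    out["server_miss_sent"] = sum(g.arp_miss(1, "10.3.3.1") for _ in range(50))
    out["host_miss_sent"] = sum(g.arp_miss(1, "10.1.1.2") for _ in range(30))
    # Threat 3: User1 sends 100 ARP packets/s with a fixed MAC and changing source IPs, then the
    # same flood at 10 packets/s, which the rate limit passes; the entry limit is the backstop.
    r = [g.arp_packet(2, *eth1, "0001-0001-0001", f"10.1.1.{i}", True) for i in range(100, 200)]
    out["user1_rate_dropped"] = r.count("discard:speed-limit-mac")
    r = [g.arp_packet(3 + i // 10, *eth1, "0001-0001-0001", f"10.1.1.{i}", True) for i in range(100, 200)]
    out["user1_entry_limit_dropped"] = r.count("discard:entry-limit")
    out["vlan10_entries"] = g._entries_on(*eth1)
    # Threat 4: User3 sends 100 ARP packets/s from a fixed source IP.
    r = [g.arp_packet(30, "Ethernet2/0/2", 20, "0003-0003-0003", "10.2.2.1", False) for _ in range(100)]
    out["user3_rate_dropped"] = r.count("discard:speed-limit-ip")
    return out, dict(g.stats)
```

Running `simulate_threats()` shows the layering the roadmap relies on: the bogus ARP for 10.1.1.2 is stopped by strict learning, and by the fixed-MAC check even when it arrives as a reply the router solicited; the server keeps 40 ARP Miss messages per second while other hosts get 20; User1's flood is cut to 10 packets per second by the per-MAC limit, and when it is slowed down to pass that limit the VLAN 10 entry limit stops the table at 20 entries; User3's flood is cut by the per-IP limit. The model checks rate limits before learning, so a packet that is discarded for rate never consumes a table entry, which is the order that keeps the CPU and the table both protected.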

Procedure

  1. Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.

    # Create VLAN 10, VLAN 20, and VLAN 30, add Eth2/0/1 to VLAN 10, Eth2/0/2 to VLAN 20, and Eth2/0/3 to VLAN 30.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan batch 10 20 30
    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] port link-type trunk
    [Router-Ethernet2/0/1] port trunk allow-pass vlan 10
    [Router-Ethernet2/0/1] quit
    [Router] interface ethernet 2/0/2
    [Router-Ethernet2/0/2] port link-type trunk
    [Router-Ethernet2/0/2] port trunk allow-pass vlan 20
    [Router-Ethernet2/0/2] quit
    [Router] interface ethernet 2/0/3
    [Router-Ethernet2/0/3] port link-type trunk
    [Router-Ethernet2/0/3] port trunk allow-pass vlan 30
    [Router-Ethernet2/0/3] quit
    

    # Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.

    [Router] interface vlanif 10
    [Router-Vlanif10] ip address 10.1.1.10 24
    [Router-Vlanif10] quit
    [Router] interface vlanif 20
    [Router-Vlanif20] ip address 10.2.2.10 24
    [Router-Vlanif20] quit
    [Router] interface vlanif 30
    [Router-Vlanif30] ip address 10.3.3.10 24
    [Router-Vlanif30] quit
    

  2. Configure strict ARP learning.

    [Router] arp learning strict

  3. Configure ARP entry fixing.

    # Set the ARP entry fixing mode to fixed-mac.

    [Router] arp anti-attack entry-check fixed-mac enable

  4. Configure rate limiting on ARP Miss messages based on source IP addresses.

    # Set the maximum rate of ARP Miss messages triggered by the server with the IP address 10.3.3.1 to 40 pps, and set the maximum rate of ARP Miss messages triggered by other user hosts to 20 pps.

    [Router] arp-miss speed-limit source-ip maximum 20
    [Router] arp-miss speed-limit source-ip 10.3.3.1 maximum 40

  5. Configure interface-based ARP entry limiting.

    # Configure that Eth2/0/1 can learn a maximum of 20 dynamic ARP entries.

    [Router] interface ethernet 2/0/1
    [Router-Ethernet2/0/1] arp-limit vlan 10 maximum 20
    [Router-Ethernet2/0/1] quit
    

  6. Configure rate limiting on ARP packets based on source MAC addresses.

    # Set the maximum rate of ARP packets from User1 with the source MAC address 0001-0001-0001 to 10 pps.

    [Router] arp speed-limit source-mac 0001-0001-0001 maximum 10

  7. Configure rate limiting on ARP packets based on source IP addresses.

    # Set the maximum rate of ARP packets from User3 with the source IP address 10.2.2.1 to 10 pps.

    [Router] arp speed-limit source-ip 10.2.2.1 maximum 10

  8. Verify the configuration.

    # Run the display arp learning strict command to check the global configuration of strict ARP entry learning.

    [Router] display arp learning strict
     The global configuration:arp learning strict
     Interface                           LearningStrictState
    ------------------------------------------------------------
    ------------------------------------------------------------
     Total:0
     Force-enable:0
     Force-disable:0 

    # Run the display arp-limit command to check the maximum number of ARP entries that the interface can dynamically learn.

    [Router] display arp-limit interface ethernet 2/0/1
     Interface                      LimitNum   VlanID     LearnedNum(Mainboard)
    ---------------------------------------------------------------------------
     Ethernet2/0/1                   20         10         0
    ---------------------------------------------------------------------------
     Total:1 

    # Run the display arp anti-attack configuration all command to check the configuration of ARP anti-attack.

    [Router] display arp anti-attack configuration all
    
     ARP anti-attack packet-check function: disable                                 
                                                                                    
     ARP anti-attack entry-check mode: fixed-mac                                    
                                                                                    
     ARP gateway-duplicate anti-attack function: disabled                           
                                                                                    
     ARP rate-limit configuration:                                                  
    ------------------------------------------------------------------------------- 
     Global configuration:                                                          
     Interface configuration:                                                       
    ------------------------------------------------------------------------------- 
                                                                                    
     ARP miss rate-limit configuration:                                             
    ------------------------------------------------------------------------------- 
     Global configuration:                                                          
    ------------------------------------------------------------------------------- 
                                                                                    
     ARP speed-limit for source-MAC configuration:                                  
     MAC-address         suppress-rate(pps)(rate=0 means function disabled)         
    ------------------------------------------------------------------------------- 
     0001-0001-0001   10                                                         
     Others              0                                                          
    ------------------------------------------------------------------------------- 
     1 specified MAC addresses are configured, spec is 256 items.                   
                                                                                    
     ARP speed-limit for source-IP configuration:                                   
     IP-address          suppress-rate(pps)(rate=0 means function disabled)         
    ------------------------------------------------------------------------------- 
     10.2.2.1          10                                                         
     Others              5                                                          
    ------------------------------------------------------------------------------- 
     1 specified IP addresses are configured, spec is 256 items.                    
                                                                                    
     ARP miss speed-limit for source-IP configuration:                              
     IP-address          suppress-rate(pps)(rate=0 means function disabled)         
    ------------------------------------------------------------------------------- 
     10.3.3.1          40                                                          
     Others              20                                                         
    ------------------------------------------------------------------------------- 
     1 specified IP addresses are configured, spec is 256 items.                    

    # Run the display arp packet statistics command to check statistics on ARP-based packets.

    [Router] display arp packet statistics
    ARP Pkt Received:   sum   8678904                                                  
    ARP Learnt Count:   sum     37                                                  
    ARP Pkt Discard For Limit:   sum      146                                       
    ARP Pkt Discard For SpeedLimit:   sum      40529                                    
    ARP Pkt Discard For Proxy Suppress:   sum    0                                
    ARP Pkt Discard For Other:   sum   8367601                   

    In the preceding command output, the discard counters show that Router has dropped ARP packets, indicating that the ARP security functions have taken effect.
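The discard counters above are cumulative, so a single snapshot cannot tell a current attack from one that ended long ago. The following Python parser is an added example, not part of this guide and not a Huawei tool: it reads the output of `display arp packet statistics`, compares two readings, and reports which discard counters grew in between. The first sample is the output shown above; the second is a constructed later reading.

```python
import re

# SAMPLE_T0 is the 'display arp packet statistics' output shown in this example;
# SAMPLE_T1 is a constructed later reading used to demonstrate the delta check.
SAMPLE_T0 = """\
ARP Pkt Received:   sum   8678904
ARP Learnt Count:   sum     37
ARP Pkt Discard For Limit:   sum      146
ARP Pkt Discard For SpeedLimit:   sum      40529
ARP Pkt Discard For Proxy Suppress:   sum    0
ARP Pkt Discard For Other:   sum   8367601
"""
SAMPLE_T1 = """\
ARP Pkt Received:   sum   8690104
ARP Learnt Count:   sum     39
ARP Pkt Discard For Limit:   sum      146
ARP Pkt Discard For SpeedLimit:   sum      51729
ARP Pkt Discard For Proxy Suppress:   sum    0
ARP Pkt Discard For Other:   sum   8367601
"""

# One counter per line: "<name>:   sum   <value>"; other lines are ignored.
COUNTER_LINE = re.compile(r"^\s*(ARP [A-Za-z ]+?):\s+sum\s+(\d+)\s*$")


def parse_arp_statistics(text):
    """Return {counter name: value} from 'display arp packet statistics' output."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def discard_deltas(before, after):
    """Growth of every 'Discard For ...' counter present in both readings."""
    return {k: after[k] - before[k] for k in before if "Discard For" in k and k in after}


def defences_active(before, after):
    """True when at least one discard counter grew, i.e. an ARP security
    function dropped packets during the interval between the two readings."""
    return any(v > 0 for v in discard_deltas(before, after).values())
```

In the constructed second reading only `ARP Pkt Discard For SpeedLimit` grows, which points at the per-source-MAC or per-source-IP rate limits rather than the entry limit; polling the command periodically and alerting on growth in a specific counter is more informative than checking that a counter is non-zero.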

Configuration File

Configuration file on Router

#                                                                               
 sysname Router
#
vlan batch 10 20 30
#
arp-miss speed-limit source-ip maximum 20                                       
#
arp learning strict
#                                                                               
arp-miss speed-limit source-ip 10.3.3.1 maximum 40                            
arp speed-limit source-ip 10.2.2.1 maximum 10                                    
arp speed-limit source-mac 0001-0001-0001 maximum 10 
arp anti-attack entry-check fixed-mac enable                                    
#
interface Vlanif10                                                             
 ip address 10.1.1.10 255.255.255.0                                                 
#                    
interface Vlanif20                                                             
 ip address 10.2.2.10 255.255.255.0                                                 
#
interface Vlanif30                                                             
 ip address 10.3.3.10 255.255.255.0                                                 
#
interface Ethernet2/0/1
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                                  
 arp-limit vlan 10 maximum 20
#
interface Ethernet2/0/2
 port link-type trunk                                                           
 port trunk allow-pass vlan 20                                                  
#
interface Ethernet2/0/3
 port link-type trunk                                                           
 port trunk allow-pass vlan 30                                                  
#
return
Updated: 2019-08-07

Document ID: EDOC1100034077