
CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring Defense Against ARP Flood Attacks

Pre-configuration Tasks

Configuring defense against ARP flood attacks prevents ARP entry exhaustion and CPU overload on the device.

Before configuring defense against ARP flood attacks, connect interfaces and set physical parameters for the interfaces to ensure that the physical status of the interfaces is Up.

Configuration Procedure

Operations in the configuration procedure can be performed in any sequence.

NOTE:

When rate limit on ARP packets is configured globally or on an interface and rate limit on ARP packets based on the source MAC address or source IP address is also configured, the smallest rate is used.

When rate limit on ARP Miss messages is configured globally or on an interface and rate limit on ARP Miss messages based on the source IP address is also configured, the smallest rate is used.

Configuring Rate Limiting on ARP Packets based on Source MAC Addresses

Context

A large number of ARP packets with a fixed source MAC address and variable IP addresses will cause the CPU of a device to be overloaded and exhaust ARP entries.

To prevent this problem, configure the gateway to limit the rate of ARP packets based on source MAC addresses. The gateway then counts the ARP packets that each source MAC address sends to the CPU. If the number of ARP packets received in one second from a source MAC address exceeds the threshold, the device discards the excess ARP packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure rate limit on ARP packets based on source MAC addresses.

    • Run arp speed-limit source-mac maximum maximum

The maximum rate of ARP packets from any source MAC address is set.

    • Run arp speed-limit source-mac mac-address maximum maximum

      The maximum rate of ARP packets from the specified source MAC address is set.

    When both the preceding commands are executed, the maximum rate set using the arp speed-limit source-mac mac-address maximum maximum command takes effect on ARP packets from the specified source MAC address, and the maximum rate set using the arp speed-limit source-mac maximum maximum command takes effect on ARP packets from other source MAC addresses.

    By default, the maximum rate of ARP packets from each source MAC address is set to 0, that is, the rate of ARP packets is not limited based on source MAC addresses.

Configuring Rate Limiting on ARP Packets based on Source IP Addresses

Context

When a device processes a large number of ARP packets from the same source IP address (for example, because the MAC address or outbound interface associated with that IP address changes frequently), the CPU is overloaded and cannot process other services.

To prevent this problem, configure the gateway to limit the rate of ARP packets based on source IP addresses. The gateway collects statistics on ARP packets from a specified source IP address. If the number of ARP packets received in one second from the specified IP address exceeds the threshold, the device discards the excess ARP packets.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure rate limit on ARP packets based on source IP addresses.

    • Run arp speed-limit source-ip maximum maximum

      The maximum rate of ARP packets from any source IP address is set.

    • Run arp speed-limit source-ip ip-address maximum maximum

      The maximum rate of ARP packets from the specified source IP address is set.

    When both the preceding commands are executed, the maximum rate set using the arp speed-limit source-ip ip-address maximum maximum command takes effect on ARP packets from the specified source IP address, and the maximum rate set using the arp speed-limit source-ip maximum maximum command takes effect on ARP packets from other source IP addresses.

    By default, the device allows a maximum of 5 ARP packets from the same source IP address to pass through per second.
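The following CLI session is an added example of the two preceding procedures (per-source-MAC and per-source-IP rate limiting) and is not taken from the original guide. The MAC address 00e0-fc12-3456, the IP address 10.1.1.100, and the rate values are example values chosen for illustration; lines beginning with # are annotations, not VRP commands.

```text
<Huawei> system-view
# Any single source MAC address may send at most 20 ARP packets/s to the CPU
# (the default of 0 means no per-MAC limit) ...
[Huawei] arp speed-limit source-mac maximum 20
# ... except a known server whose MAC address is 00e0-fc12-3456 (example value),
# which is allowed 50 packets/s. The per-address rate overrides the "any" rate
# only for this address.
[Huawei] arp speed-limit source-mac 00e0-fc12-3456 maximum 50
# Any single source IP address may send at most 10 ARP packets/s (default 5) ...
[Huawei] arp speed-limit source-ip maximum 10
# ... except 10.1.1.100 (example address), which is allowed 30 packets/s.
[Huawei] arp speed-limit source-ip 10.1.1.100 maximum 30
# Check the result.
[Huawei] display arp anti-attack configuration arp-speed-limit
```

Note that these per-source limits are counted in addition to any global or interface rate limit configured with arp anti-attack rate-limit: as the NOTE at the start of this section states, when both are configured the smallest rate is what actually takes effect, so a per-address exception of 50 packets/s is meaningless if the global limit is lower.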

Configuring Rate Limiting on ARP Packets Globally or on an Interface

Context

When processing a large number of ARP packets, a device consumes many CPU resources and cannot process other services. To protect CPU resources of the device, limit the rate of ARP packets.

After rate limiting on ARP packets is enabled, set the maximum rate and rate limiting duration of ARP packets globally or on an interface. In the rate limiting duration, if the number of received ARP packets exceeds the limit, the device discards the excess ARP packets.
  • Limiting the rate of ARP packets globally: limits the number of ARP packets processed on the entire device.

  • Limiting the rate of ARP packets on an interface: limits the number of ARP packets processed on an interface. The configuration on an interface does not affect ARP entry learning on other interfaces.

If the maximum rate and rate limiting duration are configured in both the system view and the interface view, the interface configuration takes effect on that interface, and the system configuration applies to ARP packets on the rest of the device.

If you want the device to generate alarms to notify the network administrator of a large number of discarded excess ARP packets, enable the alarm function. When the number of discarded ARP packets exceeds the alarm threshold, the device generates an alarm.

NOTE:

If the alarm function is enabled, you need to run the arp anti-attack log-trap-timer time command to set the interval for sending alarms.

Perform the following steps on the gateway.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run interface interface-type interface-number

    The interface view is displayed.

    NOTE:

    If you configure rate limiting on ARP packets in the system view, skip the preceding step.

  3. Run arp anti-attack rate-limit enable

    Rate limiting on ARP packets is enabled.

    By default, rate limiting on ARP packets is disabled.

  4. Run arp anti-attack rate-limit packet-number [ interval-value ]

    The maximum rate and rate limiting duration for ARP packets are set.

    By default, a maximum of 100 ARP packets are allowed to pass per second.

  5. (Optional) Run arp anti-attack rate-limit alarm enable

The alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is enabled.

    By default, the alarm function for ARP packets discarded when the rate of ARP packets exceeds the limit is disabled.

  6. (Optional) Run arp anti-attack rate-limit alarm threshold threshold

    The alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is set.

    By default, the alarm threshold of ARP packets discarded when the rate of ARP packets exceeds the limit is 100.
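The following CLI session is an added example of the global and interface rate limiting procedure above, including the alarm and the log-trap-timer interval the NOTE refers to; it is not taken from the original guide. The interface name gigabitethernet 0/0/1 and all numeric values are example values; lines beginning with # are annotations, not VRP commands.

```text
<Huawei> system-view
# Device-wide: at most 200 ARP packets per 2-second window are processed;
# the excess is discarded.
[Huawei] arp anti-attack rate-limit enable
[Huawei] arp anti-attack rate-limit 200 2
# Raise an alarm once more than 500 ARP packets have been discarded, and send
# such alarms at most once every 60 seconds.
[Huawei] arp anti-attack rate-limit alarm enable
[Huawei] arp anti-attack rate-limit alarm threshold 500
[Huawei] arp anti-attack log-trap-timer 60
# A tighter limit on the access-facing interface (example name): 50 ARP
# packets/s. On this interface the interface configuration takes precedence
# over the global 200-per-2-seconds setting.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] arp anti-attack rate-limit enable
[Huawei-GigabitEthernet0/0/1] arp anti-attack rate-limit 50
[Huawei-GigabitEthernet0/0/1] quit
# Check the result.
[Huawei] display arp anti-attack configuration arp-rate-limit
```

Setting the interface limit on the port that faces untrusted hosts, rather than only the global limit, keeps a flood arriving on one port from consuming the whole device's ARP budget and starving ARP learning on the other interfaces.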

Configuring Rate Limiting on ARP Packets on the VLANIF Interface of a Super-VLAN

Context

A VLANIF interface in a super-VLAN is triggered to learn ARP entries in the following scenarios:

  • The VLANIF interface receives IP packets that trigger ARP Miss messages.
  • The VLANIF interface is enabled with ARP proxy and receives ARP packets whose destination IP addresses meet the proxy requirements and match no ARP entry.

The VLANIF interface replicates ARP Request packets to each sub-VLAN when learning ARP entries. If a large number of sub-VLANs are configured for the super-VLAN, the device generates a large number of ARP Request packets. As a result, the CPU is busy processing ARP Request packets, and other services are affected. To prevent this problem, limit the rate of ARP packets on the VLANIF interface of a super-VLAN.

When the CPU is busy processing packets, set the maximum rate of broadcasting ARP Request packets to a small value. When the CPU is idle, set the maximum rate of broadcasting ARP Request packets to a large value. You can set the maximum rate of broadcasting ARP Request packets based on the actual network environment.

Perform the following steps on the gateway.

NOTE:

The AR500 series (except AR509G-L-D-H, AR509GW-L-D-H, AR509G-Lc) do not support Super VLAN.

The AR510 series (except AR515GW-LM9-D) do not support Super VLAN.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run arp speed-limit flood-rate rate

    The maximum rate of broadcasting ARP Request packets on VLANIF interfaces of all super-VLANs is set.

    By default, the maximum rate of broadcasting ARP Request packets on VLANIF interfaces in all super-VLANs is 1000 pps.

Configuring Rate Limiting on ARP Miss Messages based on Source IP Addresses

Context

If a user host sends a large number of IP packets with unresolvable destination IP addresses to a network device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the device for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

If the number of ARP Miss messages triggered by IP packets from a source IP address per second exceeds the limit, the device considers that an attack has been initiated from the source IP address.

The administrator can set the maximum number of ARP Miss messages that the device can process within a specified duration based on the actual network environment, protecting the system resources and ensuring proper running of other services.

Perform the following steps on the gateway.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure rate limiting on ARP Miss messages based on source IP addresses.

    • Run arp-miss speed-limit source-ip maximum maximum

      The maximum rate of ARP Miss messages triggered by IP packets from any source IP address is set.

    • Run arp-miss speed-limit source-ip ip-address maximum maximum

      The maximum rate of ARP Miss messages triggered by IP packets from a specified source IP address is set.

When both of the preceding commands are executed, the maximum rate set using the arp-miss speed-limit source-ip ip-address maximum maximum command takes effect on ARP Miss messages triggered by IP packets from the specified source IP address, and the maximum rate set using the arp-miss speed-limit source-ip maximum maximum command takes effect on ARP Miss messages triggered by IP packets from other source IP addresses.

    If the maximum rate of ARP Miss messages is set to 0, the rate of ARP Miss messages is not limited based on source IP addresses. By default, the device accepts a maximum of 5 ARP Miss messages triggered by IP packets from the same source IP address per second.

Configuring Rate Limiting on ARP Miss Messages Globally

Context

If a user host sends a large number of IP packets with unresolvable destination IP addresses to a network device (the device has a route to the destination IP address of a packet but has no ARP entry matching the next hop of the route), the device generates a large number of ARP Miss messages. IP packets triggering ARP Miss messages are sent to the device for processing. The device generates a large number of temporary ARP entries and sends many ARP Request packets to the network, consuming a large number of CPU and bandwidth resources.

To avoid the preceding problems, it is recommended that you configure rate limit on ARP Miss messages on the gateway.

If you want the device to generate alarms to notify the network administrator of a large number of discarded ARP Miss messages, enable the alarm function. When the number of discarded ARP Miss messages exceeds the alarm threshold, the device generates an alarm.

NOTE:

If the alarm function is enabled, you need to run the arp anti-attack log-trap-timer time command to set the interval for sending alarms.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run arp-miss anti-attack rate-limit enable

    Rate limiting on ARP Miss messages is enabled.

    By default, rate limiting on ARP Miss messages is disabled.

  3. Run arp-miss anti-attack rate-limit packet-number [ interval-value ]

    The maximum rate and rate limiting duration of ARP Miss messages are set.

    By default, the device can process a maximum of 100 ARP Miss messages per second.

  4. (Optional) Run arp-miss anti-attack rate-limit alarm enable

    The alarm function for ARP Miss packets discarded when the rate of ARP Miss packets exceeds the limit is enabled.

    By default, the alarm function is disabled.

  5. (Optional) Run arp-miss anti-attack rate-limit alarm threshold threshold

    The alarm threshold for ARP Miss packets discarded when the rate of ARP Miss packets exceeds the limit is set.

    By default, the alarm threshold is 100.

Configuring the Aging Time of Temporary ARP Entries

Context

When an IP packet triggers an ARP Miss message, the device also generates a temporary ARP entry and sends an ARP Request packet to the destination network.
  • In the aging time of temporary ARP entries:
    • Before receiving an ARP reply packet, the device discards the IP packets matching the temporary ARP entry and does not generate ARP Miss messages.
    • After receiving an ARP Reply packet, the device generates a correct ARP entry to replace the temporary entry.
  • When temporary ARP entries age out, the device clears them. If no ARP entry matches the IP packets forwarded by the device, ARP Miss messages and temporary ARP entries are repeatedly generated.

You can limit the rate of ARP Miss messages by setting the aging time of temporary ARP entries. When a device undergoes an ARP Miss attack, you can extend the aging time of temporary ARP entries to reduce the frequency of triggering ARP Miss messages so that the impact on the device is minimized.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

    The interface type can be Ethernet, GE, Eth-Trunk, or VLANIF.

  3. Run arp-fake expire-time expire-time

    The aging time of temporary ARP entries is set.

    By default, the aging time of temporary ARP entries is 1 second.
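The following CLI session is an added example that combines the three preceding procedures (ARP Miss rate limiting per source IP address, ARP Miss rate limiting globally with alarms, and the aging time of temporary ARP entries) into one ARP Miss defense configuration on a gateway; it is not taken from the original guide. The address 10.1.1.2, the interface vlanif 10, and the numeric values are example values; lines beginning with # are annotations, not VRP commands.

```text
<Huawei> system-view
# Per source IP: at most 10 ARP Miss messages/s (default 5). A legitimate
# scanner or NAT device at 10.1.1.2 (example address) that genuinely talks to
# many destinations is allowed 50/s instead of being treated as an attacker.
[Huawei] arp-miss speed-limit source-ip maximum 10
[Huawei] arp-miss speed-limit source-ip 10.1.1.2 maximum 50
# Device-wide: at most 150 ARP Miss messages/s are processed; alarm once more
# than 300 have been discarded, reported at most once every 60 seconds.
[Huawei] arp-miss anti-attack rate-limit enable
[Huawei] arp-miss anti-attack rate-limit 150
[Huawei] arp-miss anti-attack rate-limit alarm enable
[Huawei] arp-miss anti-attack rate-limit alarm threshold 300
[Huawei] arp anti-attack log-trap-timer 60
# On the user-facing VLANIF (example interface), keep temporary ARP entries for
# 5 seconds instead of the default 1 second: IP packets to the same
# unresolvable destination are dropped against the temporary entry and can
# trigger at most one new ARP Miss per 5 seconds.
[Huawei] interface vlanif 10
[Huawei-Vlanif10] arp-fake expire-time 5
[Huawei-Vlanif10] quit
# Check the result.
[Huawei] display arp anti-attack configuration arpmiss-speed-limit
[Huawei] display arp anti-attack configuration arpmiss-rate-limit
```

The trade-off with a longer temporary-entry aging time is that a host whose ARP reply is merely delayed, rather than absent, also has its packets discarded until the temporary entry ages out or the reply arrives, so extend the timer during an attack rather than leaving a large value in place permanently.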

Configuring Strict ARP Learning

Context

If many user hosts simultaneously send a large number of ARP packets to a device, or attackers send bogus ARP packets to the device, the following problems occur:
  • Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.
  • After receiving bogus ARP packets, the device incorrectly modifies its ARP entries. As a result, authorized users cannot communicate with one another.

To avoid the preceding problems, configure the strict ARP learning function on the gateway. This function allows the gateway to learn only ARP entries for ARP Reply packets in response to ARP Request packets that it has sent. In this way, the gateway can prevent most ARP attacks.

Strict ARP learning can be configured globally or in the interface view.

  • If strict ARP learning is enabled globally, all interfaces on the device learn ARP entries strictly.
  • If strict ARP learning is enabled in the interface view, only this interface learns ARP entries strictly.

When strict ARP learning is enabled globally and in the interface view simultaneously, the configuration on the interface takes precedence over the global configuration.

NOTE:
When strict ARP learning is enabled globally:
  • If you run the arp learning strict force-disable command on a specified interface, strict ARP learning is forced to be disabled on the interface.
  • If you run the arp learning strict trust command on a specified interface, strict ARP learning configured globally takes effect on the interface.

Procedure

  • Configuring strict ARP learning globally
    1. Run system-view

      The system view is displayed.

    2. Run arp learning strict

      Strict ARP learning is enabled globally.

      By default, strict ARP learning is disabled.

  • Configuring strict ARP learning on an interface
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run arp learning strict { force-enable | force-disable | trust }

      Strict ARP learning on the interface is forcibly enabled, forcibly disabled, or set to follow the global configuration.

      By default, strict ARP learning is disabled on the interface.
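The following CLI session is an added example of the strict ARP learning procedure above and is not taken from the original guide. The interface names are example values, and the scenario (one interface that deliberately keeps passive ARP learning) is an assumption made for illustration; lines beginning with # are annotations, not VRP commands.

```text
<Huawei> system-view
# Globally, learn ARP entries only from ARP Reply packets that answer the
# gateway's own ARP Request packets; unsolicited ARP packets no longer create
# or update entries.
[Huawei] arp learning strict
# Exception (assumed scenario): an interface on which the gateway must still
# learn entries from unsolicited ARP packets, so strict learning is forced off
# here only.
[Huawei] interface gigabitethernet 0/0/2
[Huawei-GigabitEthernet0/0/2] arp learning strict force-disable
[Huawei-GigabitEthernet0/0/2] quit
# The access-facing interface follows the global setting explicitly.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] arp learning strict trust
[Huawei-GigabitEthernet0/0/1] quit
# Check the global setting and the per-interface overrides.
[Huawei] display arp learning strict
```

The inverse deployment is also common: leave strict learning disabled globally and use arp learning strict force-enable only on interfaces that face untrusted hosts. Either way, remember the consequence of the definition above: because only replies to the gateway's own requests are learned, a host that changes its MAC address is not updated by the gratuitous ARP it sends, and its old entry persists until it ages out and the gateway re-resolves the address.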

Configuring Interface-based ARP Entry Limiting

Context

To prevent ARP entries from being exhausted by ARP attacks from a host connecting to an interface on the device, set the maximum number of ARP entries that the interface can dynamically learn. When the number of ARP entries learned by a specified interface reaches the maximum number, the interface cannot dynamically learn new ARP entries.

Perform the following steps on the gateway.

Procedure

  • Configuring ARP entry limiting on the Ethernet interface
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

      ARP entry limit on the Ethernet interface is configured.

      By default, the maximum number of ARP entries that an interface can dynamically learn is the maximum value that can be configured on the interface.

      The interface type can be Ethernet, GE, or Eth-Trunk. These interfaces can work at Layer 3 or Layer 2. When they work at Layer 3, you cannot configure the VLAN ID. When they work at Layer 2, you must configure the VLAN ID.

  • Configuring ARP entry limit on the VLANIF interface
    1. Run system-view

      The system view is displayed.

    2. Run interface vlanif interface-number

      The VLANIF interface view is displayed.

    3. Run arp-limit maximum maximum

      ARP entry limit on the VLANIF interface is configured.

      By default, the maximum number of ARP entries that an interface can dynamically learn is the maximum value that can be configured on the interface.

  • Configuring ARP entry limit on the sub-interface
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number [.subnumber ]

      The sub-interface view is displayed.

    3. Run arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

      ARP entry limit on the sub-interface is configured.

      By default, the maximum number of ARP entries that an interface can dynamically learn is the maximum value that can be configured on the interface.

      The interface type can be Ethernet, GE, or Eth-Trunk. These interfaces can work at Layer 3 or Layer 2. When they work at Layer 3, you cannot configure the VLAN ID. When they work at Layer 2, you must configure the VLAN ID.
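The following CLI session is an added example covering the three interface-based ARP entry limiting procedures above (Layer 2 Ethernet interface, VLANIF interface, and sub-interface) together with the verification commands from the next section; it is not taken from the original guide. The interface names, VLAN IDs, and limits are example values, and the sub-interface is assumed to already exist and terminate VLAN 30; lines beginning with # are annotations, not VRP commands.

```text
<Huawei> system-view
# Layer 2 access port carrying VLANs 10 to 20: cap dynamic ARP learning for
# those VLANs at 100 entries. A flooding host on this port can fill at most
# this many entries rather than the device-wide table.
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] arp-limit vlan 10 to 20 maximum 100
[Huawei-GigabitEthernet0/0/1] quit
# Layer 3 gateway interface for the user subnet: at most 200 dynamic entries.
[Huawei] interface vlanif 10
[Huawei-Vlanif10] arp-limit maximum 200
[Huawei-Vlanif10] quit
# Sub-interface for VLAN 30 (assumed to exist): at most 50 dynamic entries.
[Huawei] interface gigabitethernet 0/0/2.30
[Huawei-GigabitEthernet0/0/2.30] arp-limit vlan 30 maximum 50
[Huawei-GigabitEthernet0/0/2.30] quit
# Verify the limits and the rest of the ARP anti-attack configuration.
[Huawei] display arp-limit
[Huawei] display arp-limit interface gigabitethernet 0/0/1 vlan 10
[Huawei] display arp anti-attack configuration all
```

Size each limit from the number of hosts that legitimately sit behind the interface (for a /24 user subnet, somewhat above 254), not from the table capacity: once the limit is reached the interface learns no new entries at all, so a limit set too low turns an attacker's flood into a denial of service for the late-arriving legitimate hosts.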

Verifying the ARP Flood Attack Defense Configuration

Procedure

  • Run the display arp anti-attack configuration { arp-rate-limit | arpmiss-rate-limit | arp-speed-limit | arpmiss-speed-limit | entry-check | gateway-duplicate | packet-check | all } command to check the ARP anti-attack configuration.

  • Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to check the maximum number of ARP entries that an interface can learn.
  • Run the display arp learning strict command to check strict ARP learning globally and on all interfaces.
Updated: 2019-05-20

Document ID: EDOC1100034236