
Configuration Guide - IP Service

S1720, S2700, S5700, and S6720 V200R012(C00 and C20)

This document describes the configurations of IP Service, including IP address, ARP, DHCP, DHCP policy VLAN, DNS, mDNS gateway, mDNS relay, UDP Helper, IP performance optimization, IPv6, DHCPv6, IPv6 DNS, IPv6 over IPv4 tunnel, and IPv4 over IPv6 tunnel.
Can Static ARP Implement the Binding of IP Addresses and MAC Addresses?

Static ARP can implement the binding of IP addresses and MAC addresses to prevent ARP entries from being updated by forged ARP packets sent by attackers. However, even if static ARP is configured, users who change their IP addresses without permission can still access external networks. To address this problem, configure IP source guard (IPSG).

Dynamic ARP inspection (DAI) and egress ARP inspection (EAI) can also implement the binding of IP addresses and MAC addresses. The application scenarios for static ARP, IPSG, DAI, and EAI are different. You can deploy these functions according to service requirements.

Static ARP

Scenario

Static ARP entries are applicable when:
  • Networks contain critical devices such as servers. In this case, static ARP entries can be configured on the switch. As such, network attackers cannot update the ARP entries containing IP addresses of the critical devices on the switch using ARP attack packets, thereby ensuring communication between users and the critical devices.
  • Networks contain user devices with multicast MAC addresses. By default, a device does not learn ARP entries from received ARP packets whose source MAC address is a multicast MAC address, so static ARP entries must be configured on the switch for such devices.
  • A network administrator wants to prevent an IP address from accessing devices. In this case, static ARP entries can be configured on the switch to bind the IP address to an unavailable MAC address.

Implementation

Static ARP entries cannot be aged or overwritten by dynamic ARP entries. You can run the arp static command to manually configure a static ARP entry, or use automatic scanning and fixed ARP entries to batch configure static ARP entries.
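The following simulation is an added illustration and is not Huawei code; it models an ARP cache in Python to show the three properties described above: a static entry is not overwritten by a later ARP packet claiming the same IP address, a packet whose source MAC is a multicast address is not learned at all, and only dynamic entries are aged out. The MAC addresses, the IP addresses and the 1200-second aging time are constructed sample values.

```python
"""Simulated ARP cache (added example, not Huawei code) showing why static
entries resist forged ARP packets and are never aged out."""
from dataclasses import dataclass

AGING_TIME = 1200  # assumed aging time in seconds for this simulation


@dataclass
class ArpEntry:
    ip: str
    mac: str
    static: bool
    age: int = 0  # seconds since last refresh; ignored for static entries


def is_multicast_mac(mac: str) -> bool:
    """True if the I/G bit (least-significant bit of the first octet) is set.
    Accepts both aa:bb:cc:dd:ee:ff and aabb-ccdd-eeff notation."""
    hexdigits = mac.replace(":", "").replace("-", "")
    return bool(int(hexdigits[:2], 16) & 0x01)


class ArpCache:
    def __init__(self) -> None:
        self.entries: dict[str, ArpEntry] = {}

    def add_static(self, ip: str, mac: str) -> None:
        # Manual binding, in the spirit of `arp static ip mac`: replaces any
        # dynamic entry for the same IP and can only be removed by the operator.
        self.entries[ip] = ArpEntry(ip, mac, static=True)

    def learn(self, sender_ip: str, sender_mac: str) -> bool:
        """Process the sender fields of a received ARP packet.
        Returns True only if the cache was actually changed."""
        if is_multicast_mac(sender_mac):
            return False  # default behaviour: multicast source MACs are not learned
        existing = self.entries.get(sender_ip)
        if existing is not None and existing.static:
            return False  # a static entry cannot be overwritten by dynamic learning
        self.entries[sender_ip] = ArpEntry(sender_ip, sender_mac, static=False)
        return True

    def age(self, seconds: int) -> None:
        """Advance time; dynamic entries that reach AGING_TIME are removed."""
        for ip, entry in list(self.entries.items()):
            if entry.static:
                continue
            entry.age += seconds
            if entry.age >= AGING_TIME:
                del self.entries[ip]

    def lookup(self, ip: str):
        entry = self.entries.get(ip)
        return entry.mac if entry is not None else None


def demo() -> dict:
    cache = ArpCache()
    cache.add_static("10.1.1.10", "00e0-fc01-0001")            # constructed server entry
    cache.learn("10.1.1.20", "00e0-fc02-0002")                 # ordinary dynamic entry
    forged = cache.learn("10.1.1.10", "00e0-fc0b-ad01")        # forged packet for the server IP
    mcast = cache.learn("10.1.1.30", "0100-5e00-00fb")         # multicast source MAC
    cache.age(AGING_TIME)                                      # let dynamic entries expire
    return {
        "server_mac": cache.lookup("10.1.1.10"),   # static entry still intact
        "forged_accepted": forged,                 # False
        "multicast_learned": mcast,                # False
        "dynamic_after_aging": cache.lookup("10.1.1.20"),  # None, aged out
    }


if __name__ == "__main__":
    print(demo())
```

The `age` step is what distinguishes the two entry types in practice: after the aging time the dynamic entry for 10.1.1.20 is gone and must be relearned, while the static entry for the server keeps the MAC address the operator configured.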

IPSG

Scenario

IPSG is used to prevent unauthorized users from forging IP addresses. For example, after IPSG is configured, users who change IP addresses without permission on a network are denied access to external networks.

In IP address forging scenarios, attackers use their own MAC addresses but misappropriate other users' IP addresses for communication, in order to obtain the attacked user's rights or the packets that should be sent to the attacked user.

Implementation

IPSG is used to verify IP packets against dynamic or static DHCP binding tables.

When forwarding an IP packet, a device compares the source IP address, source MAC address, interface, and VLAN in the IP packet with the information in the binding table. (The comparison items are configurable. For example, you can configure only the source IP address and VLAN for comparison.)
  • If the parameters match the table information, the user is authorized, and the device forwards the IP packet.
  • If the parameters do not match the table information, the device considers the packet an attack and discards it.

When configuring IPSG, you can run the user-bind static command to configure a static binding table.

DAI

Scenario

DAI is used to prevent man-in-the-middle (MITM) attacks. If DAI is not configured, ARP entries of authorized users on a device may be updated by forged ARP packets sent by attackers.

Implementation

DAI is used to verify ARP packets against dynamic or static DHCP binding tables.

When receiving an ARP packet, a device compares the source IP address, source MAC address, interface, and VLAN in the ARP packet with the information in the binding table. (The comparison items are configurable. For example, you can configure only the source IP address and VLAN information for comparison.)
  • If the parameters match the table information, the user is authorized, and the device allows the ARP packet to pass.
  • If the parameters do not match the table information, the device considers the packet an attack and discards it.

When configuring DAI, you can run the user-bind static command to configure a static binding table.

EAI

Scenario

EAI is used to avoid broadcasting ARP Request packets. It reduces the impact of ARP broadcast packets on the network and ensures normal services for users.

Implementation

EAI determines the outbound interface of an ARP Request packet according to the dynamic DHCP snooping binding table and forwards the packet through this outbound interface to prevent broadcast.
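The example below is added here to illustrate the IPSG, DAI and EAI sections above together; it is not Huawei code. It builds a small binding table of the kind DHCP snooping populates (plus one entry of the kind `user-bind static` creates), runs the same comparison logic over an IP packet (IPSG) and an ARP packet (DAI) with the comparison items configurable as the text describes, and resolves an ARP Request's target IP to an outbound interface from the dynamic bindings the way EAI does. All addresses, interface names and VLAN IDs are constructed sample values.

```python
"""Added example (not Huawei code): a binding table and the checks that
IPSG, DAI and EAI perform against it."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str
    vlan: int
    static: bool = False  # True for manually configured entries, False for DHCP-learned


# Constructed binding table: two DHCP-learned entries and one static entry.
BINDING_TABLE = [
    Binding("10.1.1.11", "00e0-fc01-0011", "GE0/0/1", 10),
    Binding("10.1.1.12", "00e0-fc01-0012", "GE0/0/2", 10),
    Binding("10.1.1.100", "00e0-fc01-0100", "GE0/0/5", 10, static=True),
]

ALL_ITEMS = ("ip", "mac", "interface", "vlan")


def matches_binding_table(packet: dict, items: Iterable[str] = ALL_ITEMS,
                          table: Iterable[Binding] = BINDING_TABLE) -> bool:
    """True if some binding agrees with the packet on every configured
    comparison item. This is the common core of IPSG and DAI."""
    items = tuple(items)
    return any(all(getattr(b, item) == packet[item] for item in items) for b in table)


def ipsg_forward(ip_packet: dict, items: Iterable[str] = ALL_ITEMS) -> bool:
    """IPSG: forward the IP packet only if its source IP/MAC, inbound
    interface and VLAN (or the configured subset) match a binding."""
    return matches_binding_table(ip_packet, items)


def dai_permit(arp_packet: dict, items: Iterable[str] = ALL_ITEMS) -> bool:
    """DAI: the sender IP/MAC fields of an ARP packet are checked the same way."""
    return matches_binding_table(arp_packet, items)


def eai_outbound_interface(target_ip: str,
                           table: Iterable[Binding] = BINDING_TABLE) -> Optional[str]:
    """EAI: resolve the target IP of an ARP Request through the dynamic
    (DHCP-learned) bindings so the request can be sent out one interface
    instead of being broadcast. None means no dynamic binding exists."""
    for b in table:
        if not b.static and b.ip == target_ip:
            return b.interface
    return None


def demo() -> dict:
    legit = {"ip": "10.1.1.11", "mac": "00e0-fc01-0011", "interface": "GE0/0/1", "vlan": 10}
    # The same host after changing its IP address without permission.
    changed_ip = dict(legit, ip="10.1.1.99")
    # A host on GE0/0/3 using its own MAC but another user's IP address.
    spoof = {"ip": "10.1.1.12", "mac": "00e0-fc01-beef", "interface": "GE0/0/3", "vlan": 10}
    return {
        "legit_forwarded": ipsg_forward(legit),                        # True
        "changed_ip_forwarded": ipsg_forward(changed_ip),              # False
        "spoof_arp_all_items": dai_permit(spoof),                      # False
        "spoof_arp_ip_vlan_only": dai_permit(spoof, ("ip", "vlan")),  # True: weaker check
        "eai_dynamic": eai_outbound_interface("10.1.1.12"),           # GE0/0/2
        "eai_static_only": eai_outbound_interface("10.1.1.100"),      # None
        "eai_unknown": eai_outbound_interface("10.1.1.200"),          # None
    }


if __name__ == "__main__":
    print(demo())
```

The `spoof_arp_ip_vlan_only` result shows the practical cost of narrowing the comparison items: with only the source IP address and VLAN compared, a packet carrying a bound IP address from a different MAC and interface still matches, so the full item set should be kept unless a deployment has a specific reason to relax it. The EAI lookup deliberately ignores the static entry because the text ties EAI to the dynamic DHCP snooping binding table.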

Updated: 2018-12-24

Document ID: EDOC1100038342