Web-based Configuration Guide

AR650, AR1600, and AR6100 V300R003

This document describes how to configure and maintain your routers using the web platform.
ARP Attack Defense

Context

To defend against ARP address spoofing attacks, configure ARP anti-spoofing. The three anti-spoofing modes fixed-mac, fixed-all, and send-ack are mutually exclusive and apply to different scenarios:
  • fixed-mac mode: When receiving an ARP packet, the device discards the packet if its MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address matches the entry but the port number or VLAN ID does not, the device updates the port number or VLAN ID mapped to that MAC address in the ARP table. This mode applies to networks that use static IP addresses and have redundant links: when services are switched from one link to another, the port information in the ARP entry can change rapidly, and this mode allows the change without accepting a new MAC address.
  • fixed-all mode: The device updates the other information in an ARP entry only when the MAC address, port number, and VLAN ID of the ARP packet all match that entry. This mode applies to networks that use static IP addresses and have no redundant link, where each IP address always accesses the device through the same port.
  • send-ack mode: When receiving an ARP packet whose MAC address, port number, or VLAN ID differs from the existing entry, the device does not update the ARP entry immediately. Instead, it sends a unicast ARP Request packet to the IP address that maps to the original MAC address in the ARP entry, and decides whether to change the MAC address, VLAN ID, or port number in the entry depending on whether and how that host responds. This mode applies to networks that use dynamic IP addresses and have redundant links.
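The following Python model, added here as an illustration and not Huawei code, shows how the three modes differ in what they do with an ARP packet that conflicts with an existing entry. The table layout, the `ArpEntry` class, the `handle_arp` function and the `probe_reply` parameter (standing in for the unicast ARP Request that send-ack mode issues) are all assumptions of this example; the sample addresses are constructed.

```python
# Constructed model of the three ARP anti-spoofing modes; not Huawei code.
# The ARP table maps an IP address to the (MAC, port, VLAN) it was learned with.
from dataclasses import dataclass


@dataclass
class ArpEntry:
    mac: str
    port: str
    vlan: int


def handle_arp(table, mode, ip, mac, port, vlan, probe_reply=None):
    """Apply one incoming ARP packet to `table` under `mode`; return the action.

    probe_reply models send-ack's unicast ARP Request to the current owner:
    True means the original host answered, False means it stayed silent.
    """
    entry = table.get(ip)
    if entry is None:
        # Assumption: an IP with no entry has nothing to protect, so it is learned.
        table[ip] = ArpEntry(mac, port, vlan)
        return "learn"
    if (entry.mac, entry.port, entry.vlan) == (mac, port, vlan):
        return "refresh"  # everything matches: only aging/other info is updated
    if mode == "fixed-mac":
        # MAC is pinned; port/VLAN may follow a link switch on redundant links.
        if mac != entry.mac:
            return "discard"
        entry.port, entry.vlan = port, vlan
        return "update-port-vlan"
    if mode == "fixed-all":
        # MAC, port and VLAN are all pinned; any change is dropped.
        return "discard"
    if mode == "send-ack":
        # Ask the current owner first; replace the entry only if it stays silent.
        if probe_reply:
            return "discard"
        table[ip] = ArpEntry(mac, port, vlan)
        return "update-after-probe"
    raise ValueError(f"unknown anti-spoofing mode: {mode}")


if __name__ == "__main__":
    # Constructed sample: a packet claims 10.0.0.5 from a MAC other than the one on file.
    for mode in ("fixed-mac", "fixed-all", "send-ack"):
        t = {"10.0.0.5": ArpEntry("aa:aa:aa:aa:aa:aa", "GE0/0/1", 10)}
        act = handle_arp(t, mode, "10.0.0.5", "bb:bb:bb:bb:bb:bb", "GE0/0/1", 10, True)
        print(mode, act, t["10.0.0.5"].mac)
```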

When the device has to process a large number of ARP packets, its CPU load increases. The device also learns ARP entries from these packets, so ARP entry resources are occupied by invalid entries. As a result, the device can no longer learn ARP entries from the ARP packets of authorized users, and their communication is interrupted. In addition, the device updates existing ARP entries from bogus ARP packets, which causes communication with authorized users to fail. To address these problems, enable strict ARP learning.

After strict ARP learning is enabled, the device learns ARP entries only from ARP Reply packets that answer ARP Request packets it sent itself, and does not learn ARP entries from ARP Request packets sent by other devices. This prevents most attacks that rely on unsolicited ARP packets.

When processing a large number of ARP packets, the device may not have sufficient CPU resources left for other services. To protect the CPU resources of the device, limit the rate of ARP packets.
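The model below, added here as an illustration and not Huawei code, combines the two behaviours just described: strict ARP learning (only a Reply that answers a Request this device sent is learned) and a per-second ARP packet rate limit where a limit of 0 disables limiting, matching the note in the procedure. The `StrictArpLearner` class, its method names and the sliding-window counter are assumptions of this example; the addresses and timestamps are constructed.

```python
# Constructed model of strict ARP learning plus ARP packet rate limiting; not Huawei code.
from collections import deque


class StrictArpLearner:
    def __init__(self, pps=5):
        self.pps = pps              # 0 disables rate limiting (as in the web UI note)
        self.pending = set()        # IPs this device has itself sent a Request for
        self.table = {}             # ip -> mac learned under strict learning
        self.stamps = deque()       # arrival times of accepted packets, last second

    def send_request(self, ip):
        # The device resolves an IP itself; only the matching Reply may be learned.
        self.pending.add(ip)

    def receive(self, now, op, sender_ip, sender_mac):
        """Return 'rate-limited', 'learned' or 'ignored' for one ARP packet."""
        # Rate limit: drop when `pps` packets were already accepted in the last second.
        while self.stamps and now - self.stamps[0] >= 1.0:
            self.stamps.popleft()
        if self.pps and len(self.stamps) >= self.pps:
            return "rate-limited"
        self.stamps.append(now)
        # Strict learning: Requests from others and unsolicited Replies never teach us.
        if op == "reply" and sender_ip in self.pending:
            self.pending.discard(sender_ip)
            self.table[sender_ip] = sender_mac
            return "learned"
        return "ignored"


if __name__ == "__main__":
    dev = StrictArpLearner(pps=5)
    print(dev.receive(0.0, "request", "10.0.0.7", "aa:aa:aa:aa:aa:aa"))  # ignored
    dev.send_request("10.0.0.7")
    print(dev.receive(0.1, "reply", "10.0.0.7", "aa:aa:aa:aa:aa:aa"))    # learned
```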

Procedure

  • Enabling ARP anti-spoofing
    1. Log in to the web platform and choose Security > Security Protection > ARP Attack Defense. The ARP Attack Defense tab page is displayed, as shown in Figure 14-43.

      Figure 14-43  ARP Attack Defense

    2. Set ARP anti-spoofing to Enabled, set Anti-spoofing mode, and click Apply. In the Information dialog box that is displayed, click OK.
  • Disabling ARP anti-spoofing
    1. Log in to the web platform and choose Security > Security Protection > ARP Attack Defense. The ARP Attack Defense tab page is displayed.
    2. Set ARP anti-spoofing to Disabled, and click Apply. In the Information dialog box that is displayed, click OK.
  • Enabling strict ARP learning
    1. Log in to the web platform and choose Security > Security Protection > ARP Attack Defense. The ARP Attack Defense tab page is displayed.
    2. Set Strict ARP learning to Enabled, and click Apply. In the Information dialog box that is displayed, click OK.
  • Disabling strict ARP learning
    1. Log in to the web platform and choose Security > Security Protection > ARP Attack Defense. The ARP Attack Defense tab page is displayed.
    2. Set Strict ARP learning to Disabled, and click Apply. In the Information dialog box that is displayed, click OK.
  • Enabling ARP packet rate limiting
    1. Log in to the web platform and choose Security > Security Protection > ARP Attack Defense. The ARP Attack Defense tab page is displayed.
    2. Set ARP packet rate limit to Enabled, enter a limit in the Rate limit (pps) text box, and click Apply. In the Information dialog box that is displayed, click OK.

      NOTE:

      By default, ARP packet rate limiting is enabled; the default rate limit is 5 pps. When Rate limit (pps) is set to 0, ARP packet rate limiting is disabled.

  • Disabling ARP packet rate limiting
    1. Log in to the web platform and choose Security > Security Protection > ARP Attack Defense. The ARP Attack Defense tab page is displayed.
    2. Set ARP packet rate limit to Disabled, and click Apply. In the Information dialog box that is displayed, click OK.
Updated: 2019-04-12

Document ID: EDOC1100041803