NE40E V800R010C10SPC500 Feature Description - Security 01

Strict ARP Learning

Background

As networks grow, attacks launched by sending Address Resolution Protocol (ARP) request and reply packets become more frequent, and they can prevent normal network services from being processed.
  • After receiving a large number of ARP request packets in a short period, a gateway device may become abnormal because of its limited processing capability. As a result, network communication is affected.
  • After receiving bogus ARP packets from network attackers, a gateway device updates ARP entries based on the MAC address carried in the bogus ARP packets. As a result, the communication between authorized users is interrupted.

These problems can be solved by configuring strict ARP learning. A device that has strict ARP learning configured learns only address information carried in the ARP reply packets in response to the ARP request packets that the device itself sends.

Implementation

Figure 3-2 shows how strict ARP learning is implemented.
Figure 3-2 Strict ARP learning

On the network shown in Figure 3-2, the provider edge (PE) sends an ARP request packet to request the MAC address of host A, and the attacker sends an ARP request packet to request the MAC address of the PE. If strict ARP learning is not configured on the PE, the PE learns the address information carried in both the ARP reply packet sent by host A and the ARP request packet sent by the attacker.

If strict ARP learning is configured on the PE, the PE learns only the address information carried in the ARP reply packet that host A sends in response to the PE's ARP request packet. The PE still responds to the ARP request packet from the attacker, but it does not learn or update ARP entries based on that packet.
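
The learning decision described above can be modeled in a few lines. This is an added example, not Huawei code or NE40E configuration: the `Gateway` and `ArpPacket` classes, the `run` helper, the documentation-range addresses, and the simplified non-strict behavior (learn from every ARP packet) are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

REQUEST, REPLY = 1, 2  # ARP opcodes

@dataclass
class ArpPacket:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str

@dataclass
class Gateway:
    ip: str
    mac: str
    strict: bool
    cache: dict = field(default_factory=dict)  # learned IP -> MAC entries
    pending: set = field(default_factory=set)  # IPs this device has requested

    def send_request(self, target_ip):
        """Record the outstanding request and return the packet to send."""
        self.pending.add(target_ip)
        return ArpPacket(REQUEST, self.ip, self.mac, target_ip)

    def receive(self, pkt):
        """Process an inbound ARP packet; return our reply packet or None."""
        solicited = pkt.op == REPLY and pkt.sender_ip in self.pending
        if solicited:
            self.pending.discard(pkt.sender_ip)
        # Strict: learn only from replies to our own requests.
        # Non-strict (simplified assumption): learn from any ARP packet.
        if solicited or not self.strict:
            self.cache[pkt.sender_ip] = pkt.sender_mac
        # A request for our own address is answered in both modes.
        if pkt.op == REQUEST and pkt.target_ip == self.ip:
            return ArpPacket(REPLY, self.ip, self.mac, pkt.sender_ip)
        return None

def run(strict):
    """Replay the Figure 3-2 exchange with constructed addresses."""
    pe = Gateway("192.0.2.1", "00:00:5e:00:53:01", strict)
    pe.send_request("192.0.2.10")  # PE asks for host A
    pe.receive(ArpPacket(REPLY, "192.0.2.10", "00:00:5e:00:53:0a", pe.ip))
    # Attacker's ARP request for the PE's MAC address.
    answer = pe.receive(ArpPacket(REQUEST, "192.0.2.66", "00:00:5e:00:53:ff", pe.ip))
    # Bogus reply naming host A's IP, sent after the real exchange finished.
    pe.receive(ArpPacket(REPLY, "192.0.2.10", "00:00:5e:00:53:ff", pe.ip))
    return pe.cache, answer
```

With `run(True)` the cache holds only host A's genuine entry while the attacker's request is still answered; with `run(False)` the same packets add an entry for the attacker and overwrite host A's entry.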

Usage Scenario

Strict ARP learning is deployed on access and aggregation devices.

Benefits

Strict ARP learning protects devices from attacks that use ARP request packets, and from ARP reply packets that are not sent in response to ARP request packets that the device itself sends. As a result, network communication security and reliability are improved.

Updated: 2019-01-03

Document ID: EDOC1100055047
