NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Anti-ARP Flooding

Address Resolution Protocol (ARP) anti-flooding functions include strict ARP learning, ARP entry limit, and ARP packet rate limit. These functions relieve CPU load and prevent ARP entry overflow, ensuring normal network operation.

Usage Scenario

Attackers forge and send a device excessive ARP request packets and gratuitous ARP packets whose IP addresses cannot be mapped to media access control (MAC) addresses. As a result, the device's ARP buffer overflows, the device can no longer cache valid ARP entries, and valid ARP packets cannot be transmitted.

  • Strict ARP learning: The device learns the MAC addresses of only the ARP reply packets in response to the ARP request packets sent by itself. This prevents attacks that send ARP request packets and ARP reply packets that are not in response to the request packets that the device itself sends.
  • ARP entry limit: The device limits the number of ARP entries that an interface can learn to prevent ARP entry overflow and improve ARP entry security.
  • ARP packet rate limit: The device counts the number of received ARP packets. If the number of ARP packets received in a specified period exceeds a specified limit, the device does not process additional ARP packets. This function prevents ARP entry overflow.

Pre-configuration Tasks

Before configuring anti-ARP flooding, complete the following tasks:
  • Configure the physical parameters for the interface and ensure that the physical layer status of the interface is Up.
  • Configure the link layer parameters for the interface and ensure that the link layer protocol status of the interface is Up.

Configuration Procedures

Perform one or more of the following mandatory configurations based on the application environment.

Figure 3-2 Flowchart for configuring anti-ARP flooding

Restricting Dynamic ARP Entry Learning

When a large number of ARP entries are generated on a specified interface, you can prevent the interface from dynamically learning ARP entries.

Background Information

  • If dynamic ARP entry learning is disabled on an interface, traffic forwarding may fail on this interface.

  • After dynamic ARP entry learning is disabled on an interface, the system will not automatically delete the ARP entries that were learnt previously on this interface. You can delete or retain these dynamic ARP entries as required.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run arp learning disable

    Dynamic ARP entry learning is disabled on the interface.

  4. Run commit

    The configuration is committed.

Strict ARP Learning

When strict Address Resolution Protocol (ARP) learning is enabled, the device learns the media access control (MAC) addresses of only those ARP reply packets that respond to ARP request packets the device itself sent. This prevents attacks that rely on ARP request packets and on ARP reply packets that do not answer a request the device sent.

Background Information

This function can be configured in the system view or interface view.

  • If strict ARP learning is not configured, the device processes ARP entries as follows:
    • After receiving an ARP reply packet in response to an ARP request packet that the device itself sent, the device checks whether the source IP address in the packet matches an ARP entry.

      • If no matching entry exists, the device creates an ARP entry using source IP and MAC addresses carried in the packet.

      • If a matching entry exists, the device updates the entry based on the source IP and MAC addresses carried in the packet.

    • After receiving an ARP request packet, the device sends an ARP reply packet and then creates an ARP entry.

  • If strict ARP learning is configured, the device processes ARP packets as follows:
    • After receiving an ARP reply packet, the device checks whether the packet is in response to an ARP request packet sent by itself. If so, the device creates an ARP entry or updates the existing ARP entry based on the packet. If not, the device neither creates an ARP entry nor updates the existing ARP entry.

    • After receiving an ARP request packet, the device sends an ARP reply packet but does not create an ARP entry or update the existing ARP entry.

Procedure

  • Enable strict ARP learning globally.
    1. Run system-view

      The system view is displayed.

    2. Run arp learning strict

      Strict ARP learning is enabled globally.

    3. Run commit

      The configuration is committed.

  • Enable strict ARP learning for an interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run arp learning strict force-enable

      Strict ARP learning is enabled for the interface.

    4. Run commit

      The configuration is committed.

    NOTE:
    • By default, after strict ARP learning is enabled globally, strict ARP learning is enabled on all interfaces.
    • When strict ARP learning is enabled globally:
      • You can run the arp learning strict force-disable command in the interface view to disable strict ARP learning for the specified interface.
      • You can run the arp learning strict trust command to configure the specified interface to use the global strict ARP learning configuration.

ARP Entry Limit

After Address Resolution Protocol (ARP) entry limit is enabled, the device limits the number of ARP entries that an interface can learn, which prevents ARP entry overflow and improves ARP entry security.

Background Information

If a device receives excessive ARP packets in a short period, the device's buffer will overflow, interrupting services of authorized users. This problem can be solved by configuring an ARP entry limit on the device. After ARP entry limit is configured, the device limits the number of ARP entries that each interface can learn, preventing ARP entry overflow and improving ARP entry security.

  • Ethernet, GE, and Eth-Trunk interfaces can be Layer 2 or Layer 3 interfaces. The vlan-id parameter must be specified for Layer 2 interfaces and cannot be specified for Layer 3 interfaces.

  • Ethernet, GE, and Eth-Trunk sub-interfaces can be common sub-interfaces or QinQ termination sub-interfaces. The vlan-id parameter cannot be specified for common sub-interfaces but must be specified for QinQ termination sub-interfaces, where it indicates the outer virtual local area network (VLAN) ID of the sub-interface.
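
The strict ARP learning behaviour described in the previous section and the per-interface entry limit described above, as an added Python illustration that is not Huawei code: a simplified ARP table learns a reply only when strict learning is off or the reply answers a request the device itself sent, answers requests without learning them under strict mode, and refuses new entries on an interface that has reached its arp-limit maximum. Interface names, IP and MAC addresses are constructed sample values.

```python
"""Simplified ARP table applying strict ARP learning and a per-interface entry limit.

Added illustration, not Huawei code: 'strict' models arp learning strict and 'limits'
models arp-limit maximum. Interface names, IP and MAC addresses are constructed."""
from dataclasses import dataclass, field


@dataclass
class ArpTable:
    strict: bool = False                         # arp learning strict
    limits: dict = field(default_factory=dict)   # interface -> max entries
    entries: dict = field(default_factory=dict)  # (interface, ip) -> mac
    pending: set = field(default_factory=set)    # IPs this device has asked for
    not_learned: int = 0                         # packets that did not touch the table

    def send_request(self, ip):
        self.pending.add(ip)                     # remember our own request for matching

    def _learn(self, iface, ip, mac):
        key = (iface, ip)
        if key not in self.entries and iface in self.limits:   # new entry: check limit
            if sum(1 for i, _ in self.entries if i == iface) >= self.limits[iface]:
                self.not_learned += 1
                return False
        self.entries[key] = mac                  # create or update
        return True

    def receive_reply(self, iface, src_ip, src_mac):
        """Without strict learning every reply is learned; with it, only solicited ones."""
        if self.strict and src_ip not in self.pending:
            self.not_learned += 1
            return False
        self.pending.discard(src_ip)
        return self._learn(iface, src_ip, src_mac)

    def receive_request(self, iface, src_ip, src_mac):
        """The device always answers a request; under strict learning the table stays untouched."""
        if self.strict:
            self.not_learned += 1
            return False
        return self._learn(iface, src_ip, src_mac)


def demo():
    """Constructed scenario, limit 2 on GE0/1/1: returns [(entries, not_learned)] for lax, strict."""
    results = []
    for table in (ArpTable(), ArpTable(strict=True)):
        table.limits["GigabitEthernet0/1/1"] = 2
        table.send_request("10.0.0.1")
        table.receive_reply("GigabitEthernet0/1/1", "10.0.0.1", "00e0-fc00-0001")    # solicited
        table.receive_reply("GigabitEthernet0/1/1", "10.0.0.2", "00e0-fc00-0002")    # unsolicited
        table.receive_request("GigabitEthernet0/1/1", "10.0.0.3", "00e0-fc00-0003")  # foreign request
        results.append((len(table.entries), table.not_learned))
    return results   # [(2, 1), (1, 2)]
```

In the non-strict run the third packet is refused by the entry limit alone; in the strict run both the unsolicited reply and the foreign request leave the table untouched.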

Procedure

  • Configure ARP entry limit for a physical interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The physical interface view is displayed.

    3. Run arp-limit [ vlan vlan-id1 [ to vlan-id2 ] ] maximum maximum

      ARP entry limit is configured for the physical interface.

    4. Run commit

      The configuration is committed.

  • Configure ARP entry limit for a VLANIF interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface vlanif interface-number

      The VLANIF interface view is displayed.

    3. Run arp-limit maximum maximum

      ARP entry limit is configured for a VLANIF interface.

    4. Run commit

      The configuration is committed.

  • Configure ARP entry limit for a sub-interface.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number [.subnumber ]

      The sub-interface view is displayed.

    3. Run arp-limit [ vlan vlan-id1 [ to vlan-id2 ] ] maximum maximum

      ARP entry limit is configured for the sub-interface.

    4. Run commit

      The configuration is committed.

Configuring an ARP Packet Rate Limit

If a device receives excessive Address Resolution Protocol (ARP) packets in a short period, the device becomes busy learning entries and replying to the ARP packets, which can interrupt the processing of other services. To resolve this problem, configure an ARP packet rate limit on the device.

Context

A device that is processing a large number of ARP packets does not have sufficient CPU resources left for other services. To protect the device's CPU resources, limit the rate of ARP packets.

After a rate limit is configured for ARP packets, if the number of ARP packets received in one second exceeds the limit, the device discards the excess ARP packets.

Procedure

  • Configure ARP packet rate limit based on user addresses.
    1. Run system-view

      The system view is displayed.

    2. Run arp speed-limit { destination-ip | source-ip } maximum maximum [ slot slot-id ]

      ARP packet rate limit based on user addresses is configured.

    3. Run commit

      The configuration is committed.

Configuring an ARP Miss Message Rate Limit

If a device generates a large number of ARP Miss messages in a specified period of time, the device will not process the ARP Miss messages exceeding a configured threshold.

Background Information

After the ARP Miss message rate limit is configured, the device counts the number of received ARP Miss messages. If the number of ARP Miss messages received in a specified period exceeds a specified limit, the device does not process additional ARP Miss messages.

Procedure

  • Configure ARP Miss message rate limit based on source IP addresses.
    1. Run system-view

      The system view is displayed.

    2. Run arp-miss speed-limit source-ip maximum maximum [ slot slot-id ]

      ARP Miss message rate limit based on source IP addresses is configured.

    3. Run commit

      The configuration is committed.

  • (Optional) Set the aging time of dynamic fake ARP entries.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run arp-fake expire-time expire-time

      The aging time of dynamic fake ARP entries is set.

(Optional) Enabling the Device to Record Logs and Generate Alarms About Potential Attacks

To locate and resolve potential attacks, you can enable the device to record logs and generate alarms about potential attacks.

Background Information

After Address Resolution Protocol (ARP) Miss message rate limit is configured, the device counts the number of received ARP Miss messages. If the number of ARP Miss messages received in a specified period exceeds a specified limit, the device discards additional ARP Miss messages. The device considers this problem as a potential attack. The device records logs and generates alarms about potential attacks.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run arp anti-attack log-trap-timer timer

    The device is enabled to record logs and generate alarms about potential attacks.

  3. Run commit

    The configuration is committed.
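
The rate-limit and alarm behaviour of the two preceding procedures (arp speed-limit source-ip maximum and arp anti-attack log-trap-timer), as an added Python model that is not Huawei code: a per-source one-second counter discards packets beyond the maximum, and each drop is treated as a potential attack that raises at most one alarm per timer interval. Timestamps and source IPs are constructed sample data.

```python
"""Per-source ARP packet rate limit with throttled attack alarms.

Added illustration, not Huawei code: models 'arp speed-limit source-ip maximum N'
(at most N ARP packets per source IP per second, excess discarded) and
'arp anti-attack log-trap-timer T' (at most one log/alarm per T seconds while
drops occur). Timestamps and source IPs below are constructed sample data.
"""
from collections import defaultdict


class ArpRateLimiter:
    def __init__(self, maximum, log_trap_timer):
        self.maximum = maximum              # packets per source IP per second
        self.timer = log_trap_timer         # minimum seconds between alarms
        self.window = {}                    # src_ip -> (second, packets seen in it)
        self.dropped = defaultdict(int)     # src_ip -> discarded packets
        self.alarms = []                    # (time, src_ip, dropped so far)
        self._last_alarm = None

    def receive(self, ts, src_ip):
        """Return True if the packet is processed, False if discarded."""
        second = int(ts)
        start, count = self.window.get(src_ip, (second, 0))
        if start != second:                 # a new one-second window starts
            start, count = second, 0
        if count >= self.maximum:
            self.window[src_ip] = (start, count)
            self.dropped[src_ip] += 1
            self._maybe_alarm(ts, src_ip)
            return False
        self.window[src_ip] = (start, count + 1)
        return True

    def _maybe_alarm(self, ts, src_ip):
        # Excess ARP is treated as a potential attack; alarms are spaced by the timer.
        if self._last_alarm is None or ts - self._last_alarm >= self.timer:
            self._last_alarm = ts
            self.alarms.append((ts, src_ip, self.dropped[src_ip]))


def demo():
    """Constructed flood: 10.1.1.9 sends 8 pps against a 5 pps limit for 3 seconds,
    while 10.1.1.20 sends 1 pps. Returns (drops per source, alarm count)."""
    rl = ArpRateLimiter(maximum=5, log_trap_timer=2)
    for sec in range(3):
        for i in range(8):
            rl.receive(sec + i / 8, "10.1.1.9")
        rl.receive(sec + 0.5, "10.1.1.20")
    return dict(rl.dropped), len(rl.alarms)   # ({'10.1.1.9': 9}, 2)
```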

Verifying the Anti-ARP Flooding Configuration

This section describes how to check the configuration of Address Resolution Protocol (ARP) anti-flooding functions.

Prerequisites

All ARP anti-flooding functions have been configured.

Procedure

  • Run the display arp learning strict command to check the configuration of strict ARP learning.
  • Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to check the configuration of ARP entry limit.
  • Run the display arp speed-limit { destination-ip | source-ip } [ slot slot-id ] command to check the configuration of ARP packet rate limit.
  • Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to check the configuration of ARP Miss message rate limit.
  • Run the display arp-safeguard statistics slot slot-id command to check ARP bidirectional isolation statistics on an interface board.
  • Run the display arp rate-limit interface interface-type interface-number command to check the ARP packet rate limit on an interface.
  • Run the display arp attack interface interface-type interface-number command to check ARP attack information on an interface.
  • Run the display arp attack slot { slot-id | all } command to check ARP attack information on an interface board.

Example

Run the display arp learning strict command to view the configuration of strict ARP learning.

<HUAWEI> display arp learning strict
 The global configuration:
------------------------------------------------------------
 Interface                           LearningStrictState
------------------------------------------------------------
 GigabitEthernet0/1/1                force-enable
 GigabitEthernet0/1/2                force-disable
------------------------------------------------------------
 Total:2
 Force-enable:1
 Force-disable:1

Run the display arp-limit [ interface interface-type interface-number ] [ vlan vlan-id ] command to view the configuration of ARP entry limit.

<HUAWEI> display arp-limit
Interface                    LimitNum        VlanID          LearnedNum
---------------------------------------------------------------------------
 Eth-Trunk0                  100             0                  5
 GigabitEthernet0/3/1        500             0                  20
 GigabitEthernet0/3/2        300             0                  50
 GigabitEthernet0/1/9        500             0                  0
---------------------------------------------------------------------------
Total:4

Run the display arp speed-limit { destination-ip | source-ip } [ slot slot-id ] command to view the configuration of ARP packet rate limit.

<HUAWEI> display arp speed-limit destination-ip slot 1
Slot     SuppressType   SuppressValue
 ---------------------------------------------------
 1        ARP            500

Run the display arp-miss speed-limit source-ip [ slot slot-id ] command to view the configuration of ARP Miss message rate limit.

<HUAWEI> display arp-miss speed-limit source-ip slot 3
Slot     SuppressType   SuppressValue
 ---------------------------------------------------
 30        ARP-miss       500

Run the display arp-safeguard statistics slot slot-id command to view ARP bidirectional isolation statistics on an interface board. For example:

<HUAWEI> display arp-safeguard statistics slot 1
ArpRequest-Count : 23
ArpReply-Count   : 23
ArpToCp-Count    : 23
ArpDrop-Count    : 23

Run the display arp rate-limit interface interface-type interface-number command to view the ARP packet rate limit of an interface. For example:

<HUAWEI> display arp rate-limit interface gigabitethernet 0/1/0
 Interface: GigabitEthernet0/1/0
 arp rate-limit: 20(default-value)

Run the display arp attack interface interface-type interface-number command to view ARP attack information on an interface. For example:

<HUAWEI> display arp attack interface gigabitethernet 0/1/0
The number of ARP attacks is 30.
--------------------------------------
No.1
Interface Name : GigabitEthernet0/1/0
Logic interface: GigabitEthernet0/1/0.1
Vlan-id        : 1
EnableArpCar   : 1 (1:Enable 0:Disable)
Passed         : 1714688 Bytes
                 12608 Packets
Dropped        : 2456738272 Bytes
                 18064252 Packets

Defend  Start Time  : 2017-01-11 11:05
Defend  End   Time  : --
--------------------------------------
......
--------------------------------------
No.30
Interface Name : GigabitEthernet0/1/0
Logic interface: GigabitEthernet0/1/0.1
Vlan-id        : 1
EnableArpCar   : 1 (1:Enable 0:Disable)
Passed         : 6300356 Bytes
                 46312 Packets
Dropped        : 9042546988 Bytes
                 66470246 Packets

Defend  Start Time  : 2017-01-11 11:05
Defend  End   Time  : --
--------------------------------------
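
A small parser for the output above, added here as an example that is not Huawei tooling: it turns each No.N record into a dict, carries the key forward across the two-line Passed/Dropped counters (Bytes, then Packets), and lists the logical interfaces whose ARP CAR is still dropping packets with no defend end time. The SAMPLE capture is constructed to follow the layout shown.

```python
"""Parse 'display arp attack interface' output; flag interfaces still under attack.

Added example, not Huawei tooling: SAMPLE is a constructed two-record capture in the
layout shown above. Passed/Dropped span two lines (Bytes, then Packets)."""
import re

SAMPLE = """\
The number of ARP attacks is 2.
--------------------------------------
No.1
Logic interface: GigabitEthernet0/1/0.1
Vlan-id        : 1
Passed         : 1714688 Bytes
                 12608 Packets
Dropped        : 2456738272 Bytes
                 18064252 Packets
Defend  Start Time  : 2017-01-11 11:05
Defend  End   Time  : --
--------------------------------------
No.2
Logic interface: GigabitEthernet0/1/0.2
Vlan-id        : 2
Passed         : 1000 Bytes
                 10 Packets
Dropped        : 0 Bytes
                 0 Packets
Defend  Start Time  : 2017-01-11 11:05
Defend  End   Time  : 2017-01-11 11:06
--------------------------------------
"""

def parse_arp_attack(text):
    """Return one dict per 'No.N' record, with keys normalised to single spaces."""
    records, rec, last_key = [], None, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("---"):
            continue
        if re.fullmatch(r"No\.\d+", line):
            rec = {"no": int(line[3:])}
            records.append(rec)
        elif rec is None:
            continue                                   # summary line before the first record
        elif ":" in line and not line[0].isdigit():
            key, _, val = line.partition(":")          # first colon; values may contain ':'
            last_key = " ".join(key.split())
            rec[last_key] = val.strip()
        elif last_key and line.endswith("Packets"):    # second line of Passed/Dropped
            rec[last_key + " Packets"] = int(line.split()[0])
    return records

def under_attack(records):
    """Logical interfaces whose ARP CAR is dropping packets and has no defend end time yet."""
    return [r["Logic interface"] for r in records
            if r.get("Dropped Packets", 0) > 0 and r.get("Defend End Time") == "--"]
```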

Run the display arp attack slot all command to view ARP attack information on all interface boards. For example:

<HUAWEI> display arp attack slot all
Port name:    GigabitEthernet0/1/0
QINQ sub-interface:  GigabitEthernet0/1/0.1
ctrl-vlanid: 1
EnableArpCar: 1  (1:enable  0:disable)
Passed:   3289152 Bytes
             51393 Packets
Dropped:  186973696 Bytes
              2921464 Packets

Updated: 2019-01-02

Document ID: EDOC1100055397