NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Configuring Anti-ARP Spoofing

You can configure validity check of ARP packets, ARP packet filtering, and checking of the destination IP addresses of ARP packets. These anti-ARP spoofing mechanisms improve network security and stability.

Usage Scenario

Attackers send forged ARP packets to modify ARP entries on gateways or valid hosts. As a result, traffic that depends on those entries is misdirected or dropped. To protect against ARP spoofing attacks, configure the following anti-ARP spoofing functions:

  • Checking validity of ARP packets: After receiving an ARP packet, the device checks whether the source and destination MAC addresses in the Ethernet header match the sender and target MAC addresses carried in the ARP data field. If they match, the device considers the packet valid and forwards it. If they do not match, the device considers the packet an attack packet and discards it.
  • Filtering ARP packets: The device filters out ARP packets of the selected types: invalid ARP packets, gratuitous ARP packets, and ARP request packets whose target MAC address field is already filled in (not all zeros). Invalid ARP packets are ARP request packets whose destination MAC address is a unicast address, ARP request packets whose source MAC address is not a unicast address, and ARP reply packets whose destination MAC address is not a unicast address. Note that some host stacks send unicast ARP requests to refresh existing neighbor entries, so test the invalid-packet filter on host-facing interfaces before relying on it.
  • Checking the destination IP addresses of ARP packets: The device checks the destination IP address of each received ARP packet and discards packets with an incorrect destination address before they reach the CPU, which reduces the CPU load caused by ARP floods.

Pre-configuration Tasks

Before configuring anti-ARP spoofing, complete the following tasks:
  • Configure the physical parameters of the interface and ensure that its physical layer status is Up.
  • Configure the link layer parameters of the interface and ensure that its link layer protocol status is Up.
  • Enable DHCP snooping.

Configuration Procedures

Perform one or more of the following configurations.

Figure 3-1 Flowchart for configuring anti-ARP spoofing

Validity Check of ARP Packets

After validity check of Address Resolution Protocol (ARP) packets is enabled on an interface, the device checks each ARP packet received on that interface: the source and destination MAC addresses in the Ethernet header must match the sender and target MAC addresses in the ARP data field. Packets that fail the check are discarded.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run arp validate { destination-mac source-mac | source-mac destination-mac }

    Validity check of ARP packets is enabled.

  4. Run commit

    The configuration is committed.

Filtering ARP Packets

This section describes how to filter out ARP packets of selected types: invalid ARP packets, gratuitous ARP packets, and ARP request packets whose target MAC address field is already filled in.

Context

Perform the following steps on the router to filter out ARP packets on its interfaces.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number [sub-interface-number]

    The interface view is displayed.

  3. Run arp filter { gratuitous | mac-illegal | tha-filled-request }

    The interface is configured to filter out the specified types of ARP packets.

    NOTE:
    Select the keywords according to the actual situation. The NE20E can filter out the following ARP packets:
    • mac-illegal: invalid ARP packets (packets with an illegal source or destination MAC address, as defined in Usage Scenario)
    • gratuitous: gratuitous ARP packets
    • tha-filled-request: ARP request packets whose target MAC address field is not all zeros

  4. Run commit

    The configuration is committed.

Checking the Destination IP Addresses of ARP Packets

This section describes how to check the destination IP addresses of ARP packets so that packets with incorrect destination addresses are discarded before they reach the CPU, which protects the CPU.

Context

Perform the following steps on the router whose ARP entries need to be protected from attack.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run arp check-destination-ip enable

    The check of the destination IP address of ARP packets is enabled.

    The arp check-destination-ip enable command protects the CPU. After it is run, the device checks whether the destination IP address of each ARP packet received on the interface is correct. Packets with a correct destination IP address are sent to the CPU; all other packets are discarded.

  4. Run commit

    The configuration is committed.
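To make the three checks concrete, the following Python model applies them to raw Ethernet/ARP frames. It is an added illustration, not the NE20E's own implementation and not Huawei code: the frames are constructed inline, the order in which the checks run is a modeling choice, and the destination-IP check is modeled as "the target IP must belong to the receiving interface", which is an assumption about what the guide means by a correct destination address. The target-MAC comparison of arp validate is applied only to replies, because a broadcast request legitimately carries an all-zero target MAC.

```python
"""Modeled anti-ARP-spoofing checks over raw Ethernet/ARP frames.

Added illustration, not the NE20E's own code. It applies the three checks this
page describes (arp validate, arp filter, arp check-destination-ip) to frames
constructed below. Check order and the meaning of a 'correct' destination IP
are assumptions, marked in the comments.
"""
import struct
from socket import inet_aton

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

def build_arp_frame(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Ethernet II header + IPv4-over-Ethernet ARP body (28 bytes)."""
    eth = struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      sha, inet_aton(spa), tha, inet_aton(tpa))
    return eth + arp

def parse_arp_frame(frame):
    """Split a frame into Ethernet header fields and ARP body fields."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is modeled")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "oper": oper,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def is_unicast(mac):
    """The I/G bit (bit 0 of the first octet) is 0 for a unicast address."""
    return not (mac[0] & 0x01)

def check_validity(p, source_mac=True, destination_mac=True):
    """arp validate: header MACs must agree with the sender/target MACs in
    the ARP body. The target comparison is applied to replies only, because a
    broadcast request legitimately carries an all-zero target MAC (assumption)."""
    if source_mac and p["eth_src"] != p["sha"]:
        return "validate: source MAC mismatch"
    if destination_mac and p["oper"] == ARP_REPLY and p["eth_dst"] != p["tha"]:
        return "validate: destination MAC mismatch"
    return None

def check_filter(p, gratuitous=True, mac_illegal=True, tha_filled_request=True):
    """arp filter: the three packet classes named by the command keywords."""
    if gratuitous and p["spa"] == p["tpa"]:
        return "filter: gratuitous ARP"
    if mac_illegal:
        if p["oper"] == ARP_REQUEST and is_unicast(p["eth_dst"]):
            return "filter: request with unicast destination MAC"
        if p["oper"] == ARP_REQUEST and not is_unicast(p["eth_src"]):
            return "filter: request with non-unicast source MAC"
        if p["oper"] == ARP_REPLY and not is_unicast(p["eth_dst"]):
            return "filter: reply with non-unicast destination MAC"
    if tha_filled_request and p["oper"] == ARP_REQUEST and p["tha"] != ZERO_MAC:
        return "filter: request with non-zero target MAC"
    return None

def check_destination_ip(p, interface_ips):
    """arp check-destination-ip: modeled as 'target IP must belong to the
    receiving interface', so the CPU only sees ARP aimed at this device."""
    if p["tpa"] not in interface_ips:
        return "check-destination-ip: target IP not owned by this interface"
    return None

def evaluate(frame, interface_ips):
    """Return 'pass' or the first failing check (the order is a modeling choice)."""
    p = parse_arp_frame(frame)
    for reason in (check_validity(p), check_filter(p),
                   check_destination_ip(p, interface_ips)):
        if reason:
            return reason
    return "pass"

# Constructed sample traffic arriving on a gateway interface that owns 10.0.0.1.
GW_MAC = bytes.fromhex("001122aabb01")
HOST_MAC = bytes.fromhex("001122aabb10")
ATTACKER_MAC = bytes.fromhex("001122aabbee")
GW_IPS = frozenset({inet_aton("10.0.0.1")})

LEGIT_REQUEST = build_arp_frame(BROADCAST, HOST_MAC, ARP_REQUEST,
                                HOST_MAC, "10.0.0.10", ZERO_MAC, "10.0.0.1")
# Reply whose ARP sender MAC (the host's) disagrees with the frame source MAC.
SPOOFED_REPLY = build_arp_frame(GW_MAC, ATTACKER_MAC, ARP_REPLY,
                                HOST_MAC, "10.0.0.10", GW_MAC, "10.0.0.1")
# Broadcast gratuitous reply that claims the gateway's own address.
GRATUITOUS_REPLY = build_arp_frame(BROADCAST, ATTACKER_MAC, ARP_REPLY,
                                   ATTACKER_MAC, "10.0.0.1", BROADCAST, "10.0.0.1")
# Request for another host on the segment, not for the gateway itself.
OTHER_HOST_REQUEST = build_arp_frame(BROADCAST, HOST_MAC, ARP_REQUEST,
                                     HOST_MAC, "10.0.0.10", ZERO_MAC, "10.0.0.20")
```

Calling evaluate(frame, GW_IPS) on the four constructed frames yields "pass" for the legitimate broadcast request, a validate failure for the reply whose Ethernet source MAC disagrees with the ARP sender MAC, a filter hit for the gratuitous reply, and a check-destination-ip failure for the request aimed at another host. Each check function takes keyword flags mirroring the command keywords, so the effect of enabling only some of them on an interface can be tried per frame.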

Verifying the Anti-ARP Spoofing Configuration

Check the configurations of Address Resolution Protocol (ARP) anti-spoofing functions.

Prerequisites

All ARP anti-spoofing functions are configured.

Procedure

  • Run the display arp packet statistics command to display statistics about Address Resolution Protocol (ARP) packets.
  • Run the display arp-check { check-destination-ip | check-valid } statistics slot slot-id command to display statistics about discarded invalid ARP packets on a specific interface board.

Example

Run the display arp packet statistics command to display statistics about ARP packets.
<HUAWEI> display arp packet statistics
ARP Pkt Received:   sum  69278
ARP-Miss Msg Received:   sum      0
ARP Learnt Count:   sum      0
ARP Pkt Discard For Limit:   sum      0
ARP Pkt Discard For SpeedLimit:   sum      0
ARP Pkt Discard For Proxy Suppress:   sum      0
ARP Pkt Discard For Other:   sum  69278
ARP-Miss Msg Discard For SpeedLimit:   sum      0
ARP-Miss Msg Discard For Other:   sum      0
ARP Pkt Send Total:   sum    304
ARP Pkt Send Request:   sum    304
ARP Pkt Send Reply:   sum      0
ARP Pkt Send Gratuitous ARP:   sum    304
In this sample output, every received ARP packet (69278) was counted under ARP Pkt Discard For Other. Compare that counter with the per-slot display arp-check statistics to see whether the anti-spoofing checks account for the drops.
Run the display arp-check { check-destination-ip | check-valid } statistics slot slot-id command to display statistics about discarded invalid ARP packets on a specific interface board.
<HUAWEI> display arp-check check-destination-ip statistics slot 1
slot              Attack-Type   Total-Packets  Passed-Packets Dropped-Packets
---------------------------------------------------------------
1        check-destination-ip               0               0               0
---------------------------------------------------------------
Updated: 2019-01-02

Document ID: EDOC1100055397