Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
ARP Entry Fixing

As shown in Figure 10-3, an attacker poses as UserA to send a bogus ARP packet to the gateway. The gateway then records an incorrect ARP entry for UserA. As a result, UserA cannot communicate with the gateway.

Figure 10-3 ARP gateway spoofing attack

To defend against ARP gateway spoofing attacks, configure the ARP entry fixing function on the gateway. After a gateway with this function enabled learns an ARP entry for the first time, it no longer replaces that entry on the basis of a received ARP packet alone: depending on the mode, it discards the packet, updates only part of the entry, or sends a unicast ARP Request packet to check the validity of the ARP packet before updating the entry.

The device supports three ARP entry fixing modes, as described in Table 10-3.

Table 10-3 ARP entry fixing modes

fixed-all: When receiving an ARP packet, the device discards the packet if the MAC address, interface number, or VLAN ID does not match the corresponding ARP entry. This mode applies to networks where user MAC addresses and user access locations are fixed.

fixed-mac: When receiving an ARP packet, the device discards the packet if the MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address matches but the interface number or VLAN ID does not, the device updates the interface number or VLAN ID in the ARP entry. This mode applies to networks where user MAC addresses are unchanged but user access locations often change.

send-ack: When the device receives ARP packet A with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user.
  • If the device receives ARP Reply packet B within 3 seconds, and the IP address, MAC address, interface number, and VLAN ID of the ARP entry are the same as those in ARP Reply packet B, the device considers ARP packet A to be an attack packet and does not update the ARP entry.
  • If the device does not receive an ARP Reply packet within 3 seconds, or the IP address, MAC address, interface number, and VLAN ID of the ARP entry differ from those in ARP Reply packet B, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address again.
    • If the device receives ARP Reply packet C within 3 seconds, and the IP address, MAC address, interface number, and VLAN ID of ARP packet A are the same as those in ARP Reply packet C, the device considers ARP packet A to be a valid packet and updates the ARP entry based on ARP packet A.
    • If the device does not receive an ARP Reply packet within 3 seconds, or the IP address, MAC address, interface number, and VLAN ID of ARP packet A differ from those in ARP Reply packet C, the device considers ARP packet A to be an attack packet and does not update the ARP entry.
This mode applies to networks where user MAC addresses and user access locations often change.
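As an added illustration (not code from the Huawei documentation), the following Python models the three fixing modes of Table 10-3 as decision functions over a gateway ARP entry, including the two-round unicast probe of send-ack. The ARP entry fields, MAC addresses, interface names and the scripted probe replies are constructed sample values.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

@dataclass(frozen=True)
class Arp:
    # Gateway ARP entry; a received ARP packet or ARP Reply carries the same fields.
    ip: str
    mac: str
    interface: str
    vlan: int

    def where(self) -> Tuple[str, str, int]:
        return (self.mac, self.interface, self.vlan)

def fixed_all(entry: Arp, pkt: Arp) -> Tuple[Arp, str]:
    # fixed-all: any mismatch of MAC, interface number or VLAN ID discards the packet.
    return (entry, "accept") if pkt.where() == entry.where() else (entry, "discard")

def fixed_mac(entry: Arp, pkt: Arp) -> Tuple[Arp, str]:
    # fixed-mac: MAC must match; a changed interface/VLAN is written into the entry.
    if pkt.mac != entry.mac:
        return entry, "discard"
    if (pkt.interface, pkt.vlan) != (entry.interface, entry.vlan):
        return Arp(entry.ip, entry.mac, pkt.interface, pkt.vlan), "update-location"
    return entry, "accept"

def send_ack(entry: Arp, pkt_a: Arp, probe: Callable[[Arp], Optional[Arp]]) -> Tuple[Arp, str]:
    # send-ack: on a changed MAC/interface/VLAN, unicast an ARP Request to the IP at the
    # ORIGINAL MAC. probe() returns the reply, or None for "no reply within 3 seconds".
    if pkt_a.where() == entry.where():
        return entry, "accept"
    if probe(entry) == entry:        # Reply B matches the entry: the real owner is still
        return entry, "discard"      # there, so packet A is treated as an attack
    if probe(entry) == pkt_a:        # Reply C matches packet A: legitimate change
        return pkt_a, "update"
    return entry, "discard"          # no reply or mismatch again: attack

def scripted(replies: Iterable[Optional[Arp]]) -> Callable[[Arp], Optional[Arp]]:
    it = iter(replies)               # constructed stub feeding the two probes in order
    return lambda _entry: next(it, None)

def demo() -> dict:
    user_a = Arp("10.1.1.2", "0001-0203-0405", "10GE1/0/1", 10)  # constructed UserA entry
    bogus = Arp("10.1.1.2", "0001-0203-9999", "10GE1/0/5", 10)   # attacker posing as UserA
    moved = Arp("10.1.1.2", "0001-0203-0405", "10GE1/0/7", 10)   # UserA re-patched to another port
    return {
        "fixed_all_bogus": fixed_all(user_a, bogus)[1],
        "fixed_mac_moved": fixed_mac(user_a, moved)[1],
        "send_ack_spoof": send_ack(user_a, bogus, scripted([user_a]))[1],
        "send_ack_moved": send_ack(user_a, moved, scripted([None, moved]))[1],
    }
```

In the spoof case the original owner answers the first probe, so the bogus packet is dropped; in the move case the first probe times out and the second reply confirms the new location, so the entry is updated.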

Updated: 2019-04-20

Document ID: EDOC1100074765

Views: 18180

Downloads: 60

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next