Example for Configuring ARP Security Functions

CloudEngine 12800 and 12800E V200R005C10 Configuration Guide - Security

This document describes the configurations of Security, including AAA, 802.1x Authentication, ACL, TCAM ACL Customization, local attack defense, Microsegmentation, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, MACsec, DHCP snooping, IPSG, URPF, SSL, Keychain and FIPS.

About This Document
AAA Configuration
- Overview of AAA
- Understanding AAA
- Application Scenarios for AAA
- Licensing Requirements and Limitations for AAA
- Summary of AAA Configuration Tasks
- Configuring Local Authentication and Authorization
- Configuring RADIUS AAA
- Configuring HWTACACS AAA
- Clearing AAA Statistics
- Configuration Examples for AAA
  - Example for Configuring RADIUS Authentication and Accounting
  - Example for Configuring HWTACACS Authentication, Accounting, and Authorization
- Troubleshooting AAA
  - An AAA Local User Cannot Be Created Due to Incorrect Password Setting
802.1x Authentication Configuration
- Understanding 802.1x Authentication
- Application Scenarios for 802.1x Authentication
- Licensing Requirements and Limitations for 802.1x Authentication
- Default Settings for 802.1x Authentication
- Configuring 802.1x Authentication
- Maintaining 802.1x Authentication
  - Clearing Statistics on 802.1x Authentication Packets
  - Forcing Users Offline
- Configuration Examples for 802.1x Authentication
  - Example for Configuring 802.1x Authentication to Control Users' Internal Access
ACL Configuration
- Overview of ACLs
- Understanding ACLs
- Application Scenarios for ACLs
- Licensing Requirements and Limitations for ACLs
- Default Settings for ACLs
- Configuring a Basic ACL
- Configuring an Advanced ACL
- Configuring a Layer 2 ACL
- Configuring a User-defined ACL
- Configuring an ARP-based ACL
- Configuring a Basic ACL6
- Configuring an Advanced ACL6
- Maintaining an ACL
  - Clearing ACL Statistics
  - Checking ACL Resource Usages
- Configuration Examples for ACLs
- ACL FAQ
  - Which Packets Cannot Be Filtered by the ACL Used by a Traffic Policy?
TCAM ACL Customization Configuration
- Overview of TCAM ACL Customization
- Licensing Requirements and Limitations for TCAM ACL Customization
- Configuring TCAM ACL Customization
  - Enabling TCAM ACL Customization
  - Configuring the TCAM ACL Customization Function for Services
- Displaying Information about a TCAM ACL Customization Profile or Preset Profile
- Configuration Examples for TCAM ACL Customization
  - Example for Configuring TCAM ACL Customization
Microsegmentation Configuration
- Overview of Microsegmentation
- Understanding Microsegmentation
- Application Scenarios for Microsegmentation
- Licensing Requirements and Limitations for Microsegmentation
- Configuring Microsegmentation
- Maintaining Microsegmentation
  - Checking Microsegmentation Statistics
  - Clearing Microsegmentation Statistics
- Configuration Examples for Microsegmentation
  - Example for Configuring IP Address-based Microsegmentation
Local Attack Defense Configuration
- Overview of Local Attack Defense
- Licensing Requirements and Limitations for Local Attack Defense
- Default Settings for Local Attack Defense
- Configuring CPU Attack Defense
- Configuring Attack Source Tracing
- Maintaining Local Attack Defense
- Configuration Examples for Local Attack Defense
  - Example for Configuring Local Attack Defense
- Troubleshooting Local Attack Defense
MFF Configuration
- Overview of MFF
- Understanding MFF
- Application Scenarios for MFF
- Licensing Requirements and Limitations for MFF
- Configuring MFF
- Configuration Examples for MFF
  - Example for Configuring MFF to Implement Layer 2 Isolation and Layer 3 Connection
- Troubleshooting MFF
  - Users Fail to Access the Internet After MFF Is Configured
Attack Defense Configuration
- Overview of Attack Defense
- Understanding Attack Defense
- Application Scenarios for Attack Defense
- Licensing Requirements and Limitations for Attack Defense
- Default Settings for Attack Defense
- Configuring Defense Against Malformed Packet Attacks
- Configuring Defense Against Packet Fragment Attacks
- Configuring Defense Against Flood Attacks
- Clearing Attack Defense Statistics
- Configuration Examples for Attack Defense
  - Example for Configuring Attack Defense
Traffic Suppression and Storm Control Configuration
- Overview of Traffic Suppression and Storm Control
- Understanding Traffic Suppression and Storm Control
  - Traffic Suppression
  - Storm Control
- Application Scenarios for Traffic Suppression and Storm Control
  - Traffic Suppression
  - Storm Control
- Licensing Requirements and Limitations for Traffic Suppression and Storm Control
- Default Settings for Traffic Suppression and Storm Control
- Configuring Traffic Suppression
- Configuring Storm Control
- Configuration Examples for Traffic Suppression and Storm Control
  - Example for Configuring Traffic Suppression
  - Example for Configuring Storm Control
ARP Security Configuration
- Overview of ARP Security
- Understanding ARP Security
- Application Scenarios for ARP Security
  - Defense Against ARP Flood Attacks
  - Defense Against ARP Spoofing Attacks
- Licensing Requirements and Limitations for ARP Security
- Default Settings for ARP Security
- Configuring Defense Against ARP Flood Attacks
- Configuring Defense Against ARP Spoofing Attacks
- Maintaining ARP Security
- Configuration Examples for ARP Security
  - Example for Configuring ARP Security Functions
  - Example for Configuring Defense Against ARP MITM Attacks
Port Security Configuration
- Overview of Port Security
- Understanding Port Security
- Application Scenarios for Port Security
- Licensing Requirements and Limitations for Port Security
- Default Settings for Port Security
- Configuring Port Security
- Configuration Examples for Port Security
  - Example for Configuring Port Security
MACsec Configuration
- Overview of MACsec
- Understanding MACsec
- Application Scenarios for MACsec
- Default Configuration
- Licensing Requirements and Limitations for MACsec
- Configuring MACsec
- Maintaining MACsec
  - Displaying MACsec Statistics
  - Clearing MACsec Statistics
- Configuration Examples for MACsec
  - Example for Configuring Point-to-Point MACsec
DHCP Snooping Configuration
- Overview of DHCP Snooping
- Understanding DHCP Snooping
  - DHCP Snooping Fundamentals
  - Option 82 Supported by DHCP Snooping
- Application Scenarios for DHCP Snooping
- Licensing Requirements and Limitations for DHCP Snooping
- Default Settings for DHCP Snooping
- Configuring Basic Functions of DHCP Snooping
- Configuring DHCP Snooping Attack Defense
- Inserting the Option 82 Field in a DHCP Message
- Maintaining DHCP Snooping
- Configuration Examples for DHCP Snooping
  - Example for Configuring DHCP Snooping Attack Defense
- Troubleshooting DHCP Snooping
  - DHCP Clients Cannot Go Online Due to DHCP Snooping
IPSG Configuration
- Overview of IPSG
- Licensing Requirements and Limitations for IPSG
- Default Settings for IPSG
- Configuring IPSG
- Maintaining IPSG
  - Checking Statistics on Discarded IP Packets
  - Clearing Statistics on Discarded IP Packets
- Configuration Examples for IPSG
  - Example for Configuring IPSG to Check Interface + IP + MAC Binding Entries
URPF Configuration
- Overview of URPF
- Understanding URPF
- Application Scenarios for URPF
- Licensing Requirements and Limitations for URPF
- Default Settings for URPF
- Configuring URPF
- Configuration Examples for URPF
  - Example for Configuring URPF (CE12800)
  - Example for Configuring URPF (CE12800E)
SSL Configuration
- Overview of SSL
- Understanding SSL
- Application Scenarios for SSL
  - Application of SSL in Information Center
- Licensing Requirements and Limitations for SSL
- Configuring SSL
  - Configuring an SSL Policy
  - Applying an SSL Policy
- Configuration Examples for SSL
  - Example for Outputting SSL-Encrypted Logs to a Log Host
Keychain Configuration
- Overview of Keychains
- Understanding Keychains
- Application Scenarios for Keychains
- Licensing Requirements and Limitations for Keychain
- Configuring a Keychain
- Configuration Examples for Keychains
  - Example for Applying the Keychain to RIP
  - Example for Applying the Keychain to BGP
FIPS Configuration
- Overview of FIPS
- Configuring the FIPS Mode
Separating the Management Port from the Service Plane
Checking Security Risks
Setting the System Master Key

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Example for Configuring ARP Security Functions

Networking Requirements

As shown in Figure 10-8, the switch connects to a server through 10GE1/0/3 and connects to four users in VLAN 10 and VLAN 20 through 10GE1/0/1 and 10GE1/0/2. The following ARP threats exist on the network:

Attackers send bogus ARP packets or bogus gratuitous ARP packets to the switch. ARP entries on the switch are modified, leading to packet sending and receiving failures.
Attackers send a large number of IP packets with unresolvable destination IP addresses to the switch, leading to CPU overload.
User1 sends a large number of ARP packets with fixed MAC addresses but variable source IP addresses to the switch. As a result, ARP entries on the switch are exhausted and the CPU cannot process other services.
User3 sends a large number of ARP packets with fixed source IP addresses to the switch. As a result, the CPU of the switch is insufficient to process other services.

The administrator wants to prevent the preceding ARP attacks and provide users with stable services on a secure network.

Figure 10-8 Networking for configuring ARP security functions

Configuration Roadmap

The configuration roadmap is as follows:

Configure strict ARP learning and ARP entry fixing to prevent ARP entries from being modified by bogus ARP packets.
Configure gratuitous ARP packets discarding to prevent ARP entries from being modified by bogus gratuitous ARP packets.
Configure rate limiting on ARP Miss messages based on source IP addresses. This function defends against attacks from ARP Miss messages triggered by a large number of IP packets with unresolvable IP addresses. At the same time, the switch must have the capability to process a large number of ARP Miss packets from the server to ensure network communication.
Configure ARP entry limiting and rate limiting on ARP packets based on source MAC addresses. These functions defend against ARP flood attacks caused by a large number of ARP packets with fixed MAC addresses but variable IP addresses and prevent ARP entries from being exhausted and CPU overload.
Configure rate limiting on ARP packets based on source IP addresses. This function defends against ARP flood attacks from User3 with a fixed IP address and prevents CPU overload.

Procedure

Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.

# Create VLAN 10, VLAN 20, and VLAN 30, add 10GE1/0/1 to VLAN 10, 10GE1/0/2 to VLAN 20, and 10GE1/0/3 to VLAN 30.

<HUAWEI> system-view
[~HUAWEI] sysname Switch
[*HUAWEI] commit
[~Switch] vlan batch 10 20 30
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] port link-type trunk
[*Switch-10GE1/0/1] port trunk allow-pass vlan 10
[*Switch-10GE1/0/1] quit
[*Switch] interface 10ge 1/0/2
[*Switch-10GE1/0/2] port link-type trunk
[*Switch-10GE1/0/2] port trunk allow-pass vlan 20
[*Switch-10GE1/0/2] quit
[*Switch] interface 10ge 1/0/3
[*Switch-10GE1/0/3] port link-type trunk
[*Switch-10GE1/0/3] port trunk allow-pass vlan 30
[*Switch-10GE1/0/3] quit

# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.

[*Switch] interface vlanif 10
[*Switch-Vlanif10] ip address 10.8.8.4 24
[*Switch-Vlanif10] quit
[*Switch] interface vlanif 20
[*Switch-Vlanif20] ip address 10.9.9.4 24
[*Switch-Vlanif20] quit
[*Switch] interface vlanif 30
[*Switch-Vlanif30] ip address 10.10.10.3 24
[*Switch-Vlanif30] quit

Configure strict ARP learning.
```
[*Switch] arp learning strict
```
Configure ARP entry fixing.
# Set the ARP entry fixing mode to fixed-mac.
```
[*Switch] arp anti-attack entry-check fixed-mac enable
```

Configure gratuitous ARP packet discarding.

[*Switch] arp anti-attack gratuitous-arp drop

Configure rate limiting on ARP Miss messages based on source IP addresses.
# Set the maximum rate of ARP Miss messages triggered by the server with the IP address 10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss messages triggered by other user hosts to 20 pps.
```
[*Switch] arp miss anti-attack rate-limit source-ip maximum 20
[*Switch] arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
```
Configure interface-based ARP entry limiting.
# Configure that 10GE1/0/1 can dynamically learn a maximum of 20 ARP entries.
```
[*Switch] interface 10ge 1/0/1
[*Switch-10GE1/0/1] arp limit vlan 10 20
[*Switch-10GE1/0/1] quit
```
Configure rate limiting on ARP packets based on source MAC addresses.
# Set the maximum rate of ARP packets from User1 with the source MAC address 1-1-1 to 10 pps.
```
[*Switch] arp anti-attack rate-limit source-mac 1-1-1 maximum 10
```
Configure rate limiting on ARP packets based on source IP addresses.
# Set the maximum rate of ARP packets from User3 with the source IP address 10.9.9.2 to 10 pps.
```
[*Switch] arp anti-attack rate-limit source-ip 10.9.9.2 maximum 10
[*Switch] commit
[~Switch] quit
```

Verify the configuration.

# Run the display arp learning strict command to check the global configuration of strict ARP entry learning.

<Switch> display arp learning strict
 The global arp learning strict state:enable                                                                                       
 Interface                           LearningStrictState                                                                            
------------------------------------------------------------                                                                        
------------------------------------------------------------                                                                        
 Total:0      Force-enable:0      Force-disable:0

# Run the display arp limit command to check the maximum number of ARP entries that the interface can dynamically learn.

<Switch> display arp limit interface 10ge 1/0/1
 Interface                         VLAN       Limit      Learnt                                                                     
---------------------------------------------------------------------------                                                         
 10GE1/0/1                           10          20           0                                                                     
---------------------------------------------------------------------------                                                         
 Total:1

# Run the display arp anti-attack rate-limit command to check the configuration of ARP anti-attack.

<Switch> display arp anti-attack rate-limit
Global ARP packet rate limit (pps)        : --                                                                                      
Suppress Rate of each destination IP (pps): 500
                                                                                                                                    
Total number of rate-limit configuration for source IP Address : 1                                                                  
Source IP          Suppress Rate(pps)                                                                                               
-------------------------------------------------------------------------------                                                     
10.9.9.2                      10                                     
-------------------------------------------------------------------------------                                                     
                                                                                                                                    
Total number of rate-limit configuration for MAC Address : 1                                                                        
Source MAC         Suppress Rate(pps)                                                                                               
-------------------------------------------------------------------------------                                                     
0001-0001-0001               10                                                                                                
Other                             30  
-------------------------------------------------------------------------------

# Run the display arp anti-attack entry-check command to check the configuration of fixed ARP modes.

<Switch> display arp anti-attack entry-check
Interface      Mode                                                                
------------------------------------------------------------------------------- 
  All        fix-mac                                                            
-------------------------------------------------------------------------------

# Run the display arp miss anti-attack rate-limit command to check the configuration of ARP Miss anti-attack.

<Switch> display arp miss anti-attack rate-limit
Global ARP miss rate limit (pps)          : 3000
                                                                                                                                    
Total number of rate-limit configuration for source IP Address : 1                                                                  
Source IP          Suppress Rate(pps)                                                                                               
-------------------------------------------------------------------------------                                                     
10.10.10.2/32                     40                                                                                                
Other                             20                                                                                                
-------------------------------------------------------------------------------

# Run the display arp packet statistics command to check statistics on ARP-based packets.

<Switch> display arp packet statistics
ARP Packets Received
  Total:                       90402
  Learnt Count:                   37
  Discard For Entry Limit:       146
  Discard For Speed Limit:     40529
  Discard For Proxy Suppress:      0
  Discard For Other:         8367601
ARP Packets Sent 
  Total:                        6447
  Request:                      6341
  Reply:                         106
  Gratuitous ARP:                  0
ARP-Miss Message Received
  Total:                          12
  Discard For Speed Limit:       194
  Discard For Other:             238

In the preceding command output, the numbers of ARP packets and ARP Miss messages discarded by the switch are displayed, indicating that the ARP security functions have taken effect.

Configuration File

# Configuration file of the Switch

#
sysname Switch
#
vlan batch 10 20 30
#
arp miss anti-attack rate-limit source-ip maximum 20                                       
arp anti-attack rate-limit source-ip 10.9.9.2 maximum 10                                    
arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40                            
arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10                            
arp learning strict                                                             
arp anti-attack entry-check fixed-mac enable                                    
arp anti-attack gratuitous-arp drop                              
#
interface Vlanif10                                                             
 ip address 10.8.8.4 255.255.255.0                                                 
#                    
interface Vlanif20                                                             
 ip address 10.9.9.4 255.255.255.0                                                 
#
interface Vlanif30                                                             
 ip address 10.10.10.3 255.255.255.0                                                 
#
interface 10GE1/0/1
 port link-type trunk                                                           
 port trunk allow-pass vlan 10                                                  
 arp limit vlan 10 20
 
#
interface 10GE1/0/2
 port link-type trunk                                                           
 port trunk allow-pass vlan 20                                                  
#
interface 10GE1/0/3
 port link-type trunk                                                           
 port trunk allow-pass vlan 30                                                  
#
return

Translation

简体中文

Download

Updated: 2021-09-17

Document ID: EDOC1100075347

Downloads: 100

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate