Example for Configuring Static ARP
Networking Requirements
As shown in Figure 2-11, a router connects the departments of a company, and each department belongs to a different VLAN. Hosts in the headquarters office and the file backup server use manually configured IP addresses, while hosts in the departments obtain IP addresses dynamically through DHCP. Hosts in the marketing department can access the Internet and are often attacked by ARP packets. Attackers attack the router and modify dynamic ARP entries on the router. As a result, communication between hosts in the headquarters office and external devices is interrupted, and hosts in the departments fail to access the file backup server. The company requires that static ARP entries be configured on the router so that hosts in the headquarters office can communicate with external devices and hosts in the departments can access the file backup server.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure static ARP entries for hosts in the headquarters office on the router to prevent the ARP entries of these hosts from being modified by ARP attack packets.
- Configure a static ARP entry for the file backup server on the router to prevent the ARP entry of the file backup server from being modified by ARP attack packets.
Procedure
- Configure static ARP entries for the hosts in the headquarters office on the router.
# Create VLAN 10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit
# Add Ethernet2/0/0 to VLAN 10.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port hybrid tagged vlan 10
[Router-Ethernet2/0/0] quit
# Configure an IP address for VLANIF 10.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.164.1.20 255.255.255.0
[Router-Vlanif10] quit
# Configure static ARP entries for the hosts in the headquarters office. PC A is used as an example: its IP address 10.164.1.1 maps to the MAC address 00e0-fc01-0001, the VLAN ID is 10, and the outbound interface is Ethernet2/0/0.
[Router] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface ethernet 2/0/0
# Configure static ARP entries for other hosts in the headquarters office. The configuration method is similar to that of PC A.
- Configure a static ARP entry for the file backup server on the router.
# Configure an IP address for GE3/0/0.
[Router] interface gigabitethernet 3/0/0
[Router-GigabitEthernet3/0/0] ip address 10.164.10.10 255.255.255.0
[Router-GigabitEthernet3/0/0] quit
# Configure a static ARP entry for the file backup server. The IP address 10.164.10.1/24 maps to the MAC address 00e0-fc01-003a.
[Router] arp static 10.164.10.1 00e0-fc01-003a
[Router] quit
- Verify the configuration.
# Run the display current-configuration command to view static ARP entries.
<Router> display current-configuration | include arp
 arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
 arp static 10.164.10.1 00e0-fc01-003a
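The procedure configures PC A by hand and states that the other headquarters hosts are configured the same way. The following Python code is an added example, not part of the original documentation: it renders arp static lines in the syntax shown on this page from a host inventory and audits the display current-configuration | include arp output against that inventory. The inventory structure, the function names and the second host (10.164.1.2) are assumptions made for illustration.

```python
import ipaddress
import re

# Inventory is an assumed structure. PC A and the file backup server use the
# page's values; the second host (10.164.1.2) is constructed for illustration.
INVENTORY = [
    {"ip": "10.164.1.1", "mac": "00e0-fc01-0001", "vid": 10, "interface": "Ethernet 2/0/0"},
    {"ip": "10.164.1.2", "mac": "00:E0:FC:01:00:02", "vid": 10, "interface": "Ethernet 2/0/0"},
    {"ip": "10.164.10.1", "mac": "00e0-fc01-003a"},
]

# Output of "display current-configuration | include arp" as shown on the page.
PAGE_OUTPUT = """\
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
arp static 10.164.10.1 00e0-fc01-003a
"""

def huawei_mac(mac):
    """Normalise a MAC to the H-H-H form used on the page; reject non-unicast."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    if int(digits[:2], 16) & 1:  # group bit set: multicast or broadcast
        raise ValueError(f"not a unicast MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))

def arp_static_line(entry):
    """Render one entry in the 'arp static' syntax shown on the page."""
    ip = ipaddress.IPv4Address(entry["ip"])  # raises ValueError on a bad address
    line = f"arp static {ip} {huawei_mac(entry['mac'])}"
    if "vid" in entry:  # VLAN-bound entry, as for PC A
        line += f" vid {entry['vid']} interface {entry['interface']}"
    return line

def audit(config_text, inventory):
    """Compare 'arp static' lines in the router output with the inventory."""
    expected = {e["ip"]: arp_static_line(e).lower() for e in inventory}
    found = {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if parts[:2] == ["arp", "static"] and len(parts) >= 4:
            found[parts[2]] = " ".join(parts).lower()
    return {
        "missing": sorted(ip for ip in expected if ip not in found),
        "mismatched": sorted(ip for ip in expected if found.get(ip, expected[ip]) != expected[ip]),
        "unexpected": sorted(ip for ip in found if ip not in expected),
    }

if __name__ == "__main__":
    print("\n".join(arp_static_line(e) for e in INVENTORY))
    print(audit(PAGE_OUTPUT, INVENTORY))
```

A host reported as missing still relies on a dynamic ARP entry, and a mismatched or unexpected entry means the router configuration and the inventory disagree and one of them needs correcting.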
Configuration Files
Router configuration file
#
 sysname Router
#
 vlan batch 10 20 30
#
interface Ethernet2/0/0
 port hybrid tagged vlan 10
#
interface Vlanif10
 ip address 10.164.1.20 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 10.164.10.10 255.255.255.0
#
 arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface Ethernet 2/0/0
 arp static 10.164.10.1 00e0-fc01-003a
#
return