Can Static ARP Implement Binding of IP Addresses and MAC Addresses

NetEngine AR V300R019 CLI-based Configuration Guide - IP Service

Rate and give feedback:

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

Static ARP can implement binding of IP addresses and MAC addresses to prevent ARP entries from being updated by the pseudo ARP packets sent by attackers. However, even if static ARP is configured, the users who change IP addresses without permission can still access external networks. To address this problem, you must configure IP source guard (IPSG).

Dynamic ARP inspection (DAI) can also implement binding of IP addresses and MAC addresses. The application scenarios for static ARP, IPSG, and DAI are different. For details, see Table 2-5. You can deploy these functions according to service requirements.

Table 2-5 Differences among static ARP, IPSG, and DAI

Function	Scenario	Implementation
Static ARP	Static ARP entries apply to the following scenarios: Networks with important devices such as servers: Network attackers cannot update the ARP entries containing IP addresses of important devices on the router using ARP attack packets, ensuring communication between users and important devices. Networks on which MAC addresses of user devices are multicast MAC addresses: By default, a device does not learn ARP entries when receiving the ARP packets whose source MAC addresses are multicast MAC addresses. Scenario in which a network administrator wants to prevent a certain IP address from accessing devices: The network administrator binds the IP address to an unavailable MAC address.	Static ARP entries will not age and cannot be overridden by dynamic ARP entries. You can run the arp static command to manually configure a static ARP entry, or use automatic scanning and fixed ARP entries to batch configure static ARP entries.
IPSG	IPSG is used to prevent unauthorized users from forging IP addresses. For example, after IPSG is configured, the users who change IP addresses without permission on a network are not allowed to access external networks. In IP address forging scenarios, attackers use their owner MAC address but embezzle others' IP addresses for communication to obtain the attacked user's rights or the packets that should be sent to the attacked user.	IPSG is used to check IP packets against binding tables (dynamic and static DHCP binding tables). When forwarding an IP packet, the device compares the source IP address, source MAC address, interface, and VLAN in the IP packet with the information in the binding table. You can configure the parameters to be compared, for example, the source IP address and VLAN. If the parameters match the table information, the user is authorized and the device forwards the IP packet. If the parameters do not match the table information, the device considers that it is an attack packet and discards the packet. When configuring IPSG, you can run the user-bind static command to configure a static binding table.
DAI	DAI is used to prevent Man in The Middle (MiTM) attacks. If DAI is not configured, ARP entries of authorized users on the device may be updated by the pseudo ARP packets sent by attackers.	DAI is used to check ARP packets according to binding tables (dynamic and static DHCP binding tables). When receiving an ARP packet, the device compares the source IP address, source MAC address, interface, and VLAN in the ARP packet with the information in the binding table. You can configure the parameters to be compared, for example, the source IP address and VLAN. If the parameters match the table information, the user is authorized and the device allows the ARP packet to pass through. If the parameters do not match the table information, the device considers that it is an attack packet and discards the packet. When configuring DAI, you can run the user-bind static command to configure a static binding table.

Function

Scenario

Implementation

Static ARP

Static ARP entries apply to the following scenarios:

Networks with important devices such as servers: Network attackers cannot update the ARP entries containing IP addresses of important devices on the router using ARP attack packets, ensuring communication between users and important devices.
Networks on which MAC addresses of user devices are multicast MAC addresses: By default, a device does not learn ARP entries when receiving the ARP packets whose source MAC addresses are multicast MAC addresses.
Scenario in which a network administrator wants to prevent a certain IP address from accessing devices: The network administrator binds the IP address to an unavailable MAC address.

Static ARP entries will not age and cannot be overridden by dynamic ARP entries. You can run the arp static command to manually configure a static ARP entry, or use automatic scanning and fixed ARP entries to batch configure static ARP entries.

IPSG

IPSG is used to prevent unauthorized users from forging IP addresses. For example, after IPSG is configured, the users who change IP addresses without permission on a network are not allowed to access external networks.

In IP address forging scenarios, attackers use their owner MAC address but embezzle others' IP addresses for communication to obtain the attacked user's rights or the packets that should be sent to the attacked user.

IPSG is used to check IP packets against binding tables (dynamic and static DHCP binding tables).

When forwarding an IP packet, the device compares the source IP address, source MAC address, interface, and VLAN in the IP packet with the information in the binding table. You can configure the parameters to be compared, for example, the source IP address and VLAN.

If the parameters match the table information, the user is authorized and the device forwards the IP packet.
If the parameters do not match the table information, the device considers that it is an attack packet and discards the packet.

When configuring IPSG, you can run the user-bind static command to configure a static binding table.

DAI

DAI is used to prevent Man in The Middle (MiTM) attacks. If DAI is not configured, ARP entries of authorized users on the device may be updated by the pseudo ARP packets sent by attackers.

DAI is used to check ARP packets according to binding tables (dynamic and static DHCP binding tables).

When receiving an ARP packet, the device compares the source IP address, source MAC address, interface, and VLAN in the ARP packet with the information in the binding table. You can configure the parameters to be compared, for example, the source IP address and VLAN.

If the parameters match the table information, the user is authorized and the device allows the ARP packet to pass through.
If the parameters do not match the table information, the device considers that it is an attack packet and discards the packet.

When configuring DAI, you can run the user-bind static command to configure a static binding table.

Translation

简体中文

Download

Updated: 2023-05-18

Document ID: EDOC1100112351

Downloads: 755

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate

Related Version

Related Documents

Digital Signature File