02-ARP attack protection configuration
Contents
Configuring ARP attack protection
ARP attack protection configuration task list
Configuring unresolvable IP attack protection
Configuring ARP source suppression
Enabling ARP black hole routing
Displaying and maintaining unresolvable IP attack protection
Configuring ARP packet rate limit
Configuring source MAC based ARP attack detection
Displaying and maintaining source MAC address based ARP attack detection
Configuring ARP packet source MAC consistency check
Configuring ARP active acknowledgement
Configuration example (on a DHCP server)
Authorized ARP configuration example (on a DHCP relay agent)
Configuring user validity check
Configuring ARP packet validity check
Configuring ARP restricted forwarding
Displaying and maintaining ARP detection
User validity check and ARP packet validity check configuration example
ARP restricted forwarding configuration example
Configuring ARP automatic scanning and fixed ARP
Configuring ARP gateway protection
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
· Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
· Sends a large number of IP packets for which ARP cannot find corresponding MAC addresses (called unresolvable IP packets) to keep the receiving device busy resolving IP addresses until its CPU is overloaded.
· Sends a large number of ARP packets to overload the CPU of the receiving device.
For more information about ARP attack features and types, see ARP Attack Protection Technology White Paper.
NOTE: The device operates in IRF or standalone (the default) mode. For information about IRF mode, see IRF Configuration Guide.
ARP attack protection configuration task list
Tasks at a glance
Flood prevention:
· Configuring unresolvable IP attack protection (configured on gateways)
  · Configuring ARP source suppression
  · Enabling ARP black hole routing
· Configuring ARP packet rate limit (configured on access devices)
· Configuring source MAC based ARP attack detection (configured on gateways)
User and gateway spoofing prevention:
· Configuring ARP packet source MAC consistency check (configured on gateways)
· Configuring ARP active acknowledgement (configured on gateways)
· Configuring authorized ARP (configured on gateways)
· Configuring ARP detection (configured on access devices)
· Configuring ARP automatic scanning and fixed ARP (configured on gateways)
· Configuring ARP gateway protection (configured on access devices)
· Configuring ARP filtering (configured on access devices)
Configuring unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations can occur.
· The device sends a large number of ARP requests, overloading the target subnets.
· The device keeps trying to resolve target IP addresses, overloading its CPU.
To protect the device from such unresolvable IP attacks, you can configure the following features:
· ARP source suppression—If the attack packets have the same source address, you can enable the ARP source suppression function, and set the maximum number of unresolvable IP packets that the device can receive from a host within 5 seconds. If the threshold is reached, the device stops resolving packets from the host until the 5 seconds elapse.
· ARP black hole routing—You can enable the ARP black hole routing function regardless of whether the attack packets have the same source address. After receiving an unresolvable IP packet, the device creates a black hole route destined for that IP address and drops all matching packets until the black hole route ages out.
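The two mechanisms above behave differently against the same flood of unresolvable IP packets. The following model, added here as an illustration and not taken from the configuration guide, implements both decisions side by side: a per-source counter over the guide's 5-second window with the default limit of 10, and a per-destination black hole route that drops further packets until it ages out. The class and method names are this example's own, and the black hole aging time is an assumed value because the guide does not state one.

```python
from collections import defaultdict

WINDOW = 5.0          # the guide's suppression window, in seconds
DEFAULT_LIMIT = 10    # default value of "arp source-suppression limit"


class UnresolvableIpProtection:
    """Decides what happens to an IP packet whose next hop has no ARP entry."""

    def __init__(self, limit=DEFAULT_LIMIT, suppression=True, black_hole=True,
                 black_hole_age=25.0):
        self.limit = limit
        self.suppression = suppression
        self.black_hole = black_hole
        # Aging time of a black hole route: an assumed value, the guide gives none.
        self.black_hole_age = black_hole_age
        self._window_start = {}           # source IP -> start of its current window
        self._count = defaultdict(int)    # source IP -> unresolvable packets in the window
        self._black_holes = {}            # destination IP -> expiry time
        self.resolve_attempts = 0         # ARP resolutions actually started

    def handle(self, src, dst, now):
        """Return 'resolve', 'suppressed' or 'black-hole' for one packet at time `now`."""
        if self.black_hole:
            expiry = self._black_holes.get(dst)
            if expiry is not None:
                if now < expiry:
                    return 'black-hole'          # route still present: drop silently
                del self._black_holes[dst]       # route aged out: try resolving again
        if self.suppression:
            start = self._window_start.get(src)
            if start is None or now - start >= WINDOW:
                self._window_start[src] = now    # open a new 5-second window
                self._count[src] = 0
            self._count[src] += 1
            if self._count[src] > self.limit:
                return 'suppressed'              # over the limit: no resolution until the window ends
        self.resolve_attempts += 1               # the device would send an ARP request here
        if self.black_hole:
            self._black_holes[dst] = now + self.black_hole_age
        return 'resolve'


if __name__ == '__main__':
    # Constructed traffic: one host sends packets to many unresolvable destinations.
    p = UnresolvableIpProtection(limit=3)
    for i in range(5):
        print(f'10.0.1.{i} ->', p.handle('10.0.0.9', f'10.0.1.{i}', 0.0))
    print('repeat to 10.0.1.1 ->', p.handle('10.0.0.9', '10.0.1.1', 1.0))
```

Note that source suppression only helps when the flood comes from one source address, which is why the guide recommends black hole routing when source addresses vary: the black hole decision is keyed on the destination and is independent of who sent the packet.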
Configuring ARP source suppression
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable ARP source suppression. | arp source-suppression enable | By default, ARP source suppression is disabled. |
3. Set the maximum number of unresolvable packets that the device can receive from a host within 5 seconds. | arp source-suppression limit limit-value | By default, the maximum number is 10. |
Enabling ARP black hole routing
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable ARP black hole routing. | arp resolving-route enable | By default, ARP black hole routing is enabled. |
Displaying and maintaining unresolvable IP attack protection
Execute display commands in any view.
Task | Command |
---|---|
Display ARP source suppression configuration information. | display arp source-suppression |
Configuration example
Network requirements
As shown in Figure 1, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Switch) through an access switch.
A large number of ARP requests are detected in the office area and are considered as the consequence of an unresolvable IP attack. To prevent such attacks, configure ARP source suppression and ARP black hole routing.
Configuration considerations
If the attack packets have the same source address, configure the ARP source suppression function as follows:
1. Enable ARP source suppression.
2. Set the threshold to 100. If the number of unresolvable IP packets received from a host within 5 seconds exceeds 100, the device stops resolving packets from the host until the 5 seconds elapse.
If the attack packets have different source addresses, enable the ARP black hole routing function on the gateway.
Configuration procedure
# Enable ARP source suppression and set the threshold to 100.
<Switch> system-view
[Switch] arp source-suppression enable
[Switch] arp source-suppression limit 100
# Enable ARP black hole routing.
[Switch] arp resolving-route enable
Configuring ARP packet rate limit
The ARP packet rate limit feature allows you to limit the rate of ARP packets to be delivered to the CPU. For example, if an attacker sends a large number of ARP packets to an ARP detection enabled device, the device CPU is overloaded because all ARP packets are redirected to the CPU for inspection. As a result, the device fails to provide other functions or even crashes. To solve this problem, you can configure ARP packet rate limit.
Configuration guidelines
Configure this feature when ARP detection, ARP snooping, or ARP fast-reply is enabled, or when ARP flood attacks are detected.
Configuration procedure
This task sets a rate limit for ARP packets received on an interface. When the receiving rate of ARP packets on the interface exceeds the rate limit, the device drops the ARP packets.
To configure ARP packet rate limit:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
3. Enable ARP packet rate limit and configure the rate limit. | arp rate-limit pps | By default, ARP packet rate limit is disabled. |
Configuring source MAC based ARP attack detection
This feature checks the number of ARP packets received from the same MAC address within 5 seconds against a specific threshold. If the threshold is exceeded, the device adds the MAC address to an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the following methods:
· Monitor—Generates log messages.
· Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.
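The per-interface rate limit described under "Configuring ARP packet rate limit" and the source MAC based detection described above are two stages of the same control-plane protection: the first bounds how many ARP packets an interface may hand to the CPU per second, the second decides, per source MAC, whether those packets come from an attacker. The following model, added here and not part of the guide, implements both with the guide's defaults (threshold 30 packets per 5 seconds, attack entries aged out after 300 seconds, monitor or filter action, excluded MAC addresses). The class and function names are this example's own.

```python
import math


class ArpRateLimiter:
    """Drops ARP packets once an interface exceeds `pps` packets in a one-second bucket."""

    def __init__(self, pps):
        self.pps = pps
        self._bucket = {}   # interface -> (second, packets seen in that second)

    def accept(self, interface, now):
        second = math.floor(now)
        sec, count = self._bucket.get(interface, (second, 0))
        if sec != second:
            sec, count = second, 0          # a new second starts a new bucket
        count += 1
        self._bucket[interface] = (sec, count)
        return count <= self.pps


class SourceMacDetector:
    WINDOW = 5.0   # the guide counts packets per source MAC over 5 seconds

    def __init__(self, mode='monitor', threshold=30, aging_time=300.0, exclude=()):
        assert mode in ('monitor', 'filter')          # "arp source-mac { filter | monitor }"
        self.mode = mode
        self.threshold = threshold                    # "arp source-mac threshold"
        self.aging_time = aging_time                  # "arp source-mac aging-time"
        self.exclude = {m.lower() for m in exclude}   # "arp source-mac exclude-mac"
        self._window = {}        # mac -> (window start, count)
        self.attack_entries = {}  # mac -> expiry time of the ARP attack entry
        self.log = []             # log messages generated in either mode

    def inspect(self, src_mac, now):
        """Return True if the ARP packet may be processed, False if it is filtered out."""
        mac = src_mac.lower()
        if mac in self.exclude:
            return True                               # excluded MACs are never inspected
        expiry = self.attack_entries.get(mac)
        if expiry is not None:
            if now < expiry:
                return self.mode == 'monitor'         # filter drops, monitor only logged earlier
            del self.attack_entries[mac]              # entry aged out: processed normally again
        start, count = self._window.get(mac, (now, 0))
        if now - start >= self.WINDOW:
            start, count = now, 0
        count += 1
        self._window[mac] = (start, count)
        if count > self.threshold:
            self.attack_entries[mac] = now + self.aging_time
            self.log.append(f'ARP attack from {mac} at t={now:.1f}: '
                            f'{count} packets in 5 s, action={self.mode}')
            return self.mode == 'monitor'
        return True


def process_arp(limiter, detector, interface, src_mac, now):
    """Apply the interface rate limit first, then source MAC based detection."""
    if not limiter.accept(interface, now):
        return 'rate-limited'
    return 'processed' if detector.inspect(src_mac, now) else 'filtered'


if __name__ == '__main__':
    # Constructed burst: 40 ARP packets from one MAC within 0.4 s on GE3/0/1.
    limiter = ArpRateLimiter(pps=100)
    detector = SourceMacDetector(mode='filter', exclude=['0012-3f86-e94c'])
    results = [process_arp(limiter, detector, 'GE3/0/1', '00aa-bbcc-dd01', i * 0.01)
               for i in range(40)]
    print(results.count('processed'), 'processed,', results.count('filtered'), 'filtered')
    print(detector.log)
```

The order matters: the rate limit is a blunt per-interface cap that protects the CPU even when the detector cannot keep up, while the detector is what produces the attack entry and the log line an operator would alert on. The monitor mode is the safe first step on a gateway, because an excluded-list mistake in filter mode silently drops a legitimate server's ARP traffic.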
Configuration procedure
To configure source MAC address based ARP attack detection:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable source MAC address based ARP attack detection and specify the handling method. | arp source-mac { filter | monitor } | By default, this feature is disabled. |
3. Configure the threshold. | arp source-mac threshold threshold-value | By default, the threshold is 30. |
4. Configure the aging timer for ARP attack entries. | arp source-mac aging-time time | By default, the lifetime is 300 seconds. |
5. (Optional.) Exclude specified MAC addresses from this detection. | arp source-mac exclude-mac mac-address&<1-n> | By default, no MAC address is excluded. |
NOTE: When an ARP attack entry expires, ARP packets sourced from the MAC address in the entry can be processed normally.
Displaying and maintaining source MAC address based ARP attack detection
Execute display commands in any view.
Task | Command |
---|---|
Display ARP attack entries detected by source MAC address based ARP attack detection (in standalone mode). | display arp source-mac { slot slot-number | interface interface-type interface-number } |
Display ARP attack entries detected by source MAC address based ARP attack detection (in IRF mode). | display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number } |
Configuration example
Network requirements
As shown in Figure 2, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway may crash and fail to process requests from the clients. To solve this problem, configure source MAC address based ARP attack detection on the gateway.
Figure 2 Network diagram
Configuration considerations
An attacker may forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway in the following steps:
1. Enable source MAC address based ARP attack detection and specify the handling method as filter.
2. Set the threshold.
3. Set the lifetime for ARP attack entries.
4. Exclude the MAC address of the server from this detection.
Configuration procedure
# Enable source MAC address-based ARP attack detection, and specify the handling method as filter.
<Switch> system-view
[Switch] arp source-mac filter
# Set the threshold to 30.
[Switch] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Switch] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
[Switch] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body, so that the gateway can learn correct ARP entries.
To enable ARP packet source MAC address consistency check:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable ARP packet source MAC address consistency check. | arp valid-check enable | By default, ARP packet source MAC address consistency check is disabled. |
Configuring ARP active acknowledgement
Configure this feature on gateway devices to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries. For more information about its working mechanism, see ARP Attack Protection Technology White Paper.
To configure ARP active acknowledgement:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the ARP active acknowledgement function. | arp active-ack enable | By default, the ARP active acknowledgement function is disabled. |
Configuring authorized ARP
NOTE: This feature can be configured only on Layer 3 Ethernet interfaces. For information about the operating mode of Ethernet interfaces, see Interface Configuration Guide.
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide.
With authorized ARP enabled, an interface does not learn dynamic ARP entries. This prevents user spoofing and allows only authorized clients to access network resources.
Configuration procedure
To enable authorized ARP:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 3 Ethernet interface/Layer 3 Ethernet subinterface/Layer 3 aggregate interface/Layer 3 aggregate subinterface view. | interface interface-type interface-number | N/A |
3. Set the interface to operate in Layer 3 mode. | port link-mode route | For information about the operating mode of Ethernet interfaces, see Interface Configuration Guide. |
4. Enable authorized ARP on the interface. | arp authorized enable | By default, authorized ARP is disabled. |
Configuration example (on a DHCP server)
NOTE: By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.
Network requirements
Configure authorized ARP on GigabitEthernet 3/0/1 of Switch A (a DHCP server) to ensure user validity.
Configuration procedure
1. Configure Switch A:
# Configure interface GigabitEthernet 3/0/1 to operate in Layer 3 mode.
<SwitchA> system-view
[SwitchA] interface GigabitEthernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] port link-mode route
# Configure the IP address for GigabitEthernet 3/0/1.
[SwitchA-GigabitEthernet3/0/1] ip address 10.1.1.1 24
[SwitchA-GigabitEthernet3/0/1] quit
# Enable DHCP.
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 1
[SwitchA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-dhcp-pool-1] quit
# Enter Layer 3 Ethernet interface view.
[SwitchA] interface GigabitEthernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] port link-mode route
# Enable authorized ARP.
[SwitchA-GigabitEthernet3/0/1] arp authorized enable
[SwitchA-GigabitEthernet3/0/1] quit
2. After Host obtains an IP address from Switch A, display the authorized ARP entry information on Switch A.
[SwitchA] display arp all
Type: S-Static   D-Dynamic   I-Invalid
IP Address      MAC Address      VLAN   Interface   Aging   Type
10.1.1.2        0012-3f86-e94c   N/A    GE3/0/1     2       D
The output shows that IP address 10.1.1.2 has been assigned to Host.
Host must use the IP address and MAC address in the authorized ARP entry to communicate with Switch A. Otherwise, the communication fails. Thus user validity is ensured.
Authorized ARP configuration example (on a DHCP relay agent)
NOTE: By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.
Network requirements
Configure authorized ARP on GigabitEthernet 3/0/2 of Switch B (a DHCP relay agent) to ensure user validity.
Configuration procedure
1. Configure Switch A:
# Configure interface GigabitEthernet 3/0/1 to operate in Layer 3 mode.
<SwitchA> system-view
[SwitchA] interface GigabitEthernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] port link-mode route
# Configure the IP address for GigabitEthernet 3/0/1.
[SwitchA-GigabitEthernet3/0/1] ip address 10.1.1.1 24
[SwitchA-GigabitEthernet3/0/1] quit
# Enable DHCP.
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 1
[SwitchA-dhcp-pool-1] network 10.10.1.0 mask 255.255.255.0
[SwitchA-dhcp-pool-1] gateway-list 10.10.1.1
[SwitchA-dhcp-pool-1] quit
[SwitchA] ip route-static 10.10.1.0 24 10.1.1.2
2. Configure Switch B:
# Enable DHCP.
<SwitchB> system-view
[SwitchB] dhcp enable
# Configure interface GigabitEthernet 3/0/1 to operate in Layer 3 mode.
[SwitchB] interface GigabitEthernet 3/0/1
[SwitchB-GigabitEthernet3/0/1] port link-mode route
# Configure the IP addresses of GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2.
[SwitchB-GigabitEthernet3/0/1] ip address 10.1.1.2 24
[SwitchB-GigabitEthernet3/0/1] quit
[SwitchB] interface GigabitEthernet 3/0/2
[SwitchB-GigabitEthernet3/0/2] port link-mode route
[SwitchB-GigabitEthernet3/0/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on GigabitEthernet 3/0/2.
[SwitchB-GigabitEthernet3/0/2] dhcp select relay
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[SwitchB-GigabitEthernet3/0/2] dhcp relay server-address 10.1.1.1
# Enter Layer 3 Ethernet interface view.
[SwitchB-GigabitEthernet3/0/2] port link-mode route
# Enable authorized ARP.
[SwitchB-GigabitEthernet3/0/2] arp authorized enable
[SwitchB-GigabitEthernet3/0/2] quit
Verifying the configuration
After Host obtains an IP address from Switch A, display the authorized ARP information on Switch B.
[SwitchB] display arp all
Type: S-Static   D-Dynamic   I-Invalid
IP Address      MAC Address      VLAN   Interface   Aging   Type
10.10.1.2       0012-3f86-e94c   N/A    GE3/0/2     2       D
The output shows that Switch A assigned an IP address 10.10.1.2 to Host.
Host must use the IP address and MAC address in the authorized ARP entry to communicate with Switch B. Otherwise, the communication fails. Thus the user validity is ensured.
Configuring ARP detection
ARP detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP detection does not check ARP packets received from ARP trusted ports.
ARP detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding functions.
If both ARP packet validity check and user validity check are enabled, ARP packet validity check applies first, and then user validity check applies.
Configuring user validity check
Upon receiving an ARP packet from an ARP untrusted interface, the device compares the sender IP and MAC addresses against the static IP source guard binding entries and the DHCP snooping entries. If a match is found in those entries, the ARP packet is considered valid and is forwarded. If no match is found, the ARP packet is considered invalid and is discarded.
Static IP source guard binding entries are created by using the ip source binding command. For more information, see "Configuring IP source guard."
DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide.
Configuration guidelines
· Make sure at least one static IP source guard binding entry or DHCP snooping entry is available for user validity check. Otherwise, all ARP packets received from ARP untrusted ports are discarded.
· You must specify a VLAN for an IP source guard binding entry. Otherwise, no ARP packets can match the entry.
Configuration procedure
To configure user validity check:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable ARP detection. | arp detection enable | By default, ARP detection is disabled. |
4. Return to system view. | quit | N/A |
5. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
6. (Optional.) Configure the interface as a trusted interface excluded from ARP detection. | arp detection trust | By default, an interface is untrusted. |
Configuring ARP packet validity check
Enable validity check for ARP packets received on untrusted ports and specify the following objects to be checked:
· src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.
· dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
· ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-zero, all-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded.
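The three validation objects above, and the gateway-side source MAC consistency check described under "Configuring ARP packet source MAC consistency check" (the src-mac object is the same comparison), are simple field checks once the frame is parsed. The following parser and validator, added here and not part of the guide, decode an Ethernet II ARP frame and apply whichever of the dst-mac, ip and src-mac objects are selected, mirroring `arp detection validate { dst-mac | ip | src-mac } *`. The sample frames are constructed for this example using the addresses from the guide's configuration examples; function names are this example's own.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp_frame(frame):
    """Return the Ethernet and ARP fields of a raw frame (IPv4 over Ethernet only)."""
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP body
        raise ValueError('frame too short for Ethernet + ARP')
    eth_dst, eth_src, ethertype = struct.unpack('!6s6sH', frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError('not an ARP frame')
    htype, ptype, hlen, plen, oper = struct.unpack('!HHBBH', frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError('only IPv4-over-Ethernet ARP is handled')
    sha, spa, tha, tpa = struct.unpack('!6s4s6s4s', frame[22:42])
    return {'eth_dst': eth_dst, 'eth_src': eth_src, 'oper': oper,
            'sha': sha, 'spa': spa, 'tha': tha, 'tpa': tpa}


def _bad_mac(raw):
    return raw == b'\x00' * 6 or raw == b'\xff' * 6        # all-zero or all-one


def _bad_ip(raw):
    # all-zero, all-one or multicast, as the guide's "ip" object defines invalid
    return raw == b'\x00' * 4 or raw == b'\xff' * 4 or ipaddress.IPv4Address(raw).is_multicast


def validate_arp(frame, checks=('dst-mac', 'ip', 'src-mac')):
    """Apply the selected validity checks; return (True, None) or (False, reason)."""
    a = parse_arp_frame(frame)
    if 'src-mac' in checks and a['sha'] != a['eth_src']:
        return False, 'src-mac: sender MAC differs from Ethernet source MAC'
    if 'dst-mac' in checks and a['oper'] == ARP_REPLY:
        if _bad_mac(a['tha']) or a['tha'] != a['eth_dst']:
            return False, 'dst-mac: invalid target MAC in reply'
    if 'ip' in checks:
        if _bad_ip(a['spa']):                  # sender IP is checked for requests and replies
            return False, 'ip: invalid sender IP'
        if a['oper'] == ARP_REPLY and _bad_ip(a['tpa']):
            return False, 'ip: invalid target IP in reply'
    return True, None


def build_arp(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Construct a raw ARP frame (helper for this example's sample data)."""
    return (struct.pack('!6s6sH', eth_dst, eth_src, ETHERTYPE_ARP)
            + struct.pack('!HHBBH', 1, 0x0800, 6, 4, oper)
            + struct.pack('!6s4s6s4s', sha, spa, tha, tpa))


def mac(text):   # '0001-0203-0607' (the guide's notation) -> 6 bytes
    return bytes.fromhex(text.replace('-', '').replace(':', ''))


def ip(text):
    return ipaddress.IPv4Address(text).packed


# Constructed samples: a well-formed reply, a reply whose ARP sender MAC disagrees
# with the Ethernet source MAC, and a request carrying a multicast sender IP.
HOST_A, GATEWAY = mac('0001-0203-0607'), mac('0012-3f86-e94c')
GOOD_REPLY = build_arp(GATEWAY, HOST_A, ARP_REPLY,
                       HOST_A, ip('10.1.1.6'), GATEWAY, ip('10.1.1.1'))
MISMATCH_REPLY = build_arp(GATEWAY, HOST_A, ARP_REPLY,
                           mac('000f-e349-1234'), ip('10.1.1.6'), GATEWAY, ip('10.1.1.1'))
BAD_IP_REQUEST = build_arp(b'\xff' * 6, HOST_A, ARP_REQUEST,
                           HOST_A, ip('224.0.0.9'), b'\x00' * 6, ip('10.1.1.1'))

if __name__ == '__main__':
    for name, frame in [('good reply', GOOD_REPLY), ('mismatched reply', MISMATCH_REPLY),
                        ('multicast-sender request', BAD_IP_REQUEST)]:
        print(f'{name}: {validate_arp(frame)}')
```

Packet validity check runs before user validity check, so a frame rejected here never reaches the binding lookup; this is cheap protection against malformed floods, but it says nothing about whether the sender is the legitimate owner of the IP address, which is what the binding entries are for.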
To configure ARP packet validity check:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable ARP detection. | arp detection enable | By default, ARP detection is disabled. |
4. Return to system view. | quit | N/A |
5. Enable ARP packet validity check and specify the objects to be checked. | arp detection validate { dst-mac | ip | src-mac } * | By default, ARP packet validity check is disabled. |
6. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
7. (Optional.) Configure the interface as a trusted interface excluded from ARP detection. | arp detection trust | By default, an interface is untrusted. |
Configuring ARP restricted forwarding
NOTE: ARP restricted forwarding does not apply to ARP packets with multiport MAC as their destination MAC addresses.
ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted interfaces and have passed user validity check as follows:
· If the packets are ARP requests, they are forwarded through the trusted interface.
· If the packets are ARP replies, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted interface.
Configure user validity check before you configure ARP restricted forwarding.
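The following model, added here and not part of the guide, ties together the user validity check described under "Configuring user validity check" and the restricted forwarding rules above: an untrusted port's ARP packet must match a binding (IP, MAC and VLAN, since a binding without a VLAN never matches), trusted ports are exempt, and, with restricted forwarding on, validated requests leave only through trusted ports while replies follow the MAC address table and fall back to the trusted ports. Port names, the bindings, the MAC table and the sample packets are constructed for this example; the addresses are those of the guide's examples.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Binding:
    """A static IP source guard binding or DHCP snooping entry."""
    ip: str
    mac: str
    vlan: Optional[int]   # None models a binding configured without a VLAN


@dataclass
class ArpPacket:
    in_port: str
    vlan: int
    oper: str        # 'request' or 'reply'
    sender_ip: str
    sender_mac: str
    eth_dst: str     # destination MAC of the Ethernet header


@dataclass
class ArpDetection:
    detection_vlans: Set[int]                       # VLANs with "arp detection enable"
    trusted_ports: Set[str]                         # ports with "arp detection trust"
    bindings: Set[Binding] = field(default_factory=set)
    restricted_forwarding: bool = False             # "arp restricted-forwarding enable"
    mac_table: Dict[str, str] = field(default_factory=dict)   # MAC -> port
    all_ports: Set[str] = field(default_factory=set)

    def user_validity_check(self, pkt):
        """Trusted ports are not checked; untrusted packets need a matching binding."""
        if pkt.in_port in self.trusted_ports:
            return True
        return Binding(pkt.sender_ip, pkt.sender_mac, pkt.vlan) in self.bindings

    def handle(self, pkt):
        """Return 'discard' or the sorted list of egress ports."""
        if pkt.vlan not in self.detection_vlans:
            return self._normal_forward(pkt)
        if not self.user_validity_check(pkt):
            return 'discard'
        if self.restricted_forwarding and pkt.in_port not in self.trusted_ports:
            if pkt.oper == 'request':
                return sorted(self.trusted_ports)            # requests go upstream only
            port = self.mac_table.get(pkt.eth_dst)
            return [port] if port else sorted(self.trusted_ports)
        return self._normal_forward(pkt)

    def _normal_forward(self, pkt):
        """Ordinary Layer 2 forwarding: known unicast to its port, otherwise flood the VLAN."""
        if pkt.eth_dst not in self.mac_table:
            return sorted(self.all_ports - {pkt.in_port})
        return [self.mac_table[pkt.eth_dst]]


if __name__ == '__main__':
    sw = ArpDetection(detection_vlans={10}, trusted_ports={'GE3/0/3'},
                      bindings={Binding('10.1.1.6', '0001-0203-0607', 10)},
                      all_ports={'GE3/0/1', 'GE3/0/2', 'GE3/0/3'},
                      mac_table={'0001-0203-0607': 'GE3/0/2'})
    host_a_request = ArpPacket('GE3/0/2', 10, 'request', '10.1.1.6',
                               '0001-0203-0607', 'ffff-ffff-ffff')
    print('without restricted forwarding:', sw.handle(host_a_request))
    sw.restricted_forwarding = True
    print('with restricted forwarding:   ', sw.handle(host_a_request))
```

The broadcast request from Host A is the case the guide's restricted forwarding example revolves around: without restricted forwarding it is flooded to every other port, including isolated Host B's; with it, the request is sent only to the trusted upstream port, so port isolation holds.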
To enable ARP restricted forwarding:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable ARP restricted forwarding. | arp restricted-forwarding enable | By default, ARP restricted forwarding is disabled. |
Displaying and maintaining ARP detection
Execute display commands in any view and reset commands in user view.
Task | Command |
---|---|
Display the VLANs enabled with ARP detection. | display arp detection |
Display the ARP detection statistics. | display arp detection statistics [ interface interface-type interface-number ] |
Clear the ARP detection statistics. | reset arp detection statistics [ interface interface-type interface-number ] |
User validity check and ARP packet validity check configuration example
NOTE: By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.
Network requirements
As shown in Figure 5, configure Switch B to perform ARP packet validity check and user validity check based on static IP source guard binding entries and DHCP snooping entries for connected hosts.
Configuration procedure
1. Add all interfaces on Switch B to VLAN 10, and configure the IP address of VLAN-interface 10 on Switch A. (Details not shown.)
2. Configure the DHCP server on Switch A, and configure DHCP address pool 0.
<SwitchA> system-view
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A (DHCP client) and Host B. (Details not shown.)
4. Configure Switch B:
# Enable DHCP snooping.
<SwitchB> system-view
[SwitchB] dhcp snooping enable
[SwitchB] interface GigabitEthernet 3/0/3
[SwitchB-GigabitEthernet3/0/3] dhcp snooping trust
[SwitchB-GigabitEthernet3/0/3] quit
# Enable ARP detection for VLAN 10.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
[SwitchB-vlan10] quit
# Configure the upstream interface as a trusted interface (an interface is an untrusted interface by default).
[SwitchB] interface GigabitEthernet 3/0/3
[SwitchB-GigabitEthernet3/0/3] arp detection trust
[SwitchB-GigabitEthernet3/0/3] quit
# Configure a static IP source guard binding entry on interface GigabitEthernet 3/0/2 for user validity check.
[SwitchB] interface GigabitEthernet 3/0/2
[SwitchB-GigabitEthernet3/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[SwitchB-GigabitEthernet3/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
After the configurations are completed, ARP packets received on interfaces GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 have their MAC and IP addresses checked first, and then are checked against the static IP source guard binding entries and finally DHCP snooping entries.
ARP restricted forwarding configuration example
NOTE: By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.
Network requirements
As shown in Figure 6, configure ARP restricted forwarding on Switch B where ARP detection is configured so that port isolation configured on Switch B can take effect for broadcast ARP requests.
Configuration procedure
1. Configure VLAN 10, add interfaces to VLAN 10, and configure the IP address of the VLAN-interface. (Details not shown.)
2. Configure the DHCP server on Switch A, and configure DHCP address pool 0.
<SwitchA> system-view
[SwitchA] dhcp enable
[SwitchA] dhcp server ip-pool 0
[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Host A (DHCP client) and Host B. (Details not shown.)
4. Configure Switch B:
# Enable DHCP snooping, and configure GigabitEthernet 3/0/3 as a DHCP-trusted port.
<SwitchB> system-view
[SwitchB] dhcp snooping enable
[SwitchB] interface GigabitEthernet 3/0/3
[SwitchB-GigabitEthernet3/0/3] dhcp snooping trust
[SwitchB-GigabitEthernet3/0/3] quit
# Enable ARP detection for user validity check.
[SwitchB] vlan 10
[SwitchB-vlan10] arp detection enable
# Configure GigabitEthernet 3/0/3 as an ARP-trusted port.
[SwitchB-vlan10] interface GigabitEthernet 3/0/3
[SwitchB-GigabitEthernet3/0/3] arp detection trust
[SwitchB-GigabitEthernet3/0/3] quit
# Configure a static IP source guard entry on interface GigabitEthernet 3/0/2.
[SwitchB] interface GigabitEthernet 3/0/2
[SwitchB-GigabitEthernet3/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10
[SwitchB-GigabitEthernet3/0/2] quit
# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.
[SwitchB] arp detection validate dst-mac ip src-mac
# Configure port isolation.
[SwitchB] port-isolate group 1
[SwitchB] interface GigabitEthernet 3/0/1
[SwitchB-GigabitEthernet3/0/1] port-isolate enable group 1
[SwitchB-GigabitEthernet3/0/1] quit
[SwitchB] interface GigabitEthernet 3/0/2
[SwitchB-GigabitEthernet3/0/2] port-isolate enable group 1
[SwitchB-GigabitEthernet3/0/2] quit
After the preceding configurations are complete, ARP packets received on interfaces GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 have their MAC and IP addresses checked first, and then are checked against the static IP source guard binding entries and finally DHCP snooping entries. However, ARP broadcast requests sent from Host A can pass the check on Switch B and reach Host B. Port isolation fails.
# Enable ARP restricted forwarding.
[SwitchB] vlan 10
[SwitchB-vlan10] arp restricted-forwarding enable
[SwitchB-vlan10] quit
After the configuration, Switch B forwards ARP broadcast requests from Host A to Switch A through the trusted interface GigabitEthernet 3/0/3, and thus Host B cannot receive such packets. Port isolation works normally.
Configuring ARP automatic scanning and fixed ARP
ARP automatic scanning is usually used together with the fixed ARP feature in small-scale networks such as a cybercafe.
With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates dynamic ARP entries.
Fixed ARP allows the device to convert existing dynamic ARP entries (including those generated through ARP automatic scanning) to static ARP entries. The fixed ARP feature prevents ARP entries from being modified by attackers. Static ARP entries can also be manually configured by the arp static command.
Configuration guidelines
Follow these guidelines when you configure ARP automatic scanning and fixed ARP:
· IP addresses existing in ARP entries are not scanned.
· ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
· The arp fixup command is a one-time operation and converts existing dynamic ARP entries to static ones.
· The device has a limit on the total number of static ARP entries, including the manually configured and the converted. As a result, some dynamic ARP entries may fail the conversion.
· To delete a specific static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.
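The guidelines above describe three behaviours worth seeing together: a scan skips addresses that already have entries, arp fixup is a one-time conversion bounded by the static-entry limit (so some dynamic entries may fail), and a static entry cannot be overwritten by a later ARP reply. The following table model, added here and not the device's implementation, reproduces them. The neighbour map that answers the scan, the static-entry limit and the addresses are constructed for this example.

```python
import ipaddress


class ArpTable:
    def __init__(self, static_limit):
        self.static_limit = static_limit   # device-dependent; an assumed value here
        self.entries = {}                  # ip -> (mac, 'D' dynamic or 'S' static)

    def scan(self, start, end, neighbours):
        """arp scan start to end: request MACs for addresses without an entry."""
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(end))
        learned = []
        for n in range(first, last + 1):
            ip = str(ipaddress.IPv4Address(n))
            if ip in self.entries:
                continue                          # existing entries are not scanned
            mac = neighbours.get(ip)              # stands in for the ARP reply, if any
            if mac:
                self.entries[ip] = (mac, 'D')
                learned.append(ip)
        return learned

    def fixup(self):
        """arp fixup: convert dynamic entries to static ones, up to the static limit."""
        static = sum(1 for _, kind in self.entries.values() if kind == 'S')
        converted, failed = [], []
        ordered = sorted(self.entries.items(),
                         key=lambda kv: int(ipaddress.IPv4Address(kv[0])))
        for ip, (mac, kind) in ordered:
            if kind != 'D':
                continue
            if static < self.static_limit:
                self.entries[ip] = (mac, 'S')
                static += 1
                converted.append(ip)
            else:
                failed.append(ip)                 # limit reached: conversion fails
        return converted, failed

    def learn_dynamic(self, ip, mac):
        """A later ARP reply can replace a dynamic entry but never a static one."""
        current = self.entries.get(ip)
        if current and current[1] == 'S':
            return False
        self.entries[ip] = (mac, 'D')
        return True

    def undo_arp(self, ip):
        """undo arp ip-address: remove one entry, static or dynamic."""
        self.entries.pop(ip, None)


if __name__ == '__main__':
    neighbours = {'10.1.1.2': '000f-e349-1233', '10.1.1.3': '000f-e349-1234',
                  '10.1.1.5': '0001-0203-0607'}
    table = ArpTable(static_limit=2)
    print('scanned:', table.scan('10.1.1.1', '10.1.1.6', neighbours))
    print('fixup (converted, failed):', table.fixup())
    print('overwrite static entry accepted:', table.learn_dynamic('10.1.1.2', '00aa-0000-0009'))
```

The failed list is the thing to check after running arp fixup on a real device: an entry that stayed dynamic because the static limit was reached is still replaceable by a forged reply, so it has none of the protection the feature is meant to give.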
Configuration procedure
To configure ARP automatic scanning and fixed ARP:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 3 interface view. | interface interface-type interface-number | N/A |
3. Enable ARP automatic scanning. | arp scan [ start-ip-address to end-ip-address ] | N/A |
4. Return to system view. | quit | N/A |
5. Enable fixed ARP. | arp fixup | N/A |
Configuring ARP gateway protection
Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks.
When such an interface receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet normally.
Configuration guidelines
Follow these guidelines when you configure ARP gateway protection:
· You can enable ARP gateway protection for a maximum of eight gateways on an interface.
· Do not configure both the arp filter source and arp filter binding commands on an interface.
· If ARP gateway protection works with ARP detection, ARP snooping, and ARP fast-reply, ARP gateway protection applies first.
Configuration procedure
To configure ARP gateway protection:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
3. Enable ARP gateway protection for a specific gateway. | arp filter source ip-address | By default, ARP gateway protection is disabled. |
Configuration example
NOTE: By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.
Network requirements
As shown in Figure 7, Host B launches gateway spoofing attacks against Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.
Configure Switch B to block such attacks.
Configuration procedure
# Configure ARP gateway protection on Switch B.
<SwitchB> system-view
[SwitchB] interface GigabitEthernet 3/0/1
[SwitchB-GigabitEthernet3/0/1] arp filter source 10.1.1.1
[SwitchB-GigabitEthernet3/0/1] quit
[SwitchB] interface GigabitEthernet 3/0/2
[SwitchB-GigabitEthernet3/0/2] arp filter source 10.1.1.1
After the configuration is complete, GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
Configuring ARP filtering
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled normally. If not, the packet is discarded.
Configuration guidelines
Follow these guidelines when you configure ARP filtering:
· You can configure a maximum of eight permitted entries on an interface.
· Do not configure both the arp filter source and arp filter binding commands on an interface.
· If ARP filtering works with ARP detection, ARP snooping, and ARP fast-reply, ARP filtering applies first.
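ARP gateway protection (described under "Configuring ARP gateway protection") and ARP filtering above are both per-interface sender checks that run before ARP detection, ARP snooping and ARP fast-reply, and they share the same two limits: at most eight entries per interface, and the arp filter source and arp filter binding commands must not be combined on one interface. The following model, added here and not the guide's code, enforces those rules at configuration time and applies the checks to incoming packets. Class and method names are this example's own; the addresses are taken from the guide's configuration examples.

```python
MAX_ENTRIES = 8   # both features allow at most eight entries per interface


class ArpPortFilter:
    def __init__(self, name):
        self.name = name
        self.protected_gateways = set()   # "arp filter source ip-address"
        self.permitted = set()            # "arp filter binding ip-address mac-address"

    def filter_source(self, gateway_ip):
        """Protect a gateway address on this interface."""
        if self.permitted:
            raise ValueError(f'{self.name}: arp filter source cannot coexist with arp filter binding')
        if len(self.protected_gateways) >= MAX_ENTRIES and gateway_ip not in self.protected_gateways:
            raise ValueError(f'{self.name}: at most {MAX_ENTRIES} protected gateways per interface')
        self.protected_gateways.add(gateway_ip)

    def filter_binding(self, ip, mac):
        """Add a permitted sender IP/MAC pair on this interface."""
        if self.protected_gateways:
            raise ValueError(f'{self.name}: arp filter binding cannot coexist with arp filter source')
        entry = (ip, mac.lower())
        if len(self.permitted) >= MAX_ENTRIES and entry not in self.permitted:
            raise ValueError(f'{self.name}: at most {MAX_ENTRIES} permitted entries per interface')
        self.permitted.add(entry)

    def check(self, sender_ip, sender_mac):
        """Return 'permit' or 'discard' for an ARP packet received on this interface."""
        if sender_ip in self.protected_gateways:
            return 'discard'     # a host on this port claims the gateway's IP address
        if self.permitted and (sender_ip, sender_mac.lower()) not in self.permitted:
            return 'discard'     # ARP filtering: not one of the permitted IP/MAC pairs
        return 'permit'


def apply_config(commands):
    """Build filters from (interface, command, args) tuples; return filters and config errors."""
    filters, errors = {}, []
    for interface, command, *args in commands:
        port = filters.setdefault(interface, ArpPortFilter(interface))
        try:
            if command == 'arp filter source':
                port.filter_source(*args)
            elif command == 'arp filter binding':
                port.filter_binding(*args)
            else:
                raise ValueError(f'{interface}: unknown command {command}')
        except ValueError as exc:
            errors.append(str(exc))
    return filters, errors


if __name__ == '__main__':
    # Constructed configuration mirroring the guide's two examples, plus one conflicting line.
    filters, errors = apply_config([
        ('GE3/0/1', 'arp filter source', '10.1.1.1'),
        ('GE3/0/2', 'arp filter binding', '10.1.1.3', '000f-e349-1234'),
        ('GE3/0/2', 'arp filter source', '10.1.1.1'),     # rejected: mixes the two features
    ])
    print('errors:', errors)
    print('GE3/0/1, host claiming gateway IP:', filters['GE3/0/1'].check('10.1.1.1', '000f-e349-1234'))
    print('GE3/0/2, Host B:', filters['GE3/0/2'].check('10.1.1.3', '000f-e349-1234'))
    print('GE3/0/2, other host:', filters['GE3/0/2'].check('10.1.1.2', '000f-e349-1233'))
```

Gateway protection is the lighter-weight choice when the only concern is a host impersonating the gateway; ARP filtering is stricter, since it pins the exact IP/MAC pairs allowed on the port, but every host behind the port must then be enumerated within the eight-entry limit.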
Configuration procedure
To configure ARP filtering:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
3. Enable ARP filtering and configure a permitted entry. | arp filter binding ip-address mac-address | By default, ARP filtering is disabled. |
Configuration example
NOTE: By default, Ethernet, VLAN, and aggregate interfaces are down. To configure such an interface, bring the interface up by executing the undo shutdown command.
Network requirements
As shown in Figure 8, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233 respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234.
Configure ARP filtering on GigabitEthernet 3/0/1 and GigabitEthernet 3/0/2 of Switch B to permit ARP packets from the two hosts only.
Configuration procedure
# Configure ARP filtering on Switch B.
<SwitchB> system-view
[SwitchB] interface GigabitEthernet 3/0/1
[SwitchB-GigabitEthernet3/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[SwitchB-GigabitEthernet3/0/1] quit
[SwitchB] interface GigabitEthernet 3/0/2
[SwitchB-GigabitEthernet3/0/2] arp filter binding 10.1.1.3 000f-e349-1234
After the configuration is complete, GigabitEthernet 3/0/1 permits ARP packets from Host A, and discards other ARP packets. GigabitEthernet 3/0/2 permits ARP packets from Host B and discards other ARP packets.