Address Resolution Protocol (ARP) is used
to resolve an IP address into a data link layer address.
An IP address is the address of a host at
the network layer. To send a network layer packet to a destination host, the
device must know the data link layer address (MAC address, for example) of the
destination host or the next hop. To this end, the IP address must be resolved
into the corresponding data link layer address.
Unless otherwise
stated, a data link layer address in this chapter refers to a 48-bit Ethernet
MAC address.
1.1.2 ARP Message Format
ARP messages are classified as ARP request messages
and ARP reply messages. Figure
1-1 illustrates the format of these two types of ARP messages.
l
As for an ARP request, all the fields except the
hardware address of the receiver field are set. The hardware address of the
receiver is what the sender requests for.
l
As for an ARP reply, all the fields are set.
Figure 1-1
ARP message format
Table 1-1 describes the
fields of an ARP packet.
Table 1-1 Description on the fields of an ARP packet
|
Field
|
Description
|
|
Hardware
Type
|
Type of
the hardware interface. Refer to Table 1-2 for the information about the
field values.
|
|
Protocol type
|
Type of protocol address to be mapped.
0x0800 indicates an IP address.
|
|
Length of hardware address
|
Hardware address length (in bytes)
|
|
Length of protocol address
|
Protocol address length (in bytes)
|
|
Operator
|
Indicates the type of a data packets,
which can be:
l
1: ARP request packets
l
2: ARP reply packets
l
3: RARP request packets
l
4: RARP reply packets
|
|
Hardware address of the sender
|
Hardware address of the sender
|
|
IP address of the sender
|
IP address of the sender
|
|
Hardware address of the receiver
|
l
For an ARP request packet, this field is null.
l
For an ARP reply packet, this field carries the
hardware address of the receiver.
|
|
IP address of the receiver
|
IP address of the receiver
|
Table 1-2 Description on the values of
the hardware type field
|
Value
|
Description
|
|
1
|
Ethernet
|
|
2
|
Experimental Ethernet
|
|
3
|
X.25
|
|
4
|
Proteon ProNET (Token Ring)
|
|
5
|
Chaos
|
|
6
|
IEEE802.X
|
|
7
|
ARC network
|
In an Ethernet, the MAC addresses of two
hosts must be available for the two hosts to communicate with each other. Each
host in an Ethernet maintains an ARP table, where the latest used IP
address-to-MAC address mapping entries are stored. S3100 series Ethernet switches
provide the display arp command to display the information about ARP
mapping entries.
ARP entries in an S3100 series Ethernet
switch can either be static entries or dynamic entries, as described in Table 1-3.
Table 1-3 ARP entries
|
ARP entry
|
Generation Method
|
Maintenance Mode
|
|
Static ARP entry
|
Manually configured
|
Manual maintenance
|
|
Dynamic ARP entry
|
Dynamically generated
|
ARP entries of this type age with time.
The aging period is set by the ARP aging timer.
|
Figure 1-2 ARP process
Suppose that Host A and Host B are on the
same subnet and that Host A sends a message to Host B. The resolution process
is as follows:
1)
Host A looks in its ARP mapping table to see whether
there is an ARP entry for Host B. If Host A finds it, Host A uses the MAC
address in the entry to encapsulate the IP packet into a data link layer frame
and sends the frame to Host B.
2)
If Host A finds no entry for Host B, Host A
buffers the packet and broadcasts an ARP request, in which the source IP
address and source MAC address are respectively the IP address and MAC address
of Host A and the destination IP address and MAC address are respectively the
IP address of Host B and an all-zero MAC address. Because the ARP request is
sent in broadcast mode, all hosts on this subnet can receive the request, but
only the requested host (namely, Host B) will process the request.
3)
Host B compares its own IP address with the
destination IP address in the ARP request. If they are the same, Host B saves
the source IP address and source MAC address into its ARP mapping table,
encapsulates its MAC address into an ARP reply, and unicasts the reply to Host
A.
4)
After receiving the ARP reply, Host A adds the
MAC address of Host B into its ARP mapping table for subsequent packet
forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.
Usually ARP dynamically implements and
automatically seeks mappings from IP addresses to MAC addresses, without manual
intervention.
1.1.5 Introduction to ARP Source MAC Address
Consistency Check
An attacker may use the IP or MAC address
of another host as the sender IP or MAC address of ARP packets. These ARP
packets can cause other network devices to update the corresponding ARP entries
incorrectly, thus interrupting network traffic.
To prevent such attacks, you can configure
ARP source MAC address consistency check on S3100 series Ethernet switches
(operating as gateways). With this function, the device can verify whether an
ARP packet is valid by checking the sender MAC address of the ARP packet
against the source MAC address in the Ethernet header.
l
If they are consistent, the packet passes the
check and the switch learns the ARP entry.
l
If they are not consistent, the ARP packet is
considered invalid and the corresponding ARP entry is not learned.
I. Man-in-the-middle attack
According to the ARP design, after
receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into
its ARP mapping table even if the MAC address is not the real one. This can
reduce the ARP traffic in the network, but it also makes ARP spoofing possible.
In Figure 1-3, Host A communicates with Host
C through a switch. To intercept the traffic between Host A and Host C, the
hacker (Host B) forwards invalid ARP reply messages to Host A and Host C
respectively, causing the two hosts to update the MAC address corresponding to the
peer IP address in their ARP tables with the MAC address of Host B. Then, the traffic
between Host A and C will pass through Host B which acts like a
“man-in-the-middle” that may intercept and modify the communication
information. Such attack is called man-in-the-middle attack.
Figure 1-3 Network diagram for ARP
man-in-the-middle attack
II. ARP attack detection
To guard against the man-in-the-middle
attacks launched by hackers or attackers, S3100 series Ethernet switches
support the ARP attack detection function. All ARP (both request and response)
packets passing through the switch are redirected to the CPU, which checks the
validity of all the ARP packets by using the DHCP snooping table or the
manually configured IP binding table. For description of DHCP snooping table
and the manually configured IP binding table, refer to the DHCP snooping section
in the part discussing DHCP in this manual.
After you enable the ARP attack detection
function, the switch will check the following items of an ARP packet: the
source MAC address, source IP address, port number of the port receiving the
ARP packet, and the ID of the VLAN the port resides. If these items match the
entries of the DHCP snooping table or the manual configured IP binding table,
the switch will forward the ARP packet; if not, the switch discards the ARP packet.
l
With trusted ports configured, ARP packets
coming from the trusted ports will not be checked, while those from other ports
will be checked through the DHCP snooping table or the manually configured IP
binding table.
l
With the ARP restricted forwarding function
enabled, ARP request packets are forwarded through trusted ports only; ARP
response packets are forwarded according to the MAC addresses in the packets,
or through trusted ports if the MAC address table contains no such destination
MAC addresses.
To prevent the
man-in-the-middle attack, a switch enabled with the ARP attack detection
function delivers ARP packets to the CPU to check the validity of the packets. However,
this causes a new problem: If an attacker sends a large number of ARP packets
to a port of a switch, the CPU will get overloaded, causing other functions to
fail, and even the whole device to break down. To guard against such attacks, S3100
series Ethernet switches support the ARP packets rate limit function, which
will shut down the attacked port, thus preventing serious impact on the CPU.
With this function enabled on a port, the
switch will count the ARP packets received on the port within each second. If
the number of ARP packets received on the port per second exceeds the
preconfigured value, the switch considers that the port is attacked by ARP
packets. In this case, the switch will shut down the port. As the port does not
receive any packet, the switch is protected from the ARP packet attack.
At the same time, the switch supports
automatic recovery of port state. If a port is shut down by the switch due to
high packet rate, the port will revert to the Up state after a configured
period of time.
The following are
the characteristics of gratuitous ARP packets:
l
Both source and destination IP addresses carried
in a gratuitous ARP packet are the local addresses, and the source MAC address
carried in it is the local MAC addresses.
l
If a device finds that the IP addresses carried
in a received gratuitous packet conflict with those of its own, it returns an
ARP response to the sending device to notify of the IP address conflict.
By sending gratuitous ARP packets, a
network device can:
l
Determine whether or not IP address conflicts
exist between it and other network devices.
l
Trigger other network devices to update its
hardware address stored in their caches.
The gratuitous ARP packet learning
function:
When the gratuitous ARP packet learning
function is enabled on a switch and the switch receives a gratuitous ARP
packet, the switch can add the information carried in the packet to its own
dynamic ARP mapping table if it finds no corresponding ARP entry for the ARP
packet in the cache.
1.2 ARP
Configuration
Table 1-4
Configure ARP basic functions
|
Operation
|
Command
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Add a static ARP entry
|
arp static ip-address mac-address [ vlan-id
interface-type interface-number ]
|
Optional
By default, the ARP mapping table is
empty, and the address mapping entries are created dynamically by ARP.
|
|
Configure the ARP aging timer
|
arp timer aging aging-time
|
Optional
By default, the ARP aging timer is set to
20 minutes.
|
|
Enable the
ARP entry checking function (that is, disable the switch from learning ARP
entries with multicast MAC addresses)
|
arp
check enable
|
Optional
By
default, the ARP entry checking function is enabled.
|
Caution:
l
Static ARP entries are valid as long as the Ethernet
switch operates normally. But some operations, such as removing a VLAN, or
removing a port from a VLAN, will make the corresponding ARP entries invalid
and therefore removed automatically.
l
As for the arp static command, the value
of the vlan-id argument must be the ID of an existing VLAN, and the port
identified by the interface-type and interface-number arguments must
belong to the VLAN.
l
Currently, static ARP entries cannot be
configured on the ports of an aggregation group.
Table 1-5
Configure ARP Source MAC Address Consistency Check
|
To do…
|
Use the command…
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enable ARP source MAC address consistency
check
|
arp anti-attack
valid-check enable
|
Required
Disabled by default.
|
Table 1-6
Configure the ARP attack detection function
|
Operation
|
Command
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enable DHCP snooping
|
dhcp-snooping
|
Required
By default, the DHCP snooping function is
disabled.
|
|
Enter Ethernet port view
|
interface interface-type interface-number
|
—
|
|
Specify the current port as a trusted
port
|
dhcp-snooping trust
|
Required
By default, after DHCP snooping is
enabled, all ports of a switch are untrusted ports.
|
|
Quit to system view
|
quit
|
—
|
|
Enter VLAN view
|
vlan vlan-id
|
—
|
|
Enable the ARP attack detection function
|
arp detection enable
|
Required
By default, ARP attack detection is
disabled on all ports.
|
|
Quit to system view
|
quit
|
—
|
|
Enter Ethernet port view
|
interface interface-type interface-number
|
—
|
|
Configure the port as an ARP trusted port
|
arp detection trust
|
Optional
By default, a port is an untrusted port.
|
|
Quit to system view
|
quit
|
—
|
|
Enter VLAN view
|
vlan vlan-id
|
—
|
|
Enable ARP restricted forwarding
|
arp restricted-forwarding enable
|
Optional
By default, the ARP restricted forwarding
function is disabled. The device forwards legal ARP packets through all its ports.
|
l
You need to enable DHCP snooping and configure DHCP
snooping trusted ports on the switch before configuring the ARP attack
detection function. For more information about DHCP snooping, refer to the DHCP
snooping section in the part discussing DHCP in this manual.
l
Generally, the uplink port of a switch is
configured as a trusted port.
l
Before enabling ARP restricted forwarding, make
sure you enable ARP attack detection and configure ARP trusted ports.
l
Currently, the VLAN ID of an IP-to-MAC binding
configured on a port of an S3100 series Ethernet switch is the same as the default
VLAN ID of the port. If the VLAN tag of an ARP packet is different from the default
VLAN ID of the receiving port, the ARP packet cannot pass the ARP attack
detection based on the IP-to-MAC bindings.
l
When you use the ARP attack detection in
cooperation with VLAN mapping, you need to enable ARP attack detection in both
the original VLAN and the mapped VLAN. For more information about VLAN mapping,
refer to VLAN-VPN Operation in this manual.
l
You are not recommended to configure ARP attack
detection on the ports of an aggregation group.
Table 1-7
Configure the ARP packet rate limit function
|
Operation
|
Command
|
Remarks
|
|
Enter system view
|
system-view
|
—
|
|
Enter Ethernet port view
|
interface interface-type interface-number
|
—
|
|
Enable the ARP packet rate limit function
|
arp rate-limit enable
|
Required
By default, the ARP packet rate limit
function is disabled on a port.
|
|
Configure the maximum ARP packet rate
allowed on the port
|
arp rate-limit rate
|
Optional
By default, the maximum ARP packet rate
allowed on a port is 15 pps.
|
|
Quit to system view
|
quit
|
—
|
|
Enable the port state auto-recovery
function
|
arp protective-down recover enable
|
Optional
By default, the port state auto-recovery
function is disabled.
|
|
Configure the port state auto-recovery
interval
|
arp protective-down recover interval interval
|
Optional
By default, when the port state
auto-recovery function is enabled, the port state auto-recovery interval is
300 seconds.
|
l
You need to enable the port state auto-recovery
feature before you can configure the port state auto-recovery interval.
l
You are not recommended to configure the ARP
packet rate limit function on the ports of an aggregation group.
1.3 Gratuitous ARP Packet Configuration
Table 1-8 Configure
the gratuitous ARP packet
|
Operation
|
Command
|
Remarks
|
|
Enter
system view
|
system-view
|
—
|
|
Enable the
gratuitous ARP packet learning function
|
gratuitous-arp-learning
enable
|
Optional
By
default, the gratuitous ARP packet learning function is disabled.
|
The sending of
gratuitous ARP packets is enabled as long as an S3100 switch operates. No
command is needed for enabling this function. That is, the device sends
gratuitous ARP packets whenever a VLAN interface is enabled (such as when a
link is enabled or an IP address is configured for the VLAN interface) or
whenever the IP address of a VLAN interface is changed.
After the above configuration, you can execute
the display command in any view to display the running of the ARP
configuration, and to verify the effect of the configuration.
You can execute the reset command in
user view to clear ARP entries.
Table 1-9 Display
and debug ARP
|
Operation
|
Command
|
Remarks
|
|
Display specific ARP mapping table
entries
|
display arp [ static | dynamic | ip-address ]
|
Available in any view.
|
|
Display the ARP mapping entries related
to a specified string in a specified way
|
display arp [ dynamic | static ] | { begin | include
| exclude } regular-expression
|
|
Display the number of the ARP entries of
a specified type
|
display arp count [ [ dynamic | static ] [ | {
begin | include | exclude } regular-expression
] | ip-address ]
|
|
Display the statistics about the untrusted
ARP packets dropped by the specified port
|
display arp
detection statistics interface interface-type
interface-number
|
|
Display the setting of the ARP aging
timer
|
display arp timer aging
|
|
Clear specific ARP entries
|
reset arp
[ dynamic | static | interface interface-type
interface-number ]
|
Available in user view.
|
1.5.1 ARP Basic
Configuration Example
I. Network requirement
l
Disable ARP entry check on the switch.
l
Set the aging time for dynamic ARP entries to 10
minutes.
l
Add a static ARP entry, with the IP address
being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port
being Ethernet1/0/10 of VLAN 1.
II. Configuration procedure
<Sysname> system-view
[Sysname] undo arp check enable
[Sysname] arp timer aging 10
[Sysname] arp static 192.168.1.1 000f-e201-0000
1 Ethernet1/0/10
I. Network requirements
As shown in Figure 1-4, Ethernet1/0/1 of Switch A (S3100)
connects to DHCP Server; Ethernet1/0/2 connects to Client A, Ethernet1/0/3
connects to Client B. Ethernet1/0/1, Ethernet1/0/2 and Ethernet1/0/3 belong to
VLAN 1.
l
Enable DHCP snooping on Switch A and specify
Ethernet1/0/1 as the DHCP snooping trusted port.
l
Enable ARP attack detection in VLAN 1 to prevent
ARP man-in-the-middle attacks, and specify Ethernet1/0/1 as the ARP trusted
port.
l
Enable the ARP packet rate limit function on
Ethernet1/0/2 and Ethernet1/0/3 of Switch A, so as to prevent Client A and Client
B from attacking Switch A through ARP traffic.
l
Enable the port state auto recovery function on
the ports of Switch A, and set the recovery interval to 200 seconds.
II. Network diagram
Figure 1-4 ARP attack detection and
packet rate limit configuration
III. Configuration procedure
# Enable DHCP snooping on Switch A.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify Ethernet1/0/1 as the DHCP
snooping trusted port and the ARP trusted port.
[SwitchA] interface Ethernet1/0/1
[SwitchA-Ethernet1/0/1] dhcp-snooping
trust
[SwitchA-Ethernet1/0/1] arp detection
trust
[SwitchA-Ethernet1/0/1] quit
# Enable ARP attack detection on all ports
in VLAN 1.
[SwitchA] vlan 1
[SwitchA-vlan1] arp detection enable
[SwitchA-vlan1] quit
# Enable the ARP packet rate limit function
on Ethernet1/0/2, and set the maximum ARP packet rate allowed on the port to 20
pps.
[SwitchA] interface Ethernet1/0/2
[SwitchA-Ethernet1/0/2] arp
rate-limit enable
[SwitchA-Ethernet1/0/2] arp
rate-limit 20
[SwitchA-Ethernet1/0/2] quit
# Enable the ARP packet rate limit function
on Ethernet1/0/3, and set the maximum ARP packet rate allowed on the port to 50
pps.
[SwitchA] interface Ethernet1/0/3
[SwitchA-Ethernet1/0/3] arp
rate-limit enable
[SwitchA-Ethernet1/0/3] arp
rate-limit 50
[SwitchA-Ethernet1/0/3] quit
# Configure the port state auto recovery
function, and set the recovery interval to 200 seconds.
[SwitchA] arp protective-down recover
enable
[SwitchA] arp protective-down recover
interval 200
