09-Security Configuration Guide

HomeSupportResource CenterSwitchesH3C S6300 Switch SeriesH3C S6300 Switch SeriesTechnical DocumentsConfigureConfiguration GuidesH3C S6300 Switch Series Configuration Guides-Release 243x-6W10009-Security Configuration Guide
13-ARP attack protection configuration
Title Size Download
13-ARP attack protection configuration 209.56 KB

Contents

Configuring ARP attack protection· 1

ARP attack protection configuration task list 1

Configuring unresolvable IP attack protection· 1

Configuring ARP source suppression· 2

Configuring ARP blackhole routing· 2

Displaying and maintaining unresolvable IP attack protection· 2

Configuration example· 3

Configuring ARP packet rate limit 3

Configuration guidelines· 4

Configuration procedure· 4

Configuring source MAC-based ARP attack detection· 4

Configuration procedure· 5

Displaying and maintaining source MAC-based ARP attack detection· 5

Configuration example· 5

Configuring ARP packet source MAC consistency check· 6

Configuring ARP active acknowledgement 7

Configuring authorized ARP· 7

Configuration procedure· 7

Configuring ARP attack detection· 8

Configuring user validity check· 8

Configuring ARP packet validity check· 9

Configuring ARP restricted forwarding· 9

Enabling ARP attack detection logging· 10

Displaying and maintaining ARP attack detection· 10

User validity check and ARP packet validity check configuration example· 11

ARP restricted forwarding configuration example· 12

Configuring ARP scanning and fixed ARP· 14

Configuration restrictions and guidelines· 14

Configuration procedure· 14

Configuring ARP gateway protection· 14

Configuration guidelines· 15

Configuration procedure· 15

Configuration example· 15

Configuring ARP filtering· 16

Configuration guidelines· 16

Configuration procedure· 16

Configuration example· 16

Configuring ARP sender IP address checking· 17

 


Configuring ARP attack protection

ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks.

Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:

·           Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.

·           Sends a large number of unresolvable IP packets to have the receiving device busy with resolving IP addresses until its CPU is overloaded. Unresolvable IP packets refer to IP packets for which ARP cannot find corresponding MAC addresses.

·           Sends a large number of ARP packets to overload the CPU of the receiving device.

For more information about ARP attack features and types, see ARP Attack Protection Technology White Paper.

ARP attack protection configuration task list

Tasks at a glance

Flood prevention:

·          Configuring unresolvable IP attack protection (configured on gateways)

¡  Configuring ARP source suppression

¡  Configuring ARP blackhole routing

·          Configuring ARP packet rate limit (configured on access devices)

·          Configuring source MAC-based ARP attack detection (configured on gateways)

User and gateway spoofing prevention:

·          Configuring ARP packet source MAC consistency check (configured on gateways)

·          Configuring ARP active acknowledgement (configured on gateways)

·          Configuring authorized ARP (configured on gateways)

·          Configuring ARP attack detection (configured on access devices)

·          Configuring ARP scanning and fixed ARP (configured on gateways)

·          Configuring ARP gateway protection (configured on access devices)

·          Configuring ARP filtering (configured on access devices)

·          Configuring ARP sender IP address checking (configured on gateways)

 

Configuring unresolvable IP attack protection

If a device receives a large number of unresolvable IP packets from a host, the following situations can occur:

·           The device sends a large number of ARP requests, overloading the target subnets.

·           The device keeps trying to resolve target IP addresses, overloading its CPU.

To protect the device from such IP attacks, you can configure the following features:

·           ARP source suppressionStops resolving packets from a host if the number of unresolvable IP packets from the host exceeds the upper limit within 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.

·           ARP blackhole routingCreates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer (25 seconds) is reached or the route becomes reachable.

After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request. If the resolution fails, the device continues probing according to the probe settings. If the IP address resolution succeeds in a probe, the device converts the blackhole route to a normal route. If an ARP blackhole route ages out before the device finishes all probes, the device deletes the blackhole route and does not perform the remaining probes.

This feature is applicable regardless of whether the attack packets have the same source addresses.

Configuring ARP source suppression

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enable ARP source suppression.

arp source-suppression enable

By default, ARP source suppression is disabled.

3.      Set the maximum number of unresolvable packets that the device can receive from a host within 5 seconds.

arp source-suppression limit limit-value

By default, the maximum number is 10.

 

Configuring ARP blackhole routing

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enable ARP blackhole routing.

arp resolving-route enable

By default, ARP blackhole routing is enabled.

3.      (Optional.) Set the interval at which the device probes ARP blackhole routes.

arp resolving-route probe-interval interval

The default setting is 1 second.

4.      (Optional.) Set the number of ARP blackhole route probes.

arp resolving-route probe-count count

The default setting is one probe.

 

Displaying and maintaining unresolvable IP attack protection

Execute display commands in any view.

 

Task

Command

Display ARP source suppression configuration information.

display arp source-suppression

 

Configuration example

Network requirements

As shown in Figure 1, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch.

A large number of ARP requests are detected in the office area and are considered as the consequence of an unresolvable IP attack. To prevent the attack, configure ARP source suppression or ARP blackhole routing.

Figure 1 Network diagram

 

Configuration procedure

·           If the attack packets have the same source address, configure ARP source suppression:

# Enable ARP source suppression.

<Device> system-view

[Device] arp source-suppression enable

# Configure the device to receive a maximum of 100 unresolvable packets from a host in 5 seconds.

[Device] arp source-suppression limit 100

·           If the attack packets have different source addresses, configure ARP blackhole routing:

# Enable ARP blackhole routing.

[Device] arp resolving-route enable

Configuring ARP packet rate limit

The ARP packet rate limit feature allows you to limit the rate of ARP packets delivered to the CPU. An ARP attack detection-enabled device will send all received ARP packets to the CPU for inspection. Processing excessive ARP packets will make the device malfunction or even crash. To solve this problem, configure ARP packet rate limit.

Configuration guidelines

Configure this feature when MFF, ARP fast-reply, ARP attack detection, or ARP snooping is enabled, or when ARP flood attacks are detected.

Configuration procedure

This task sets a rate limit for ARP packets received on an interface. When the number of ARP packets that the interface receives within a period exceeds the rate limit, those packets are discarded.

You can enable sending of notifications to the SNMP module or enable logging for ARP packet rate limit.

·           If notification sending is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a notification to the SNMP module. You must use the snmp-agent target-host command to set the notification type and target host. For more information about notifications, see Network Management and Monitoring Command Reference.

·           If logging for ARP packet rate limit is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide.

To configure ARP packet rate limit:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      (Optional.) Enable notification sending for ARP packet rate limit.

snmp-agent trap enable arp [ rate-limit ]

By default, notification sending for ARP packet rate limit is disabled.

3.      (Optional.) Enable logging for ARP packet rate limit.

arp rate-limit log enable

By default, logging for ARP packet rate limit is disabled.

4.      (Optional.) Set the notification and log message sending interval.

arp rate-limit log interval seconds

By default, the device sends notifications and log messages at an interval of 60 seconds.

5.      Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.

interface interface-type interface-number

N/A

6.      Enable ARP packet rate limit and configure the rate limit.

arp rate-limit [ pps ]

By default, ARP packet rate limit is enabled, and the rate limit is 100 pps.

 

 

NOTE:

If you enable notification sending and logging for ARP packet rate limit on a Layer 2 aggregate interface, the features apply to all aggregation member ports.

 

Configuring source MAC-based ARP attack detection

This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry. Before the entry is aged out, the device handles the attack by using either of the following methods:

·           MonitorOnly generates log messages.

·           Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.

You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.

Configuration procedure

To configure source MAC-based ARP attack detection:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enable source MAC-based ARP attack detection and specify the handling method.

arp source-mac { filter | monitor }

By default, this feature is disabled.

3.      Configure the threshold.

arp source-mac threshold threshold-value

The default threshold is 30.

4.      Configure the aging timer for ARP attack entries.

arp source-mac aging-time time

By default, the lifetime is 300 seconds.

5.      (Optional.) Exclude specific MAC addresses from this detection.

arp source-mac exclude-mac mac-address&<1-10>

By default, no MAC address is excluded.

 

 

NOTE:

When an ARP attack entry is aged out, ARP packets sourced from the MAC address in the entry can be processed correctly.

 

Displaying and maintaining source MAC-based ARP attack detection

Execute display commands in any view.

 

Task

Command

Display ARP attack entries detected by source MAC-based ARP attack detection.

display arp source-mac { slot slot-number | interface interface-type interface-number }

 

Configuration example

Network requirements

As shown in Figure 2, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and cannot process requests from the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.

Figure 2  Network diagram

 

Configuration considerations

An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway in the following steps:

1.      Enable source MAC-based ARP attack detection and specify the handling method as filter.

2.      Set the threshold.

3.      Set the lifetime for ARP attack entries.

4.      Exclude the MAC address of the server from this detection.

Configuration procedure

# Enable source MAC-based ARP attack detection, and specify the handling method as filter.

<Device> system-view

[Device] arp source-mac filter

# Set the threshold to 30.

[Device] arp source-mac threshold 30

# Set the lifetime to 60 seconds for ARP attack entries.

[Device] arp source-mac aging-time 60

# Exclude MAC address 0012-3f86-e94c from this detection.

[Device] arp source-mac exclude-mac 0012-3f86-e94c

Configuring ARP packet source MAC consistency check

This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.

To enable ARP packet source MAC address consistency check:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enable ARP packet source MAC address consistency check.

arp valid-check enable

By default, ARP packet source MAC address consistency check is disabled.

 

Configuring ARP active acknowledgement

Configure this feature on gateways to prevent user spoofing.

ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.

In strict mode, a gateway performs more strict validity checks before creating an ARP entry:

·           Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but does not create an ARP entry.

·           Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP address:

¡  If yes, the gateway performs active acknowledgement. When the ARP reply is verified as valid, the gateway creates an ARP entry.

¡  If no, the gateway discards the packet.

To configure ARP active acknowledgement:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enable the ARP active acknowledgement feature.

arp active-ack [ strict ] enable

By default, this feature is disabled.

 

Configuring authorized ARP

Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide.

With authorized ARP enabled, an interface is disabled from learning dynamic ARP entries. This feature prevents user spoofing and allows only authorized clients to access network resources.

Configuration procedure

To enable authorized ARP:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter VLAN interface view.

interface interface-type interface-number

N/A

3.      Enable authorized ARP on the interface.

arp authorized enable

By default, authorized ARP is disabled.

 

Configuring ARP attack detection

ARP attack detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP attack detection does not check ARP packets received from ARP trusted ports.

ARP attack detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding features.

If both ARP packet validity check and user validity check are enabled, the former one applies first, and then the latter applies.

Configuring user validity check

The device checks user validity upon receiving an ARP packet from an ARP untrusted interface as follows:

1.      Uses the user validity check rules to match the sender IP and MAC addresses of the ARP packet.

¡  If a match is found, the device processes the ARP packet according to the rule.

¡  If no match is found, proceeds to step 2.

2.      Uses static IP source guard bindings and DHCP snooping entries to match the sender IP and MAC addresses of the ARP packet.

¡  If a match is found, the device forwards the ARP packet.

¡  If no match is found, the device discards the ARP packet.

Static IP source guard bindings are created by using the ip source binding command. For more information, see "Configuring IP source guard."

DHCP snooping entries are automatically generated by DHCP snooping. For more information, see Layer 3—IP Services Configuration Guide.

Configuration guidelines

You must specify a VLAN for an IP source guard binding. Otherwise, no ARP packets can match the IP source guard binding.

Configuration procedure

To configure user validity check:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      (Optional.) Configure a user validity check rule.

arp detection rule rule-id { deny | permit } ip { any | ip-address [ ip-address-mask ] } mac { any | mac-address [ mac-address-mask ] } [ vlan vlan-id ]

By default, no user validity check rule is configured.

3.      Enter VLAN view.

vlan vlan-id

N/A

4.      Enable ARP attack detection.

arp detection enable

By default, ARP attack detection is disabled.

5.      Return to system view.

quit

N/A

6.      Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.

interface interface-type interface-number

N/A

7.      (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection.

arp detection trust

By default, an interface is untrusted.

 

Configuring ARP packet validity check

Enable validity check for ARP packets received on untrusted ports and specify the following objects to be checked:

·           src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.

·           dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

·           ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one, or multicast IP addresses are considered invalid and the corresponding packets are discarded.

To configure ARP packet validity check:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter VLAN view.

vlan vlan-id

N/A

3.      Enable ARP attack detection.

arp detection enable

By default, ARP attack detection is disabled.

4.      Return to system view.

quit

N/A

5.      Enable ARP packet validity check and specify the objects to be checked.

arp detection validate { dst-mac | ip | src-mac } *

By default, ARP packet validity check is disabled.

6.      Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.

interface interface-type interface-number

N/A

7.      (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection.

arp detection trust

By default, an interface is untrusted.

 

Configuring ARP restricted forwarding

 

NOTE:

ARP restricted forwarding does not apply to ARP packets with multiport MAC as their destination MAC addresses.

 

ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted interfaces and have passed user validity check as follows:

·           If the packets are ARP requests, they are forwarded through the trusted interface.

·           If the packets are ARP replies, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted interface.

Configure user validity check before you configure ARP restricted forwarding.

To enable ARP restricted forwarding:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter VLAN view.

vlan vlan-id

N/A

3.      Enable ARP restricted forwarding.

arp restricted-forwarding enable

By default, ARP restricted forwarding is disabled.

 

Enabling ARP attack detection logging

The ARP attack detection logging feature enables a device to generate ARP attack detection log messages when illegal ARP packets are detected. An ARP attack detection log message contains the following information:

·           Receiving interface of the ARP packets.

·           Sender IP address.

·           Total number of dropped ARP packets.

To enable ARP attack detection logging:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enable ARP attack detection logging.

arp detection log enable

By default, ARP attack detection logging is disabled.

 

Displaying and maintaining ARP attack detection

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the VLANs enabled with ARP attack detection.

display arp detection

Display the ARP attack detection statistics.

display arp detection statistics [ interface interface-type interface-number ]

Clear the ARP attack detection statistics.

reset arp detection statistics [ interface interface-type interface-number ]

 

User validity check and ARP packet validity check configuration example

Network requirements

As shown in Figure 3, configure DHCP snooping on Switch B, and enable ARP attack detection in VLAN 10. Switch B performs ARP packet validity check and user validity check based on static IP source guard bindings and DHCP snooping entries for connected hosts.

Figure 3 Network diagram

 

Configuration procedure

1.      Add all interfaces on Switch B to VLAN 10, and specify the IP address of VLAN-interface 10 on Switch A. (Details not shown.)

2.      Configure the DHCP server on Switch A, and configure DHCP address pool 0.

<SwitchA> system-view

[SwitchA] dhcp enable

[SwitchA] dhcp server ip-pool 0

[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

3.      Configure Host A (DHCP client) and Host B. (Details not shown.)

4.      Configure Switch B:

# Enable DHCP snooping.

<SwitchB> system-view

[SwitchB] dhcp snooping enable

[SwitchB] interface ten-gigabitethernet 1/0/3

[SwitchB-Ten-GigabitEthernet1/0/3] dhcp snooping trust

[SwitchB-Ten-GigabitEthernet1/0/3] quit

# Enable recording of client information in DHCP snooping entries on Ten-GigabitEthernet 1/0/1.

[SwitchB] interface ten-gigabitethernet 1/0/1

[SwitchB-Ten-GigabitEthernet1/0/1] dhcp snooping binding record

[SwitchB-Ten-GigabitEthernet1/0/1] quit

# Enable ARP attack detection for VLAN 10.

[SwitchB] vlan 10

[SwitchB-vlan10] arp detection enable

# Configure the upstream interface as a trusted interface. By default, an interface is an untrusted interface.

[SwitchB-vlan10] interface ten-gigabitethernet 1/0/3

[SwitchB-Ten-GigabitEthernet1/0/3] arp detection trust

[SwitchB-Ten-GigabitEthernet1/0/3] quit

# Configure a static IP source guard binding on interface Ten-GigabitEthernet 1/0/2 for user validity check.

[SwitchB] interface ten-gigabitethernet 1/0/2

[SwitchB-Ten-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10

[SwitchB-Ten-GigabitEthernet1/0/2] quit

# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

[SwitchB] arp detection validate dst-mac ip src-mac

After the configurations are completed, Switch B first checks the validity of ARP packets received on Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2. If the ARP packets are confirmed as valid, the switch performs user validity check by using the static IP source guard bindings and finally DHCP snooping entries.

ARP restricted forwarding configuration example

Network requirements

As shown in Figure 4, configure ARP restricted forwarding on Switch B where ARP attack detection is configured. Port isolation configured on Switch B can take effect for broadcast ARP requests.

Figure 4 Network diagram

 

Configuration procedure

1.      Configure VLAN 10, add interfaces to VLAN 10, and specify the IP address of the VLAN interface. (Details not shown.)

2.      Configure the DHCP server on Switch A, and configure DHCP address pool 0.

<SwitchA> system-view

[SwitchA] dhcp enable

[SwitchA] dhcp server ip-pool 0

[SwitchA-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0

3.      Configure Host A (DHCP client) and Host B. (Details not shown.)

4.      Configure Switch B:

# Enable DHCP snooping, and configure Ten-GigabitEthernet 1/0/3 as a DHCP-trusted port.

<SwitchB> system-view

[SwitchB] dhcp snooping enable

[SwitchB] interface ten-gigabitethernet 1/0/3

[SwitchB-Ten-GigabitEthernet1/0/3] dhcp snooping trust

[SwitchB-Ten-GigabitEthernet1/0/3] quit

# Enable ARP attack detection for user validity check.

[SwitchB] vlan 10

[SwitchB-vlan10] arp detection enable

# Configure Ten-GigabitEthernet 1/0/3 as an ARP-trusted port.

[SwitchB-vlan10] interface ten-gigabitethernet 1/0/3

[SwitchB-Ten-GigabitEthernet1/0/3] arp detection trust

[SwitchB-Ten-GigabitEthernet1/0/3] quit

# Configure a static IP source guard entry on interface Ten-GigabitEthernet 1/0/2.

[SwitchB] interface ten-gigabitethernet 1/0/2

[SwitchB-Ten-GigabitEthernet1/0/2] ip source binding ip-address 10.1.1.6 mac-address 0001-0203-0607 vlan 10

[SwitchB-Ten-GigabitEthernet1/0/2] quit

# Enable ARP packet validity check by checking the MAC addresses and IP addresses of ARP packets.

[SwitchB] arp detection validate dst-mac ip src-mac

# Configure port isolation.

[SwitchB] port-isolate group 1

[SwitchB] interface ten-gigabitethernet 1/0/1

[SwitchB-Ten-GigabitEthernet1/0/1] port-isolate enable group 1

[SwitchB-Ten-GigabitEthernet1/0/1] quit

[SwitchB] interface ten-gigabitethernet 1/0/2

[SwitchB-Ten-GigabitEthernet1/0/2] port-isolate enable group 1

[SwitchB-Ten-GigabitEthernet1/0/2] quit

After the configurations are completed, Switch B first checks the validity of ARP packets received on interfaces Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2. If the ARP packets are confirmed as valid,  the switch performs user validity check by using the static IP source guard bindings and DHCP snooping entries. However, ARP broadcast requests sent from Host A can pass the check on Switch B and reach Host B. Port isolation fails.

# Enable ARP restricted forwarding.

[SwitchB] vlan 10

[SwitchB-vlan10] arp restricted-forwarding enable

[SwitchB-vlan10] quit

After the configuration is completed, Switch B forwards ARP broadcast requests from Host A to Switch A through the trusted interface Ten-GigabitEthernet 1/0/3. Host B cannot receive such packets. Port isolation works correctly.

Configuring ARP scanning and fixed ARP

ARP scanning is typically used together with the fixed ARP feature in small-scale networks.

ARP scanning automatically creates ARP entries for devices in an address range. The device performs ARP scanning in the following steps:

1.      Sends ARP requests for each IP address in the address range.

2.      Obtains their MAC addresses through received ARP replies.

3.      Creates dynamic ARP entries.

Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning) to static ARP entries. This feature prevents ARP entries from being modified by attackers. Static ARP entries can also be manually configured by the arp static command.

Configuration restrictions and guidelines

When you configure ARP scanning and fixed ARP, follow these restrictions and guidelines:

·           IP addresses in existing ARP entries are not scanned.

·           ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

·           The arp fixup command is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.

·           Due to the limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.

·           To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. Use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.

Configuration procedure

To configure ARP scanning and fixed ARP:

 

Step

Command

1.      Enter system view.

system-view

2.      Enter VLAN interface view.

interface interface-type interface-number

3.      Trigger an ARP scanning.

arp scan [ start-ip-address to end-ip-address ]

4.      Return to system view.

quit

5.      Enable fixed ARP.

arp fixup

 

Configuring ARP gateway protection

Configure this feature on interfaces not connected to a gateway to prevent gateway spoofing attacks.

When such an interface receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet correctly.

Configuration guidelines

Follow these guidelines when you configure ARP gateway protection:

·           You can enable ARP gateway protection for a maximum of eight gateways on an interface.

·           Do not configure both the arp filter source and arp filter binding commands on an interface.

·           If ARP gateway protection works with ARP attack detection, MFF, ARP fast-reply, and ARP snooping, ARP gateway protection applies first.

Configuration procedure

To configure ARP gateway protection:

 

Step

Command

Remarks

 

1.      Enter system view.

system-view

N/A

2.      Enter Layer 2 Ethernet interface and Layer 2 aggregate interface view.

interface interface-type interface-number

N/A.

3.      Enable ARP gateway protection for the specified gateway.

arp filter source ip-address

By default, ARP gateway protection is disabled.

 

Configuration example

Network requirements

As shown in Figure 5, Host B launches gateway spoofing attacks to Switch B. As a result, traffic that Switch B intends to send to Switch A is sent to Host B.

Configure Switch B to block such attacks.

Figure 5 Network diagram

 

Configuration procedure

# Configure ARP gateway protection on Switch B.

<SwitchB> system-view

[SwitchB] interface ten-gigabitethernet 1/0/1

[SwitchB-Ten-GigabitEthernet1/0/1] arp filter source 10.1.1.1

[SwitchB-Ten-GigabitEthernet1/0/1] quit

[SwitchB] interface ten-gigabitethernet 1/0/2

[SwitchB-Ten-GigabitEthernet1/0/2] arp filter source 10.1.1.1

Verifying the configuration

# Verify that Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.

Configuring ARP filtering

The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.

An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded.

Configuration guidelines

Follow these guidelines when you configure ARP filtering:

·           You can configure a maximum of eight permitted entries on an interface.

·           Do not configure both the arp filter source and arp filter binding commands on an interface.

·           If ARP filtering works with ARP attack detection, MFF, ARP fast-reply, and ARP snooping, ARP filtering applies first.

Configuration procedure

To configure ARP filtering:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.

interface interface-type interface-number

N/A.

3.      Enable ARP filtering and configure a permitted entry.

arp filter binding ip-address mac-address

By default, ARP filtering is disabled.

 

Configuration example

Network requirements

As shown in Figure 6, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233, respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234, respectively.

Configure ARP filtering on Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 of Switch B to permit ARP packets from only Host A and Host B.

Figure 6 Network diagram

 

Configuration procedure

# Configure ARP filtering on Switch B.

<SwitchB> system-view

[SwitchB] interface ten-gigabitethernet 1/0/1

[SwitchB-Ten-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233

[SwitchB-Ten-GigabitEthernet1/0/1] quit

[SwitchB] interface ten-gigabitethernet 1/0/2

[SwitchB-Ten-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234

Verifying the configuration

# Verify that Ten-GigabitEthernet 1/0/1 permits ARP packets from Host A and discards other ARP packets.

# Verify that Ten-GigabitEthernet 1/0/2 permits ARP packets from Host B and discards other ARP packets.

Configuring ARP sender IP address checking

This feature allows a gateway to check the sender IP address of an ARP packet in a VLAN before ARP learning. If the sender IP address is within the allowed IP address range, the gateway continues ARP learning. If the sender IP address is out of the range, the gateway determines the ARP packet as an attack packet and discards it.

If Layer 3 communication is configured between the secondary VLANs associated with a primary VLAN, configure this feature in the primary VLAN. If Layer 3 communication is not configured between the secondary VLANs associated with a primary VLAN, configure this feature in the intended VLAN.

To configure the ARP sender IP address checking feature:

 

Step

Command

Remarks

1.      Enter system view.

system-view

N/A

2.      Enter VLAN view.

vlan vlan-id

N/A

3.      Enable the ARP sender IP address checking feature and specify the IP address range.

arp sender-ip-range start-ip-address end-ip-address

By default, the ARP sender IP address checking feature is disabled.