H3C Low-End Ethernet Switches Configuration Guide (V1.01)
21-ARP Configuration Guide
ARP Attack Detection and Packet Rate Limit Configuration Example
Network Diagram
Figure 1-1 ARP attack detection and packet rate limit configuration
Networking and Configuration Requirements
As shown in Figure 1-1, Ethernet 1/0/1 of Switch A connects to the DHCP server, Ethernet 1/0/2 connects to Client A, and Ethernet 1/0/3 connects to Client B. Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 all belong to VLAN 1.
• Enable DHCP snooping on Switch A and specify Ethernet 1/0/1 as the DHCP snooping trusted port.
• Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks, and specify Ethernet 1/0/1 as the ARP trusted port.
• Enable the ARP packet rate limit function on Ethernet 1/0/2 and Ethernet 1/0/3 of Switch A, so that Client A and Client B cannot attack Switch A with excessive ARP traffic.
• Enable the port state auto recovery function on the ports of Switch A, and set the recovery interval to 200 seconds.
Applicable Product Matrix
Product series | Software version | Hardware version
---|---|---
S5600 series Ethernet switches | Release 1602 | All versions
S3600-SI/EI series Ethernet switches | Release 1602 | All versions
S3100-EI series Ethernet switches | Release 2104, Release 2107 | All versions
S3100-52P | Release 1602 | S3100-52P
Configuration procedure
# Enable DHCP snooping on Switch A.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify Ethernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
[SwitchA] interface Ethernet1/0/1
[SwitchA-Ethernet1/0/1] dhcp-snooping trust
[SwitchA-Ethernet1/0/1] arp detection trust
[SwitchA-Ethernet1/0/1] quit
# Enable ARP attack detection on all ports in VLAN 1.
[SwitchA] vlan 1
[SwitchA-vlan1] arp detection enable
# Enable the ARP packet rate limit function on Ethernet 1/0/2, and set the maximum ARP packet rate allowed on the port to 20 pps.
[SwitchA] interface Ethernet1/0/2
[SwitchA-Ethernet1/0/2] arp rate-limit enable
[SwitchA-Ethernet1/0/2] arp rate-limit 20
[SwitchA-Ethernet1/0/2] quit
# Enable the ARP packet rate limit function on Ethernet 1/0/3, and set the maximum ARP packet rate allowed on the port to 50 pps.
[SwitchA] interface Ethernet1/0/3
[SwitchA-Ethernet1/0/3] arp rate-limit enable
[SwitchA-Ethernet1/0/3] arp rate-limit 50
[SwitchA-Ethernet1/0/3] quit
# Configure the port state auto recovery function, and set the recovery interval to 200 seconds.
[SwitchA] arp protective-down recover enable
[SwitchA] arp protective-down recover interval 200
Complete Configuration
#
arp protective-down recover enable
arp protective-down recover interval 200
#
vlan 1
arp detection enable
#
interface Ethernet1/0/1
dhcp-snooping trust
arp detection trust
#
interface Ethernet1/0/2
arp rate-limit enable
arp rate-limit 20
#
interface Ethernet1/0/3
arp rate-limit enable
arp rate-limit 50
#
dhcp-snooping
#
Precautions
• You must enable DHCP snooping and configure the DHCP snooping trusted ports on the switch before configuring the ARP attack detection function.
• You must enable the port state auto recovery function before you can configure the port state auto recovery interval.
• Generally, the uplink port of a switch is configured as a trusted port.
• It is not recommended to configure the ARP attack detection or ARP packet rate limit function on the ports of a fabric or an aggregation group.
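The following is an added illustration (not H3C code) that models the two checks Switch A applies after the configuration above: ARP attack detection validates the sender IP/MAC of ARP packets from untrusted ports against DHCP snooping bindings, and the ARP packet rate limit shuts a port down when it exceeds its pps limit until the 200-second auto recovery interval elapses. The binding, MAC and IP values are constructed.

```python
# Model of ARP attack detection (sender IP/MAC checked against DHCP snooping
# bindings, trusted port exempt) and per-port ARP rate limiting with
# protective-down auto recovery, as configured on Switch A above.
# Added illustration, not H3C code; binding, MAC and IP values are constructed.
from collections import Counter

class SwitchA:
    def __init__(self):
        self.bindings = set()                    # (ip, mac, vlan, port) from DHCP snooping
        self.arp_trusted = {"Ethernet1/0/1"}     # arp detection trust
        self.detection_vlans = {1}               # arp detection enable in VLAN 1
        self.rate_limit = {"Ethernet1/0/2": 20, "Ethernet1/0/3": 50}  # arp rate-limit (pps)
        self.recover_interval = 200              # arp protective-down recover interval
        self.down_until = {}                     # port -> second the port comes back up
        self.seen = Counter()                    # (port, second) -> ARP packets counted

    def detect(self, port, vlan, sender_ip, sender_mac):
        """ARP attack detection: on an untrusted port in a detection VLAN the
        sender IP/MAC must match a binding learned on that same port."""
        if vlan not in self.detection_vlans or port in self.arp_trusted:
            return True
        return (sender_ip, sender_mac, vlan, port) in self.bindings

    def rate_check(self, port, now):
        """ARP packet rate limit: exceeding the configured pps shuts the port
        down; auto recovery reopens it after recover_interval seconds."""
        if port in self.down_until:
            if now < self.down_until[port]:
                return False                     # still protectively down
            del self.down_until[port]            # interval elapsed: recovered
        limit = self.rate_limit.get(port)
        if limit is None:
            return True
        self.seen[(port, now)] += 1
        if self.seen[(port, now)] > limit:
            self.down_until[port] = now + self.recover_interval
            return False
        return True

    def handle_arp(self, port, vlan, sender_ip, sender_mac, now):
        return self.rate_check(port, now) and self.detect(port, vlan, sender_ip, sender_mac)

def demo():
    sw = SwitchA()
    a = ("10.1.1.2", "00-e0-fc-00-00-0a")        # Client A's DHCP lease (constructed)
    sw.bindings.add((a[0], a[1], 1, "Ethernet1/0/2"))
    legit = sw.handle_arp("Ethernet1/0/2", 1, *a, now=0)
    spoof = sw.handle_arp("Ethernet1/0/3", 1, a[0], "00-e0-fc-00-00-0b", 0)  # B claims A's IP
    server = sw.handle_arp("Ethernet1/0/1", 1, "10.1.1.1", "00-e0-fc-00-00-01", 0)  # trusted
    flood = sum(sw.handle_arp("Ethernet1/0/2", 1, *a, now=1) for _ in range(25))  # 25 pps
    recovered = sw.handle_arp("Ethernet1/0/2", 1, *a, now=201)  # 200 s after shutdown
    return legit, spoof, server, flood, recovered
```

Only 20 of the 25 packets sent in one second on Ethernet 1/0/2 are forwarded; the port then stays down until the recovery interval has passed.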
Proxy ARP Configuration Example
Network diagram
Figure 1-2 Network diagram for proxy ARP
Network requirements
• Host A belongs to VLAN 1 and has the IP address 192.168.10.100/16; Host D belongs to VLAN 2 and has the IP address 192.168.20.100/16.
• The IP address of VLAN-interface 1 is 192.168.10.99/24, and that of VLAN-interface 2 is 192.168.20.99/24.
Applicable Product Matrix
Product series | Software version | Hardware version
---|---|---
S5600 series Ethernet switches | Release 1602 | All versions
S3600-SI/EI series Ethernet switches | Release 1602 | All versions
Configuration procedure
# Configure the IP address of VLAN-interface 1 to be 192.168.10.99/24, and enable proxy ARP on VLAN-interface 1.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.10.99 255.255.255.0
[Switch-Vlan-interface1] arp proxy enable
[Switch-Vlan-interface1] quit
# Configure the IP address of VLAN-interface 2 to be 192.168.20.99/24, and enable proxy ARP on VLAN-interface 2.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.20.99 255.255.255.0
[Switch-Vlan-interface2] arp proxy enable
[Switch-Vlan-interface2] quit
Complete Configuration
#
interface Vlan-interface1
arp proxy enable
ip address 192.168.10.99 255.255.255.0
#
interface Vlan-interface2
arp proxy enable
ip address 192.168.20.99 255.255.255.0
#
Precautions
None
Proxy ARP Configuration in Port Isolation Application
Network diagram
Figure 1-3 Network diagram for Proxy ARP configuration in port isolation application
Network requirements
• Switch A is connected to Switch B through Ethernet 1/0/1.
• Ethernet 1/0/2 and Ethernet 1/0/3 on Switch B belong to the same VLAN but are assigned to the port isolation group. The two ports are connected to Host A and Host B respectively.
• Configure proxy ARP on Switch A so that Host A and Host B, which are isolated at Layer 2, can communicate with each other at Layer 3.
Applicable Product Matrix
Product series | Software version | Hardware version
---|---|---
S5600 series Ethernet switches | Release 1602 | All versions
S3600-SI/EI series Ethernet switches | Release 1602 | All versions
Configuration procedure
1) Configure Switch B
# Add Ethernet 1/0/1, Ethernet 1/0/2 and Ethernet 1/0/3 to VLAN 2.
<SwitchB> system-view
[SwitchB] vlan 2
[SwitchB-vlan2] port ethernet 1/0/1
[SwitchB-vlan2] port ethernet 1/0/2
[SwitchB-vlan2] port ethernet 1/0/3
[SwitchB-vlan2] quit
# Prevent Host A and Host B from communicating with each other at Layer 2.
For details about port isolation, refer to the part discussing port isolation.
[SwitchB] interface ethernet 1/0/2
[SwitchB-Ethernet1/0/2] port isolate
[SwitchB-Ethernet1/0/2] quit
[SwitchB] interface ethernet 1/0/3
[SwitchB-Ethernet1/0/3] port isolate
[SwitchB-Ethernet1/0/3] quit
2) Configure Switch A
# Configure the IP address of VLAN-interface 2 to be 192.168.10.100/16.
[SwitchA] vlan 2
[SwitchA-vlan2] port ethernet 1/0/1
[SwitchA-vlan2] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.10.100 255.255.0.0
# Configure proxy ARP on VLAN-interface 2, enabling Host A and Host B to communicate at Layer 3.
[SwitchA-Vlan-interface2] arp proxy enable
[SwitchA-Vlan-interface2] quit
Complete Configuration
1) Configuration on Switch B
#
vlan 2
#
interface Ethernet1/0/1
port access vlan 2
#
interface Ethernet1/0/2
port access vlan 2
port isolate
#
interface Ethernet1/0/3
port access vlan 2
port isolate
#
2) Configuration on Switch A
#
vlan 2
#
interface Vlan-interface2
arp proxy enable
ip address 192.168.10.100 255.255.0.0
#
interface Ethernet1/0/1
port access vlan 2
#
Precautions
For details about port isolation, refer to the part discussing port isolation.
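The following is an added illustration (not H3C code) of the proxy ARP behaviour in both proxy ARP examples above (Figure 1-2 and Figure 1-3): a host whose subnet mask makes the destination look local sends an ARP request for it, and the switch answers with its own MAC address when proxy ARP is enabled on the ingress VLAN interface and the target lies in a subnet the switch is attached to. The switch MAC addresses and Host B's IP address are constructed.

```python
# Model of proxy ARP as used in the two examples above: a host with a wide
# mask ARPs for a destination in another subnet (or behind an isolated port),
# and the switch replies with its own MAC if proxy ARP is on and it can reach
# the target. Added illustration, not H3C code; MACs and Host B's IP constructed.
import ipaddress

def host_resolves_directly(host_cidr, dst_ip):
    """A host ARPs for dst_ip itself only when dst_ip falls inside its own
    configured subnet; otherwise it hands the packet to its default gateway."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_interface(host_cidr).network

class ProxyArpSwitch:
    def __init__(self, mac):
        self.mac = mac
        self.vlan_ifs = {}                       # vlan -> (interface subnet, proxy ARP on)

    def add_vlan_interface(self, vlan, cidr, proxy_on):
        """interface vlan-interface N / ip address ... / arp proxy enable"""
        self.vlan_ifs[vlan] = (ipaddress.ip_interface(cidr).network, proxy_on)

    def reachable_via(self, target_ip):
        """VLAN whose interface subnet contains target_ip, or None."""
        ip = ipaddress.ip_address(target_ip)
        return next((v for v, (net, _) in self.vlan_ifs.items() if ip in net), None)

    def arp_reply(self, in_vlan, target_ip):
        """Return the MAC the switch answers with, or None if it stays silent.
        It answers for target_ip only when proxy ARP is enabled on the ingress
        VLAN interface and target_ip sits in a directly attached subnet (another
        VLAN interface, or the same one in the port isolation case)."""
        _, proxy_on = self.vlan_ifs[in_vlan]
        if not proxy_on or self.reachable_via(target_ip) is None:
            return None
        return self.mac

def demo():
    sw = ProxyArpSwitch("00-e0-fc-00-00-ff")               # Figure 1-2 switch
    sw.add_vlan_interface(1, "192.168.10.99/24", True)
    sw.add_vlan_interface(2, "192.168.20.99/24", True)
    host_a, host_d = "192.168.10.100/16", "192.168.20.100"
    a_arps = host_resolves_directly(host_a, host_d)        # /16 mask: D looks local
    answered = sw.arp_reply(1, host_d)                      # switch replies for D
    unreachable = sw.arp_reply(1, "10.9.9.9")               # no attached subnet
    sw.add_vlan_interface(1, "192.168.10.99/24", False)     # proxy ARP off again
    silent = sw.arp_reply(1, host_d)
    iso = ProxyArpSwitch("00-e0-fc-00-00-aa")              # Figure 1-3 Switch A
    iso.add_vlan_interface(2, "192.168.10.100/16", True)
    isolated = iso.arp_reply(2, "192.168.10.2")             # Host B, same VLAN
    return a_arps, answered, unreachable, silent, isolated
```

With a /24 mask Host A would not ARP for Host D at all but would send to its gateway, which is why the /16 host masks in Figure 1-2 are what make proxy ARP necessary.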