Login
- Table of Contents
-
- H3C WX3000 Series Unified Switches Switching Engine Configuration Guide-6W103
- 00-Preface
- 01-CLI Configuration
- 02-Login Configuration
- 03-Configuration File Management Configuration
- 04-VLAN Configuration
- 05-Auto Detect Configuration
- 06-Voice VLAN Configuration
- 07-GVRP Configuration
- 08-Basic Port Configuration
- 09-Link Aggregation Configuration
- 10-Port Isolation Configuration
- 11-Port Security-Port Binding Configuration
- 12-DLDP Configuration
- 13-MAC Address Table Management Configuration
- 14-MSTP Configuration
- 15-802.1x and System Guard Configuration
- 16-AAA Configuration
- 17-MAC Address Authentication Configuration
- 18-IP Address and Performance Configuration
- 19-DHCP Configuration
- 20-ACL Configuration
- 21-QoS-QoS Profile Configuration
- 22-Mirroring Configuration
- 23-ARP Configuration
- 24-SNMP-RMON Configuration
- 25-Multicast Configuration
- 26-NTP Configuration
- 27-SSH Configuration
- 28-File System Management Configuration
- 29-FTP-SFTP-TFTP Configuration
- 30-Information Center Configuration
- 31-System Maintenance and Debugging Configuration
- 32-VLAN-VPN Configuration
- 33-HWPing Configuration
- 34-DNS Configuration
- 35-Smart Link-Monitor Link Configuration
- 36-PoE-PoE Profile Configuration
- 37-Routing Protocol Configuration
- 38-UDP Helper Configuration
- 39-Acronyms
- 40-Index
| Title | Size | Download |
|---|---|---|
| 23-ARP Configuration | 93.68 KB |
Table of Contents
Introduction to ARP Attack Detection
Introduction to Gratuitous ARP
Configuring ARP Basic Functions
Configuring ARP Attack Detection
Displaying and Maintaining ARP
ARP Basic Configuration Example
ARP Attack Detection Configuration Example
l The term switch used throughout this chapter refers to a switching device in a generic sense or the switching engine of the WX3000 series.
l The sample output information in this manual was created on the WX3024. The output information on your device may vary.
Introduction to ARP
ARP Function
Address Resolution Protocol (ARP) is used to resolve an IP address into a data link layer address.
An IP address is the address of a host at the network layer. To send a network layer packet to a destination host, the device must know the data link layer address (MAC address, for example) of the destination host or the next hop. To this end, the IP address must be resolved into the corresponding data link layer address.
Unless otherwise stated, a data link layer address in this chapter refers to a 48-bit Ethernet MAC address.
ARP Message Format
ARP messages are classified as ARP request messages and ARP reply messages. Figure 1-1 illustrates the format of these two types of ARP messages.
l As for an ARP request, all the fields except the hardware address of the receiver field are set. The hardware address of the receiver is what the sender requests for.
l As for an ARP reply, all the fields are set.
Figure 1-1 ARP message format
Table 1-1 describes the fields of an ARP packet.
Table 1-1 Description on the fields of an ARP packet
|
Field |
Description |
|
Hardware Type |
Type of the hardware interface. Refer to Table 1-2 for the information about the field values. |
|
Protocol type |
Type of protocol address to be mapped. 0x0800 indicates an IP address. |
|
Length of hardware address |
Hardware address length (in bytes) |
|
Length of protocol address |
Protocol address length (in bytes) |
|
Operator |
Indicates the type of a data packets, which can be: l 1: ARP request packets l 2: ARP reply packets l 3: RARP request packets l 4: RARP reply packets |
|
Hardware address of the sender |
Hardware address of the sender |
|
IP address of the sender |
IP address of the sender |
|
Hardware address of the receiver |
l For an ARP request packet, this field is null. l For an ARP reply packet, this field carries the hardware address of the receiver. |
|
IP address of the receiver |
IP address of the receiver |
Table 1-2 Description on the values of the hardware type field
|
Value |
Description |
|
1 |
Ethernet |
|
2 |
Experimental Ethernet |
|
3 |
X.25 |
|
4 |
Proteon ProNET (Token Ring) |
|
5 |
Chaos |
|
6 |
IEEE802.X |
|
7 |
ARC network |
ARP Table
In an Ethernet, the MAC addresses of two hosts must be available for the two hosts to communicate with each other. Each host in an Ethernet maintains an ARP table, where the latest used IP address-to-MAC address mapping entries are stored. The device provides the display arp command to display the information about ARP mapping entries.
ARP entries in a device can either be static entries or dynamic entries, as described in Table 1-3.
|
ARP entry |
Generation Method |
Maintenance Mode |
|
Static ARP entry |
Manually configured |
Manual maintenance |
|
Dynamic ARP entry |
Dynamically generated |
ARP entries of this type age with time. The aging period is set by the ARP aging timer. |
ARP Process
Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B. The resolution process is as follows:
1) Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.
2) If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request, in which the source IP address and source MAC address are respectively the IP address and MAC address of Host A and the destination IP address and MAC address are respectively the IP address of Host B and an all-zero MAC address. Because the ARP request is sent in broadcast mode, all hosts on this subnet can receive the request, but only the requested host (namely, Host B) will process the request.
3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.
4) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.
Usually ARP dynamically implements and automatically seeks mappings from IP addresses to MAC addresses, without manual intervention.
Introduction to ARP Attack Detection
Man-in-the-middle attack
According to the ARP design, after receiving an ARP response, a host adds the IP-to-MAC mapping of the sender into its ARP mapping table even if the MAC address is not the real one. This can reduce the ARP traffic in the network, but it also makes ARP spoofing possible.
In Figure 1-3, Host A communicates with Host C through Switch. To intercept the traffic between Host A and Host C, the hacker (Host B) forwards invalid ARP reply messages to Host A and Host C respectively, causing the two hosts to update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B. Then, the traffic between Host A and C will pass through Host B which acts like a “man-in-the-middle” that may intercept and modify the communication information. Such attack is called man-in-the-middle attack.
Figure 1-3 Network diagram for ARP man-in-the-middle attack
ARP attack detection
To guard against the man-in-the-middle attacks launched by hackers or attackers, the device supports the ARP attack detection function. All ARP (both request and response) packets passing through the device are redirected to the CPU, which checks the validity of all the ARP packets by using the DHCP snooping table or the manually configured IP binding table. For description of DHCP snooping table and the manually configured IP binding table, refer to DHCP snooping section in DHCP in H3C WX3000 Series Unified Switches Switching Engine Configuration Guide.
After you enable the ARP attack detection function, the device will check the following items of an ARP packet: the source MAC address, source IP address, port number of the port receiving the ARP packet, and the ID of the VLAN the port resides. If these items match the entries of the DHCP snooping table or the manual configured IP binding table, the device will forward the ARP packet; if not, the device discards the ARP packet.
l With trusted ports configured, ARP packets coming from the trusted ports will not be checked, while those from other ports will be checked through the DHCP snooping table or the manually configured IP binding table.
l With the ARP restricted forwarding function enabled, ARP request packets are forwarded through trusted ports only; ARP response packets are forwarded according to the MAC addresses in the packets, or through trusted ports if the MAC address table contains no such destination MAC addresses.
Introduction to Gratuitous ARP
The following are the characteristics of gratuitous ARP packets:
l Both source and destination IP addresses carried in a gratuitous ARP packet are the local addresses, and the source MAC address carried in it is the local MAC addresses.
l If a device finds that the IP addresses carried in a received gratuitous packet conflict with those of its own, it returns an ARP response to the sending device to notify of the IP address conflict.
By sending gratuitous ARP packets, a network device can:
l Determine whether or not IP address conflicts exist between it and other network devices.
l Trigger other network devices to update its hardware address stored in their caches.
The gratuitous ARP packet learning function:
When the gratuitous ARP packet learning function is enabled on a device and the device receives a gratuitous ARP packet, the device updates the existing ARP entry (contained in the cache of the device) that matches the received gratuitous ARP packet using the hardware address of the sender carried in the gratuitous ARP packet.
Configuring ARP
Configuring ARP Basic Functions
Follow these steps to configure ARP basic functions:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Add a static ARP entry |
arp static ip-address mac-address [ vlan-id interface-type interface-number ] |
Optional By default, the ARP mapping table is empty, and the address mapping entries are created dynamically by ARP. |
|
Configure the ARP aging timer |
arp timer aging aging-time |
Optional By default, the ARP aging timer is set to 20 minutes. |
|
Enable the ARP entry checking function (that is, disable the device from learning ARP entries with multicast MAC addresses) |
arp check enable |
Optional By default, the ARP entry checking function is enabled. |
l Static ARP entries are valid as long as the device operates normally. But some operations, such as removing a VLAN, or removing a port from a VLAN, will make the corresponding ARP entries invalid and therefore removed automatically.
l As for the arp static command, the value of the vlan-id argument must be the ID of an existing VLAN, and the port identified by the interface-type and interface-number arguments must belong to the VLAN.
l Currently, static ARP entries cannot be configured on the ports of an aggregation group.
Configuring ARP Attack Detection
Follow these steps to configure the ARP attack detection function:
|
To do… |
Use the command… |
Remarks |
|
Enter system view |
system-view |
— |
|
Enable DHCP snooping |
dhcp-snooping |
Required By default, the DHCP snooping function is disabled. |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Specify the current port as a trusted port |
dhcp-snooping trust |
Required By default, after DHCP snooping is enabled, all ports of a device are untrusted ports. |
|
Quit to system view |
quit |
— |
|
Enter VLAN view |
vlan vlan-id |
— |
|
Enable the ARP attack detection function |
arp detection enable |
Required By default, ARP attack detection is disabled on all ports. |
|
Quit to system view |
quit |
— |
|
Enter Ethernet port view |
interface interface-type interface-number |
— |
|
Configure the port as an ARP trusted port |
arp detection trust |
Optional By default, a port is an untrusted port. |
|
Quit to system view |
quit |
— |
|
Enter VLAN view |
vlan vlan-id |
— |
|
Enable ARP restricted forwarding |
arp restricted-forwarding enable |
Optional By default, the ARP restricted forwarding function is disabled. The device forwards legal ARP packets through all its ports. |
l You need to enable DHCP snooping and configure DHCP snooping trusted ports on the device before configuring the ARP attack detection function. For more information about DHCP snooping, refer to the DHCP snooping section in DHCP in H3C WX3000 Series Unified Switches Switching Engine Configuration Guide.
l Generally, the uplink port of a device is configured as a trusted port.
l Before enabling ARP restricted forwarding, make sure you enable ARP attack detection and configure ARP trusted ports.
l You are not recommended to configure ARP attack detection on the ports of an aggregation group.
Configuring Gratuitous ARP
Follow these steps to configure the gratuitous ARP:
|
Use the command… |
Remarks |
|
|
Enter system view |
system-view |
— |
|
Enable the gratuitous ARP packet learning function |
gratuitous-arp-learning enable |
Optional By default, the gratuitous ARP packet learning function is enabled. |
The sending of gratuitous ARP packets is enabled as long as a device operates. No command is needed for enabling this function. That is, the device sends gratuitous ARP packets whenever a VLAN interface is enabled (such as when a link is enabled or an IP address is configured for the VLAN interface) or whenever the IP address of a VLAN interface is changed.
Displaying and Maintaining ARP
|
To do… |
Use the command… |
Remarks |
|
Display specific ARP mapping table entries |
display arp [ static | dynamic | ip-address ] |
Available in any view |
|
Display the ARP mapping entries related to a specified string in a specified way |
display arp [ dynamic | static ] | { begin | include | exclude } text |
|
|
Display the number of the ARP entries of a specified type |
display arp count [ [ dynamic | static ] [ | { begin | include | exclude } text ] | ip-address ] |
|
|
Display the statistics about the untrusted ARP packets dropped by the specified port |
display arp detection statistics interface interface-type interface-number |
|
|
Display the setting of the ARP aging timer |
display arp timer aging |
|
|
Clear specific ARP entries |
reset arp [ dynamic | static | interface interface-type interface-number ] |
Available in user view |
ARP Configuration Example
ARP Basic Configuration Example
Network requirement
l Disable ARP entry check on the device.
l Set the aging time for dynamic ARP entries to 10 minutes.
l Add a static ARP entry, with the IP address being 192.168.1.1, the MAC address being 000f-e201-0000, and the outbound port being GigabitEthernet 1/0/10 of VLAN 1.
Configuration procedure
<device> system-view
[device] undo arp check enable
[device] arp timer aging 10
[device] arp static 192.168.1.1 000f-e201-0000 1 gigabitethernet 1/0/10
ARP Attack Detection Configuration Example
Network requirements
As shown in Figure 1-4, GigabitEthernet 1/0/1 of Switch A connects to DHCP Server; GigabitEthernet 1/0/2 connects to Client A, GigabitEthernet 1/0/3 connects to Client B. GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 belong to VLAN 1.
l Enable DHCP snooping on Switch A and specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port.
l Enable ARP attack detection in VLAN 1 to prevent ARP man-in-the-middle attacks, and specify GigabitEthernet 1/0/1 as the ARP trusted port.
Figure 1-4 ARP attack detection configuration
Configuration procedure
# Enable DHCP snooping on Switch A.
<SwitchA> system-view
[SwitchA] dhcp-snooping
# Specify GigabitEthernet 1/0/1 as the DHCP snooping trusted port and the ARP trusted port.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] dhcp-snooping trust
[SwitchA-GigabitEthernet1/0/1] arp detection trust
[SwitchA-GigabitEthernet1/0/1] quit
# Enable ARP attack detection on all ports in VLAN 1.
[SwitchA] vlan 1
[SwitchA-vlan1] arp detection enable
