Contents
Configuring ARP attack protection
Command and hardware compatibility
ARP attack protection configuration task list
Configuring source MAC-based ARP attack detection
Displaying and maintaining source MAC-based ARP attack detection
Configuring ARP packet source MAC consistency check
Configuring ARP active acknowledgement
Configuration example (on a DHCP server)
Configuration example (on a DHCP relay agent)
Configuring ARP attack detection
Configuring user validity check
Configuring ARP packet validity check
Configuring ARP restricted forwarding
Displaying and maintaining ARP attack detection
User validity check configuration example
Configuring ARP scanning and fixed ARP
Configuration restrictions and guidelines
Configuring ARP gateway protection
Configuring ARP attack protection
Overview
ARP attacks and viruses are threatening LAN security. This chapter describes multiple features used to detect and prevent ARP attacks.
Although ARP is easy to implement, it provides no security mechanism and is vulnerable to network attacks. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
· Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
· Sends a large number of unresolvable IP packets to keep the receiving device busy resolving IP addresses until its CPU is overloaded. Unresolvable IP packets are IP packets for which ARP cannot find corresponding MAC addresses.
· Sends a large number of ARP packets to overload the CPU of the receiving device.
Command and hardware compatibility
The WX1800H series, WX2500H series, and WX3000H series access controllers do not support the slot keyword or the slot-number argument.
ARP attack protection configuration task list
Tasks at a glance:
· Configuring flood prevention:
¡ Configuring source MAC-based ARP attack detection (configured on gateways)
· Configuring user and gateway spoofing prevention:
¡ Configuring ARP packet source MAC consistency check (configured on gateways)
¡ Configuring ARP active acknowledgement (configured on gateways)
¡ Configuring authorized ARP (configured on gateways)
¡ Configuring ARP attack detection (configured on access devices)
¡ Configuring ARP scanning and fixed ARP (configured on gateways)
¡ Configuring ARP gateway protection (configured on access devices)
¡ Configuring ARP filtering (configured on access devices)
Configuring source MAC-based ARP attack detection
This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within 5 seconds exceeds a threshold, the device adds the MAC address to an ARP attack entry. Before the entry ages out, the device handles the attack by using either of the following methods:
· Monitor—Only generates log messages.
· Filter—Generates log messages and filters out subsequent ARP packets from that MAC address.
You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.
Configuration procedure
To configure source MAC-based ARP attack detection:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable source MAC-based ARP attack detection and specify the handling method. | arp source-mac { filter \| monitor } | By default, this feature is disabled. When you change the handling method from monitor to filter, the configuration takes effect immediately. When you change the handling method from filter to monitor, the device continues filtering packets that match existing attack entries. |
3. Set the threshold. | arp source-mac threshold threshold-value | The default threshold for source MAC-based ARP attack detection is 50. |
4. Set the aging timer for ARP attack entries. | arp source-mac aging-time time | By default, the lifetime is 300 seconds. |
5. (Optional.) Exclude specific MAC addresses from this detection. | arp source-mac exclude-mac mac-address&<1-10> | By default, no MAC address is excluded. |

NOTE: When an ARP attack entry is aged out, ARP packets sourced from the MAC address in the entry can be processed correctly.
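To make the counting, threshold, aging and handling-method semantics described above concrete, the following Python model of source MAC-based ARP attack detection is an added example and not the access controller's own code. It assumes that packets are fed in as (timestamp, source MAC) pairs, that the 5-second count is a sliding window over arrival times, and that log messages are collected in a list; the class, method and scenario names are this example's own, and the MAC addresses in the scenario are constructed.

```python
"""Behavioural model of source MAC-based ARP attack detection (added example)."""
from collections import deque


class SourceMacArpDetector:
    WINDOW = 5.0  # seconds; the counting interval stated in the text

    def __init__(self, mode="monitor", threshold=50, aging_time=300, exclude=()):
        if mode not in ("monitor", "filter"):
            raise ValueError("mode must be 'monitor' or 'filter'")
        self.mode = mode                              # arp source-mac { filter | monitor }
        self.threshold = threshold                    # arp source-mac threshold (default 50)
        self.aging_time = aging_time                  # arp source-mac aging-time (default 300)
        self.exclude = {m.lower() for m in exclude}   # arp source-mac exclude-mac
        self._arrivals = {}       # mac -> deque of arrival times inside WINDOW
        self.attack_entries = {}  # mac -> {"expires": t, "filtering": bool}
        self.log = []

    def set_mode(self, mode):
        """Model the documented effect of changing the handling method."""
        self.mode = mode
        if mode == "filter":
            # monitor -> filter takes effect immediately, also on existing entries.
            for entry in self.attack_entries.values():
                entry["filtering"] = True
        # filter -> monitor: existing entries keep filtering until they age out,
        # so nothing is cleared here.

    def _age_out(self, now):
        expired = [m for m, e in self.attack_entries.items() if e["expires"] <= now]
        for mac in expired:
            del self.attack_entries[mac]
            self.log.append(f"t={now:.1f} attack entry for {mac} aged out")

    def handle(self, now, src_mac):
        """Return 'forward' or 'drop' for an ARP packet from src_mac seen at time now."""
        mac = src_mac.lower()
        self._age_out(now)
        if mac in self.exclude:
            return "forward"  # excluded MAC addresses are never inspected
        entry = self.attack_entries.get(mac)
        if entry is not None:
            return "drop" if entry["filtering"] else "forward"
        window = self._arrivals.setdefault(mac, deque())
        window.append(now)
        while window and now - window[0] > self.WINDOW:
            window.popleft()
        if len(window) > self.threshold:
            self.attack_entries[mac] = {"expires": now + self.aging_time,
                                        "filtering": self.mode == "filter"}
            self.log.append(f"t={now:.1f} ARP attack from {mac}: {len(window)} packets "
                            f"within {self.WINDOW:.0f}s, handling={self.mode}")
            window.clear()
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def simulate(mode="filter", threshold=3, aging_time=60):
    """Constructed scenario: one chatty host, one excluded server, one quiet host."""
    det = SourceMacArpDetector(mode, threshold, aging_time, exclude=["0012-3f86-e94c"])
    results = {}
    # Host A sends 5 ARP packets in 5 seconds; the 4th exceeds threshold 3.
    results["host_a"] = [det.handle(t, "000f-e349-1233") for t in (0, 1, 2, 3, 4)]
    # The excluded server sends the same burst and is never touched.
    results["server"] = [det.handle(t, "0012-3f86-e94c") for t in (0, 1, 2, 3, 4)]
    # A quiet host is unaffected by host A's entry.
    results["host_b"] = det.handle(5, "000f-e349-1234")
    # Once the entry has aged out, host A's packets are processed normally again.
    results["host_a_after_aging"] = det.handle(4 + aging_time, "000f-e349-1233")
    return det, results
```

simulate() replays the burst under the filter method; set_mode() captures the asymmetry in the Remarks column: switching to filter starts dropping for entries that already exist, while switching back to monitor leaves those entries filtering until the aging timer removes them.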
Displaying and maintaining source MAC-based ARP attack detection
Execute display commands in any view.
Task | Command |
---|---|
Display ARP attack entries detected by source MAC-based ARP attack detection. | display arp source-mac { slot slot-number \| interface interface-type interface-number } |
Configuration example
Network requirements
As shown in Figure 1, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and fail to process requests from the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway.
Figure 1 Network diagram
Configuration considerations
An attacker might forge a large number of ARP packets by using the MAC address of a valid host as the source MAC address. To prevent such attacks, configure the gateway in the following steps:
1. Enable source MAC-based ARP attack detection and specify the handling method as filter.
2. Set the threshold.
3. Set the lifetime for ARP attack entries.
4. Exclude the MAC address of the server from this detection.
Configuration procedure
# Enable source MAC-based ARP attack detection, and specify the handling method as filter.
<AC> system-view
[AC] arp source-mac filter
# Set the threshold to 30.
[AC] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[AC] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
[AC] arp source-mac exclude-mac 0012-3f86-e94c
Configuring ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.
To enable ARP packet source MAC address consistency check:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable ARP packet source MAC address consistency check. | arp valid-check enable | By default, ARP packet source MAC address consistency check is disabled. |
Configuring ARP active acknowledgement
Configure this feature on gateways to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
In strict mode, a gateway performs stricter validity checks before creating an ARP entry:
· Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but does not create an ARP entry.
· Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP address:
¡ If yes, the gateway performs active acknowledgement. When the ARP reply is verified as valid, the gateway creates an ARP entry.
¡ If no, the gateway discards the packet.
To configure ARP active acknowledgement:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable the ARP active acknowledgement feature. | arp active-ack [ strict ] enable | By default, this feature is disabled. |
Configuring authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about the DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide.
With authorized ARP enabled, an interface no longer learns dynamic ARP entries. This feature prevents user spoofing and allows only authorized clients to access network resources.
Configuration procedure
To enable authorized ARP:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Enable authorized ARP on the interface. | arp authorized enable | By default, authorized ARP is disabled. |
Configuration example (on a DHCP server)
Network requirements
As shown in Figure 2, configure authorized ARP on VLAN-interface 10 of the AC (a DHCP server) to ensure user validity.
Configuration procedure
# Configure DHCP.
<AC> system-view
[AC] dhcp enable
[AC] dhcp server ip-pool 1
[AC-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
[AC-dhcp-pool-1] quit
# Specify the IP address for VLAN-interface 10.
[AC] interface vlan-interface 10
[AC-Vlan-interface10] ip address 10.1.1.1 24
# Enable authorized ARP.
[AC-Vlan-interface10] arp authorized enable
[AC-Vlan-interface10] quit
Verifying the configuration
# Display authorized ARP entry information on the AC.
[AC] display arp
Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid
IP Address MAC Address VLAN Interface Aging Type
10.1.1.2 0012-3f86-e94c N/A GE1/0/1 20 D
The output shows that IP address 10.1.1.2 has been assigned to the client.
The client must use the IP address and MAC address in the authorized ARP entry to communicate with the AC. Otherwise, the communication fails. Thus user validity is ensured.
Configuration example (on a DHCP relay agent)
Network requirements
As shown in Figure 3, configure authorized ARP on VLAN-interface 20 of the AC (a DHCP relay agent) to ensure user validity.
Configuration procedure
1. Configure the switch:
# Specify the IP address for VLAN-interface 10.
<Switch> system-view
[Switch] interface vlan-interface 10
[Switch-Vlan-interface10] ip address 10.1.1.1 24
[Switch-Vlan-interface10] quit
# Configure DHCP.
[Switch] dhcp enable
[Switch] dhcp server ip-pool 1
[Switch-dhcp-pool-1] network 10.10.1.0 mask 255.255.255.0
[Switch-dhcp-pool-1] gateway-list 10.10.1.1
[Switch-dhcp-pool-1] quit
[Switch] ip route-static 10.10.1.0 24 10.1.1.2
2. Configure the AC:
# Enable DHCP.
<AC> system-view
[AC] dhcp enable
# Specify the IP addresses of VLAN-interface 10 and VLAN-interface 20.
[AC] interface vlan-interface 10
[AC-Vlan-interface10] ip address 10.1.1.2 24
[AC-Vlan-interface10] quit
[AC] interface vlan-interface 20
[AC-Vlan-interface20] ip address 10.10.1.1 24
# Enable DHCP relay agent on VLAN-interface 20.
[AC-Vlan-interface20] dhcp select relay
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[AC-Vlan-interface20] dhcp relay server-address 10.1.1.1
# Enable authorized ARP.
[AC-Vlan-interface20] arp authorized enable
[AC-Vlan-interface20] quit
# Enable recording of relay entries on the relay agent.
[AC] dhcp relay client-information record
Verifying the configuration
# Display authorized ARP information on the AC.
[AC] display arp
Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid
IP Address MAC Address VLAN Interface Aging Type
10.10.1.2 0012-3f86-e94c N/A GE1/0/2 20 D
The output shows that the DHCP server assigned the IP address 10.10.1.2 to the client.
The client must use the IP address and MAC address in the authorized ARP entry to communicate with the AC. Otherwise, the communication fails. Thus user validity is ensured.
Configuring ARP attack detection
ARP attack detection enables access devices to block ARP packets from unauthorized clients to prevent user spoofing and gateway spoofing attacks. ARP attack detection does not check ARP packets received from ARP trusted interfaces.
ARP attack detection provides the user validity check, ARP packet validity check, and ARP restricted forwarding features.
If both ARP packet validity check and user validity check are enabled, ARP packet validity check applies first, and then user validity check applies.
Configuring user validity check
User validity check compares the sender IP and sender MAC in the received ARP packet with the matching criteria in the following order:
1. User validity check rules.
¡ If a match is found, the device processes the ARP packet according to the rule.
¡ If no match is found or no user validity check rule is configured, the device proceeds to step 2.
2. 802.1X security entries.
¡ If a match is found, the device forwards the ARP packet.
¡ If no match is found, the device discards the ARP packet.
802.1X security entries record the IP-to-MAC mappings for 802.1X clients. After a client passes 802.1X authentication and uploads its IP address to an ARP attack detection enabled device, the device automatically generates an 802.1X security entry. The 802.1X client must be enabled to upload its IP address to the device. For more information, see "Configuring 802.1X."
Configuration guidelines
Make sure at least one of the following items is configured for user validity check:
· User validity check rules.
· 802.1X.
If none of the items is configured, all incoming ARP packets on ARP untrusted interfaces are discarded.
Configuration procedure
To configure user validity check:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Configure a user validity check rule. | | By default, no user validity check rule is configured. |
3. Enter VLAN view. | vlan vlan-id | N/A |
4. Enable ARP attack detection. | arp detection enable | By default, ARP attack detection is disabled. |
5. Return to system view. | quit | N/A |
6. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
7. (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection. | arp detection trust | By default, an interface is untrusted. |
Configuring ARP packet validity check
Enable validity check for ARP packets received on untrusted interfaces and specify the following objects to be checked:
· src-mac—Checks whether the sender MAC address in the message body is identical to the source MAC address in the Ethernet header. If they are identical, the packet is forwarded. Otherwise, the packet is discarded.
· dst-mac—Checks the target MAC address of ARP replies. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.
· ip—Checks the sender and target IP addresses of ARP replies, and the sender IP address of ARP requests. All-one or multicast IP addresses are considered invalid and the corresponding packets are discarded.
To configure ARP packet validity check:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable ARP attack detection. | arp detection enable | By default, ARP attack detection is disabled. |
4. Return to system view. | quit | N/A |
5. Enable ARP packet validity check and specify the objects to be checked. | arp detection validate { dst-mac \| ip \| src-mac } * | By default, ARP packet validity check is disabled. |
6. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
7. (Optional.) Configure the interface as a trusted interface excluded from ARP attack detection. | arp detection trust | By default, an interface is untrusted. |
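The source MAC consistency check (arp valid-check enable) and the src-mac, dst-mac and ip objects of ARP packet validity check all operate on the same two places in a frame: the Ethernet header and the ARP message body. The following Python parser and check functions are an added example written for this page, not the device's implementation; the frame layout is standard Ethernet II plus IPv4-over-Ethernet ARP, and the sample frames at the bottom are constructed here (the MAC and IP values are borrowed from the page's examples).

```python
"""Parser and validity checks for ARP frames (added example, not vendor code)."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ZERO_MAC = b"\x00" * 6
ALL_ONES_MAC = b"\xff" * 6
ALL_ONES_IP = b"\xff" * 4


@dataclass
class ArpFrame:
    eth_dst: bytes
    eth_src: bytes
    opcode: int        # 1 = request, 2 = reply
    sender_mac: bytes
    sender_ip: bytes
    target_mac: bytes
    target_ip: bytes


def mac(text):
    """Accept the H3C xxxx-xxxx-xxxx notation or colon notation."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip(text):
    return IPv4Address(text).packed


def parse_arp_frame(frame):
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet II + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return ArpFrame(eth_dst, eth_src, opcode, sha, spa, tha, tpa)


def build_arp_frame(eth_dst, eth_src, opcode, sha, spa, tha, tpa):
    """Used only to construct the sample frames for this example."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETHERTYPE_ARP)
            + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode, sha, spa, tha, tpa))


def check_src_mac(f):
    # sender MAC in the ARP body must equal the Ethernet source MAC
    # (this is also what the arp valid-check feature enforces on a gateway)
    return f.sender_mac == f.eth_src


def check_dst_mac(f):
    # only ARP replies are checked: target MAC must be neither all-zero nor
    # all-one and must equal the Ethernet destination MAC
    if f.opcode != 2:
        return True
    return f.target_mac not in (ZERO_MAC, ALL_ONES_MAC) and f.target_mac == f.eth_dst


def _ip_invalid(addr):
    return addr == ALL_ONES_IP or IPv4Address(addr).is_multicast


def check_ip(f):
    # replies: sender and target IP; requests: sender IP only
    if f.opcode == 2:
        return not (_ip_invalid(f.sender_ip) or _ip_invalid(f.target_ip))
    if f.opcode == 1:
        return not _ip_invalid(f.sender_ip)
    return True


CHECKS = {"src-mac": check_src_mac, "dst-mac": check_dst_mac, "ip": check_ip}


def validate(frame, objects=("src-mac", "dst-mac", "ip")):
    """Return ('forward', []) or ('drop', [failed objects]) for a raw frame."""
    f = parse_arp_frame(frame)
    failed = [name for name in objects if not CHECKS[name](f)]
    return ("drop", failed) if failed else ("forward", [])


# Constructed sample frames (not captures from the page).
GOOD_REQUEST = build_arp_frame(ALL_ONES_MAC, mac("000f-e349-1233"), 1,
                               mac("000f-e349-1233"), ip("10.1.1.2"), ZERO_MAC, ip("10.1.1.1"))
MISMATCHED_SRC_REQUEST = build_arp_frame(ALL_ONES_MAC, mac("000f-e349-1234"), 1,
                                         mac("000f-e349-1233"), ip("10.1.1.2"), ZERO_MAC, ip("10.1.1.1"))
ZERO_TARGET_REPLY = build_arp_frame(mac("0012-3f86-e94c"), mac("000f-e349-1233"), 2,
                                    mac("000f-e349-1233"), ip("10.1.1.2"), ZERO_MAC, ip("10.1.1.1"))
MULTICAST_SENDER_REQUEST = build_arp_frame(ALL_ONES_MAC, mac("000f-e349-1233"), 1,
                                           mac("000f-e349-1233"), ip("224.0.0.1"), ZERO_MAC, ip("10.1.1.1"))
```

validate(frame, objects=...) mirrors the `arp detection validate { dst-mac | ip | src-mac } *` selection: only the listed objects are checked, and a frame that fails any one of them is dropped. Note that a request with an all-zero target MAC passes check_dst_mac, because the page limits that object to ARP replies.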
Configuring ARP restricted forwarding
NOTE: ARP restricted forwarding does not apply to ARP packets that have a multiport MAC address as their destination MAC address.
ARP restricted forwarding controls the forwarding of ARP packets that are received on untrusted interfaces and have passed user validity check as follows:
· If the packets are ARP requests, they are forwarded through the trusted interface.
· If the packets are ARP replies, they are forwarded according to their destination MAC address. If no match is found in the MAC address table, they are forwarded through the trusted interface.
Configure user validity check before you configure ARP restricted forwarding.
To enable ARP restricted forwarding:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter VLAN view. | vlan vlan-id | N/A |
3. Enable ARP restricted forwarding. | arp restricted-forwarding enable | By default, ARP restricted forwarding is disabled. |
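The user validity check order (rules first, then 802.1X security entries, discard if nothing matches) and the ARP restricted forwarding rules above are easier to reason about as one decision pipeline. The Python model below is an added example, not the device's code. The rule shape (sender IP, sender MAC, permit/deny) is an assumption, since the page does not give the rule syntax; the 802.1X entries, MAC address table and interface names are constructed for the scenario, and "normal-forwarding" is a placeholder for the ordinary Layer 2 path.

```python
"""Model of ARP attack detection on an access device: user validity check
followed by ARP restricted forwarding (added example, not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ingress: str      # receiving interface
    opcode: int       # 1 = request, 2 = reply
    sender_ip: str
    sender_mac: str
    eth_dst: str      # Ethernet destination MAC


@dataclass(frozen=True)
class UserValidityRule:
    sender_ip: str
    sender_mac: str
    action: str       # "permit" or "deny" (assumed rule shape)


class ArpAttackDetection:
    def __init__(self, trusted, rules=(), dot1x_entries=(),
                 restricted_forwarding=False, mac_table=None):
        self.trusted = set(trusted)                         # arp detection trust
        self.rules = list(rules)                            # user validity check rules
        self.dot1x_entries = set(dot1x_entries)             # (ip, mac) of authenticated clients
        self.restricted_forwarding = restricted_forwarding  # arp restricted-forwarding enable
        self.mac_table = dict(mac_table or {})              # mac -> egress interface

    def user_validity_check(self, pkt):
        """Return 'forward' or 'discard' using the documented match order."""
        if pkt.ingress in self.trusted:
            return "forward"  # packets from trusted interfaces are not checked
        key = (pkt.sender_ip, pkt.sender_mac)
        # 1. User validity check rules: the first matching rule decides.
        for rule in self.rules:
            if (rule.sender_ip, rule.sender_mac) == key:
                return "forward" if rule.action == "permit" else "discard"
        # 2. 802.1X security entries. With neither rules nor entries
        #    configured, every packet on an untrusted interface is discarded.
        return "forward" if key in self.dot1x_entries else "discard"

    def forward(self, pkt):
        """Return the egress interfaces for pkt, or [] when it is discarded."""
        if self.user_validity_check(pkt) == "discard":
            return []
        if pkt.ingress in self.trusted or not self.restricted_forwarding:
            return ["normal-forwarding"]
        # Restricted forwarding: untrusted ingress and user validity check passed.
        # (Packets destined to a multiport MAC are exempt per the page; such
        # MAC table entries are not modelled here.)
        if pkt.opcode == 1:
            return sorted(self.trusted)  # requests leave only via trusted interfaces
        egress = self.mac_table.get(pkt.eth_dst)
        return [egress] if egress else sorted(self.trusted)


def scenario():
    """Constructed topology in the spirit of the page's user validity check
    example: clients on GE1/0/1 and GE1/0/2, the uplink on trusted GE1/0/3."""
    det = ArpAttackDetection(
        trusted=["GE1/0/3"],
        rules=[UserValidityRule("10.1.1.9", "000f-e349-9999", "deny")],
        dot1x_entries=[("10.1.1.2", "000f-e349-1233"), ("10.1.1.3", "000f-e349-1234")],
        restricted_forwarding=True,
        mac_table={"000f-e349-1234": "GE1/0/2", "0012-3f86-e94c": "GE1/0/3"},
    )
    packets = {
        "client1_request": ArpPacket("GE1/0/1", 1, "10.1.1.2", "000f-e349-1233", "ffff-ffff-ffff"),
        "client1_reply_to_client2": ArpPacket("GE1/0/1", 2, "10.1.1.2", "000f-e349-1233", "000f-e349-1234"),
        "client1_reply_unknown_dst": ArpPacket("GE1/0/1", 2, "10.1.1.2", "000f-e349-1233", "000f-e349-abcd"),
        "claims_gateway_ip": ArpPacket("GE1/0/1", 2, "10.1.1.1", "000f-e349-1233", "000f-e349-1234"),
        "denied_by_rule": ArpPacket("GE1/0/2", 1, "10.1.1.9", "000f-e349-9999", "ffff-ffff-ffff"),
        "from_trusted_uplink": ArpPacket("GE1/0/3", 2, "10.1.1.1", "0012-3f86-e94c", "000f-e349-1233"),
    }
    return det, {name: det.forward(p) for name, p in packets.items()}
```

The scenario shows the two effects the section describes: a client-port packet whose sender IP/MAC pair is not backed by an 802.1X entry (here one claiming the gateway's IP) is discarded before forwarding, and validated requests from untrusted ports are constrained to the trusted uplink rather than flooded to other client ports.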
Displaying and maintaining ARP attack detection
Execute display commands in any view.
Task | Command |
---|---|
Display the VLANs enabled with ARP attack detection. | display arp detection |
Display the ARP attack detection statistics. | display arp detection statistics [ interface interface-type interface-number ] |
User validity check configuration example
Network requirements
As shown in Figure 4, configure the AC to perform user validity check based on 802.1X security entries for the clients.
Configuration procedure
1. Add all interfaces on the AC to VLAN 10, and specify the IP address of VLAN-interface 10 on the switch. (Details not shown.)
2. Configure the DHCP server on the switch, and configure DHCP address pool 0.
<Switch> system-view
[Switch] dhcp enable
[Switch] dhcp server ip-pool 0
[Switch-dhcp-pool-0] network 10.1.1.0 mask 255.255.255.0
3. Configure Client 1 and Client 2 as 802.1X clients and configure them to upload IP addresses for ARP attack detection. (Details not shown.)
4. Configure the AC:
# Configure the AC to perform EAP termination and use CHAP to communicate with the RADIUS server.
<AC> system-view
[AC] dot1x authentication-method chap
# Create an ISP domain named local and enter ISP domain view.
[AC] domain local
# Configure the ISP domain to use local authentication, local authorization, and local accounting for LAN clients.
[AC-isp-local] authentication lan-access local
[AC-isp-local] authorization lan-access local
[AC-isp-local] accounting lan-access local
[AC-isp-local] quit
# Create a service template named wlas_local_chap and enter its view.
[AC] wlan service-template wlas_local_chap
# Set the authentication mode to 802.1X.
[AC-wlan-st-wlas_local_chap] client-security authentication-mode dot1x
# Specify ISP domain local for the service template.
[AC-wlan-st-wlas_local_chap] dot1x domain local
# Set the SSID to wlas_local_chap.
[AC-wlan-st-wlas_local_chap] ssid wlas_local_chap
# Enable the service template.
[AC-wlan-st-wlas_local_chap] service-template enable
[AC-wlan-st-wlas_local_chap] quit
# Create AP ap1, and specify the AP model and serial ID.
[AC] wlan ap ap1 model WA4320i-ACN
[AC-wlan-ap-ap1] serial-id 210235A1BSC123000050
# Configure channel 149 as the working channel for radio 1 of the AP, and enable radio 1.
[AC-wlan-ap-ap1] radio 1
[AC-wlan-ap-ap1-radio-1] channel 149
[AC-wlan-ap-ap1-radio-1] radio enable
# Bind service template wlas_local_chap to radio 1.
[AC-wlan-ap-ap1-radio-1] service-template wlas_local_chap
[AC-wlan-ap-ap1-radio-1] quit
[AC-wlan-ap-ap1] quit
# Add a network access user named test.
[AC] local-user test class network
[AC-luser-network-test] service-type lan-access
[AC-luser-network-test] password simple test
[AC-luser-network-test] quit
# Enable ARP attack detection for VLAN 10 to check user validity based on 802.1X entries.
[AC] vlan 10
[AC-vlan10] arp detection enable
# Configure the upstream interface as an ARP trusted interface. By default, an interface is an untrusted interface.
[AC-vlan10] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] arp detection trust
[AC-GigabitEthernet1/0/3] quit
After the configurations are completed, ARP packets received on interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are checked against 802.1X entries.
Configuring ARP scanning and fixed ARP
ARP scanning is typically used together with the fixed ARP feature in small-scale networks.
ARP scanning automatically creates ARP entries for devices in an address range. The device performs ARP scanning in the following steps:
1. Sends ARP requests for each IP address in the address range.
2. Obtains their MAC addresses through received ARP replies.
3. Creates dynamic ARP entries.
Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning) to static ARP entries. This feature prevents ARP entries from being modified by attackers. Static ARP entries can also be manually configured by the arp static command.
Configuration restrictions and guidelines
Follow these restrictions and guidelines when you configure ARP scanning and fixed ARP:
· IP addresses in existing ARP entries are not scanned.
· ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
· The arp fixup command is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.
· Due to the limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.
· To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address command.
Configuration procedure
To configure ARP scanning and fixed ARP:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Enter Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, or VLAN interface view. | interface interface-type interface-number |
3. Enable ARP scanning. | arp scan [ start-ip-address to end-ip-address ] |
4. Return to system view. | quit |
5. Enable fixed ARP. | arp fixup |
Configuring ARP gateway protection
Configure this feature on interfaces not connected to a gateway to prevent gateway spoofing attacks.
When such an interface receives an ARP packet, it checks whether the sender IP address in the packet matches the IP address of any protected gateway. If so, it discards the packet. If not, it processes the packet normally.
Configuration guidelines
Follow these guidelines when you configure ARP gateway protection:
· You can enable ARP gateway protection for a maximum of eight gateways on an interface.
· Do not configure both the arp filter source and arp filter binding commands on an interface.
· If ARP gateway protection works with ARP attack detection, ARP gateway protection applies first.
Configuration procedure
To configure ARP gateway protection:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
3. Enable ARP gateway protection for the specified gateway. | arp filter source ip-address | By default, ARP gateway protection is disabled. |
Configuration example
Network requirements
As shown in Figure 5, Client 2 launches gateway spoofing attacks to the AC. As a result, traffic that the AC intends to send to the switch is sent to Client 2.
Configure Switch B to block such attacks.
Configuration procedure
# Configure ARP gateway protection on the AC.
<AC> system-view
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] arp filter source 10.1.1.1
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] arp filter source 10.1.1.1
Verifying the configuration
# Verify that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
Configuring ARP filtering
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded.
Configuration guidelines
Follow these guidelines when you configure ARP filtering:
· You can configure a maximum of eight permitted entries on an interface.
· Do not configure both the arp filter source and arp filter binding commands on an interface.
· If ARP filtering works with ARP attack detection, ARP filtering applies first.
Configuration procedure
To configure ARP filtering:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view. | interface interface-type interface-number | N/A |
3. Enable ARP filtering and configure a permitted entry. | arp filter binding ip-address mac-address | By default, ARP filtering is disabled. |
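ARP gateway protection and ARP filtering are both per-interface checks on the sender fields of incoming ARP packets, share the same eight-entry limit, must not be combined on one interface, and run ahead of ARP attack detection. The Python model below is an added example, not the access controller's code; the class and method names are this example's own, the addresses are the ones used in the page's gateway protection and ARP filtering examples, and the conflict and ninth-entry cases are constructed here.

```python
"""Per-interface model of ARP gateway protection (arp filter source) and ARP
filtering (arp filter binding) on an access device (added example)."""


class ConfigError(Exception):
    """Raised for configurations the page says are not allowed."""


class ArpFilterInterface:
    MAX_ENTRIES = 8  # the limit the page states for both features

    def __init__(self, name):
        self.name = name
        self.protected_gateways = set()  # IPs configured with arp filter source
        self.permitted = set()           # (ip, mac) pairs from arp filter binding

    def arp_filter_source(self, gateway_ip):
        """Protect gateway_ip on this interface (an interface not connected to the gateway)."""
        if self.permitted:
            raise ConfigError("arp filter source and arp filter binding must not coexist")
        if gateway_ip not in self.protected_gateways and len(self.protected_gateways) >= self.MAX_ENTRIES:
            raise ConfigError("at most 8 protected gateways per interface")
        self.protected_gateways.add(gateway_ip)

    def arp_filter_binding(self, ip, mac):
        """Permit only ARP packets whose sender IP and MAC match a configured entry."""
        if self.protected_gateways:
            raise ConfigError("arp filter source and arp filter binding must not coexist")
        entry = (ip, mac.lower())
        if entry not in self.permitted and len(self.permitted) >= self.MAX_ENTRIES:
            raise ConfigError("at most 8 permitted entries per interface")
        self.permitted.add(entry)

    def check(self, sender_ip, sender_mac, attack_detection=None):
        """Return 'forward' or 'discard' for an ARP packet received on this interface.

        Gateway protection and ARP filtering run first. attack_detection, if given,
        is a callable (ip, mac) -> verdict that only sees packets they let through,
        matching the page's note that these features apply before ARP attack detection.
        """
        if sender_ip in self.protected_gateways:
            return "discard"  # a client port claiming a protected gateway's IP
        if self.permitted and (sender_ip, sender_mac.lower()) not in self.permitted:
            return "discard"  # filtering is enabled and no permitted entry matches
        if attack_detection is not None:
            return attack_detection(sender_ip, sender_mac)
        return "forward"


def scenario():
    """Replay the page's two examples against the model."""
    # Gateway protection example: gateway 10.1.1.1 protected on a client-facing port.
    ge1 = ArpFilterInterface("GigabitEthernet1/0/1")
    ge1.arp_filter_source("10.1.1.1")
    # ARP filtering example: GigabitEthernet1/0/2 permits only Client 2.
    ge2 = ArpFilterInterface("GigabitEthernet1/0/2")
    ge2.arp_filter_binding("10.1.1.3", "000f-e349-1234")
    results = {
        "gateway_ip_on_ge1": ge1.check("10.1.1.1", "000f-e349-1234"),
        "client_on_ge1": ge1.check("10.1.1.2", "000f-e349-1233"),
        "client2_on_ge2": ge2.check("10.1.1.3", "000f-e349-1234"),
        "client1_on_ge2": ge2.check("10.1.1.2", "000f-e349-1233"),
        "client2_ip_other_mac_on_ge2": ge2.check("10.1.1.3", "000f-e349-1233"),
    }
    try:
        ge1.arp_filter_binding("10.1.1.2", "000f-e349-1233")
        results["mixed_config_on_ge1"] = "accepted"
    except ConfigError:
        results["mixed_config_on_ge1"] = "rejected"
    return results
```

The attack_detection hook in check() is how the guideline "ARP gateway protection (or ARP filtering) applies first" shows up in practice: a packet discarded by either feature never reaches the user validity or packet validity checks, so their statistics will not count it.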
Configuration example
Network requirements
As shown in Figure 6, the IP and MAC addresses of Client 1 are 10.1.1.2 and 000f-e349-1233, respectively. The IP and MAC addresses of Client 2 are 10.1.1.3 and 000f-e349-1234, respectively.
Configure ARP filtering on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of the AC to permit ARP packets from only Client 1 and Client 2.
Configuration procedure
# Configure ARP filtering on the AC.
<AC> system-view
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] arp filter binding 10.1.1.2 000f-e349-1233
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] arp filter binding 10.1.1.3 000f-e349-1234
Verifying the configuration
# Verify that GigabitEthernet 1/0/1 permits ARP packets from Client 1 and discards other ARP packets.
# Verify that GigabitEthernet 1/0/2 permits ARP packets from Client 2 and discards other ARP packets.