Login
- Table of Contents
-
- 12-Security Configuration Guide
- 00-Preface
- 01-MAC authentication configuration
- 02-Password control configuration
- 03-Keychain configuration
- 04-Public key management
- 05-PKI configuration
- 06-IPsec configuration
- 07-SSH configuration
- 08-SSL configuration
- 09-Session management
- 10-Object group configuration
- 11-Attack detection and prevention configuration
- 12-TCP and ICMP attack prevention configuration
- 13-IP source guard configuration
- 14-ARP attack protection configuration
- 15-ND attack defense configuration
- 16-uRPF configuration
- 17-Crypto engine configuration
- 18-DAE proxy configuration
- 19-802.1X configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 14-ARP attack protection configuration | 198.80 KB |
Configuring ARP attack protection
ARP attack protection tasks at a glance
Configuring unresolvable IP attack protection
About unresolvable IP attack protection
Configuring ARP source suppression
Configuring ARP blackhole routing
Display and maintenance commands for unresolvable IP attack protection
Example: Configuring unresolvable IP attack protection
Configuring source MAC-based ARP attack detection
About source MAC-based ARP attack detection
Display and maintenance commands for source MAC-based ARP attack detection
Example: Configuring source MAC-based ARP attack detection
Configuring interface-based ARP attack suppression
About interface-based ARP attack suppression
Feature and hardware compatibility
Display and maintenance commands for interface-based ARP attack suppression
Configuring ARP packet source MAC consistency check
About ARP packet source MAC consistency check
Display and maintenance commands for ARP packet source MAC consistency check
Configuring ARP active acknowledgement
Example: Configuring authorized ARP on a DHCP server
Example: Configuring authorized ARP on a DHCP relay agent
Configuring ARP scanning and fixed ARP
Configuring ARP gateway protection
Example: Configuring ARP gateway protection
Example: Configuring ARP filtering
Configuring ARP sender IP address checking
About ARP sender IP address checking
Example: Configuring ARP sender IP address checking
Configuring ARP attack protection
About ARP attack protection
The device can provide multiple features to detect and prevent ARP attacks and viruses in the LAN. An attacker can exploit ARP vulnerabilities to attack network devices in the following ways:
· Sends a large number of unresolvable IP packets to have the receiving device busy with resolving IP addresses until its CPU is overloaded. Unresolvable IP packets refer to IP packets for which ARP cannot find corresponding MAC addresses.
· Sends a large number of ARP packets to overload the CPU of the receiving device.
· Acts as a trusted user or gateway to send ARP packets so the receiving devices obtain incorrect ARP entries.
ARP attack protection tasks at a glance
All ARP attack protection tasks are optional.
· Preventing flood attacks
¡ Configuring unresolvable IP attack protection
¡ Configuring source MAC-based ARP attack detection
¡ Configuring interface-based ARP attack suppression
· Preventing user and gateway spoofing attacks
¡ Configuring ARP packet source MAC consistency check
¡ Configuring ARP active acknowledgement
¡ Configuring ARP scanning and fixed ARP
¡ Configuring ARP gateway protection
¡ Configuring ARP sender IP address checking
Configuring unresolvable IP attack protection
About unresolvable IP attack protection
If a device receives a large number of unresolvable IP packets from a host, the following situations can occur:
· The device sends a large number of ARP requests, overloading the target subnets.
· The device keeps trying to resolve the destination IP addresses, overloading its CPU.
To protect the device from such IP attacks, you can configure the following features:
· ARP source suppression—Stops resolving packets from an IP address if the number of unresolvable IP packets from the IP address exceeds the upper limit within 5 seconds. The device continues ARP resolution when the interval elapses. This feature is applicable if the attack packets have the same source addresses.
· ARP blackhole routing—Creates a blackhole route destined for an unresolved IP address. The device drops all matching packets until the blackhole route is deleted. A blackhole route is deleted when its aging timer is reached or the route becomes reachable.
After a blackhole route is created for an unresolved IP address, the device immediately starts the first ARP blackhole route probe by sending an ARP request. If the resolution fails, the device continues probing according to the probe settings. If the IP address resolution succeeds in a probe, the device converts the blackhole route to a normal route. If an ARP blackhole route ages out before the device finishes all probes, the device deletes the blackhole route and does not perform the remaining probes.
This feature is applicable regardless of whether the attack packets have the same source addresses.
Configuring ARP source suppression
1. Enter system view.
system-view
2. Enable ARP source suppression.
arp source-suppression enable
By default, ARP source suppression is disabled.
3. Set the maximum number of unresolvable packets that the device can process per source IP address within 5 seconds.
arp source-suppression limit limit-value
By default, the maximum number is 10.
Configuring ARP blackhole routing
Restrictions and guidelines
Set the ARP blackhole route probe count to a big value, for example, 25. If the device fails to reach the destination IP address temporarily and the probe count is too small, all probes might finish before the problem is resolved. As a result, non-attack packets will be dropped. This setting can avoid such situation.
Procedure
1. Enter system view.
system-view
2. Enable ARP blackhole routing.
arp resolving-route enable
By default, ARP blackhole routing is disabled.
3. (Optional.) Set the number of ARP blackhole route probes for each unresolved IP address.
arp resolving-route probe-count count
The default setting is three probes.
4. (Optional.) Set the interval at which the device probes ARP blackhole routes.
arp resolving-route probe-interval interval
The default setting is 1 second.
Display and maintenance commands for unresolvable IP attack protection
Execute display commands in any view.
|
Task |
Command |
|
Display ARP source suppression configuration information. |
display arp source-suppression |
Example: Configuring unresolvable IP attack protection
Network configuration
As shown in Figure 1, a LAN contains two areas: an R&D area in VLAN 10 and an office area in VLAN 20. Each area connects to the gateway (Device) through an access switch.
A large number of ARP requests are detected in the office area and are considered an attack caused by unresolvable IP packets. To prevent the attack, configure ARP source suppression or ARP blackhole routing.
Procedure
· If the attack packets have the same source address, configure ARP source suppression:
# Enable ARP source suppression.
<Device> system-view
[Device] arp source-suppression enable
# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
[Device] arp source-suppression limit 100
· If the attack packets have different source addresses, configure ARP blackhole routing:
# Enable ARP blackhole routing.
[Device] arp resolving-route enable
Configuring source MAC-based ARP attack detection
About source MAC-based ARP attack detection
This feature checks the number of ARP packets delivered to the CPU. If the number of packets from the same MAC address within the check interval exceeds a threshold, the device generates an ARP attack entry for the MAC address. If the ARP logging feature is enabled, the device handles the attack by using either of the following methods before the ARP attack entry ages out:
· Monitor—Only generates log messages.
· Filter—Generates log messages and filters out subsequent ARP packets from the MAC address.
To enable the ARP logging feature, use the arp check log enable command. For information about the ARP logging feature, see ARP in Layer 3—IP Services Configuration Guide.
When an ARP attack entry ages out, ARP packets sourced from the MAC address in the entry can be processed correctly.
Restrictions and guidelines
When you change the handling method from monitor to filter, the configuration takes effect immediately. When you change the handling method from filter to monitor, the device continues filtering packets that match existing attack entries.
You can exclude the MAC addresses of some gateways and servers from this detection. This feature does not inspect ARP packets from those devices even if they are attackers.
If attacks occur frequently in your network, set a short check interval so that source MAC-based ARP attacks can be detected in a timely manner. If attacks seldom occur, you can set a long check interval.
Procedure
1. Enter system view.
system-view
2. Enable source MAC-based ARP attack detection and specify the handling method.
arp source-mac { filter | monitor }
By default, this feature is disabled.
3. Set the check interval for source MAC-based ARP attack detection.
arp source-mac check-interval interval
By default, the check interval for source MAC-based ARP attack detection is 5 seconds.
4. Set the threshold.
arp source-mac threshold threshold-value
By default, the threshold is 30.
5. Set the aging timer for ARP attack entries.
arp source-mac aging-time time
By default, the lifetime is 300 seconds.
6. (Optional.) Exclude specific MAC addresses from this detection.
arp source-mac exclude-mac mac-address&<1-64>
By default, no MAC address is excluded.
Display and maintenance commands for source MAC-based ARP attack detection
|
|
IMPORTANT: The display arp source-mac statistics command is supported only on CSPEX cards (excluding CSPEX-1204 and CSPEX-1104-E cards) and CEPC cards. |
Execute display commands in any view.
|
Task |
Command |
|
Display the configuration of source MAC-based ARP attack detection. |
display arp source-mac configuration |
|
(In standalone mode.) Display ARP attack entries detected by source MAC-based ARP attack detection. |
display arp source-mac interface interface-type interface-number [ slot slot-number ] [ verbose ] display arp source-mac { mac mac-address | vlan vlan-id } slot slot-number [ verbose ] display arp source-mac slot slot-number [ count | verbose ] |
|
(In IRF mode.) Display ARP attack entries detected by source MAC-based ARP attack detection. |
display arp source-mac interface interface-type interface-number [ chassis chassis-number slot slot-number ] [ verbose ] display arp source-mac { mac mac-address | vlan vlan-id } chassis chassis-number slot slot-number [ verbose ] display arp source-mac chassis chassis-number slot slot-number [ count | verbose ] |
|
(In standalone mode.) Display statistics for packets dropped by source MAC-based ARP attack detection. |
display arp source-mac statistics slot slot-number |
|
(In IRF mode.) Display statistics for packets dropped by source MAC-based ARP attack detection. |
display arp source-mac statistics chassis chassis-number slot slot-number |
|
(In standalone mode.) Delete source MAC-based ARP attack entries. |
reset arp source-mac [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ] |
|
(In IRF mode.) Clear statistics of packets dropped by source MAC-based ARP attack detection. |
reset arp source-mac statistics [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ chassis chassis-number slot slot-number ] |
|
(In standalone mode.) Clear statistics of packets dropped by source MAC-based ARP attack detection. |
reset arp source-mac statistics [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ slot slot-number ] |
|
(In IRF mode.) Clear statistics of packets dropped by source MAC-based ARP attack detection. |
reset arp source-mac statistics [ interface interface-type interface-number | mac mac-address | vlan vlan-id ] [ chassis chassis-number slot slot-number ] |
Example: Configuring source MAC-based ARP attack detection
Network configuration
As shown in Figure 2, the hosts access the Internet through a gateway (Device). If malicious users send a large number of ARP requests to the gateway, the gateway might crash and cannot process requests from the clients. To solve this problem, configure source MAC-based ARP attack detection on the gateway. Set the check interval to 10 seconds, the threshold to 30, and the lifetime for ARP attack entries to 60 seconds. Exclude the MAC address 0012-3f86-e94c from source MAC-based ARP attack detection.
Figure 2 Network diagram
Procedure
# Enable source MAC-based ARP attack detection, and specify the handling method as filter.
<Device> system-view
[Device] arp source-mac filter
# Set the check interval for source MAC-based ARP attack detection to 10 seconds.
[Device] arp source-mac check-interval 10
# Set the threshold to 30.
[Device] arp source-mac threshold 30
# Set the lifetime for ARP attack entries to 60 seconds.
[Device] arp source-mac aging-time 60
# Exclude MAC address 0012-3f86-e94c from this detection.
[Device] arp source-mac exclude-mac 0012-3f86-e94c
Configuring interface-based ARP attack suppression
About interface-based ARP attack suppression
Use this feature to rate limit ARP requests on each Layer 3 interface to prevent ARP spoofing attacks.
This feature monitors the number of ARP requests that each Layer 3 interface received within the check interval. If the number on an interface exceeds the ARP attack suppression threshold, the device creates an ARP attack suppression entry for the interface. Before the suppression time for the entry times out, the maximum receiving rate for ARP packets is limited on the interface.
During the suppression period, the device monitors the number of received ARP requests on the interface:
· If the number of the received ARP requests is higher than or equal to a calculated value, the device determines that the ARP attack still exists on the interface. When the suppression time expires, the device resets the suppression time for the entry and continues the ARP suppression on the interface.
The calculated value = (suppression time/check interval) × suppression threshold
· If the number of the received ARP requests is lower than the calculated value, the ARP suppression entry is deleted when the suppression time expires.
Feature and hardware compatibility
This feature is supported only on Layer 3 Ethernet interfaces and Layer 3 Ethernet subinterfaces of CSPEX cards (excluding CSPEX-1204 and CSPEX-1104-E cards) and CEPC cards.
Restrictions and guidelines
As a best practice, enable this feature on the gateway.
Procedure
1. Enter system view.
system-view
2. Enable interface-based ARP attack suppression.
arp attack-suppression enable per-interface
By default, interface-based ARP attack suppression is disabled.
3. Set the check interval for interface-based ARP attack suppression.
arp attack-suppression check-interval interval
By default, the check interval for interface-based ARP attack suppression is 5 seconds.
4. Set the interface-based ARP attack suppression threshold.
arp attack-suppression threshold threshold-value
By default, the interface-based ARP attack suppression threshold is 3000.
5. Set the interface-based ARP attack suppression time.
arp attack-suppression suppression-time time
By default, the interface-based ARP attack suppression time is 300 seconds.
Display and maintenance commands for interface-based ARP attack suppression
Execute display commands in any view.
|
Task |
Command |
|
Display the configuration of the interface-based ARP attack suppression. |
display arp attack-suppression configuration |
|
(In standalone mode.) Display interface-based ARP attack suppression entries. |
display arp attack-suppression per-interface slot slot-number [ count | verbose ] |
|
(In IRF mode.) Display interface-based ARP attack suppression entries. |
display arp attack-suppression per-interface chassis chassis-number slot slot-number [ count | verbose ] |
|
Display interface-based ARP attack suppression entries on an interface. |
display arp attack-suppression per-interface interface interface-type interface-number [ verbose ] |
|
(In standalone mode.) Delete interface-based ARP attack suppression entries. |
reset arp attack-suppression per-interface [ interface interface-type interface-number ] [ slot slot-number ] |
|
(In IRF mode.) Delete interface-based ARP attack suppression entries. |
reset arp attack-suppression per-interface [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ] |
|
(In standalone mode.) Clear statistics of packets dropped by interface-based ARP attack suppression. |
reset arp attack-suppression per-interface statistics [ interface interface-type interface-number ] [ slot slot-number ] |
|
(In IRF mode.) Clear statistics of packets dropped by interface-based ARP attack suppression. |
reset arp attack-suppression per-interface statistics [ interface interface-type interface-number ] [ chassis chassis-number slot slot-number ] |
Configuring ARP packet source MAC consistency check
About ARP packet source MAC consistency check
This feature enables a gateway to filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. This feature allows the gateway to learn correct ARP entries.
Procedure
1. Enter system view.
system-view
2. Enable ARP packet source MAC address consistency check.
arp valid-check enable
By default, ARP packet source MAC address consistency check is disabled.
Display and maintenance commands for ARP packet source MAC consistency check
|
|
IMPORTANT: The display arp valid-check statistics command is supported only on CSPEX (excluding CSPEX-1204 and CSPEX-1104-E cards) and CEPC cards. |
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
(In standalone mode.) Display statistics for packets dropped by ARP packet source MAC consistency check. |
display arp valid-check statistics slot slot-number |
|
(In IRF mode.) Display statistics for packets dropped by ARP packet source MAC consistency check. |
display arp valid-check statistics chassis chassis-number slot slot-number |
|
(In standalone mode.) Clear statistics for packets dropped by ARP packet source MAC consistency check. |
reset arp valid-check statistics [ slot slot-number ] |
|
(In IRF mode.) Clear statistics for packets dropped by ARP packet source MAC consistency check. |
reset arp valid-check statistics [ chassis chassis-number slot slot-number ] |
Configuring ARP active acknowledgement
About ARP active acknowledgement
Configure this feature on gateways to prevent user spoofing.
ARP active acknowledgement prevents a gateway from generating incorrect ARP entries.
In strict mode, a gateway performs more strict validity checks before creating an ARP entry:
· Upon receiving an ARP request destined for the gateway, the gateway sends an ARP reply but does not create an ARP entry.
· Upon receiving an ARP reply, the gateway determines whether it has resolved the sender IP address:
¡ If yes, the gateway performs active acknowledgement. When the ARP reply is verified as valid, the gateway creates an ARP entry.
¡ If no, the gateway discards the packet.
Procedure
1. Enter system view.
system-view
2. Enable the ARP active acknowledgement feature.
arp active-ack [ strict ] enable
By default, this feature is disabled.
For ARP active acknowledgement to take effect in strict mode, make sure ARP blackhole routing is enabled.
Configuring authorized ARP
About authorized ARP
Authorized ARP entries are generated based on the DHCP clients' address leases on the DHCP server or dynamic client entries on the DHCP relay agent. For more information about DHCP server and DHCP relay agent, see Layer 3—IP Services Configuration Guide.
Use this feature to prevent user spoofing and to allow only authorized clients to access network resources.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable authorized ARP on the interface.
arp authorized enable
By default, authorized ARP is disabled.
Example: Configuring authorized ARP on a DHCP server
Network configuration
As shown in Figure 3, configure authorized ARP on GigabitEthernet 3/1/1 of Device A (a DHCP server) to ensure user validity.
Procedure
1. Configure Device A:
# Specify the IP address for GigabitEthernet 3/1/1.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 3/1/1
[DeviceA-GigabitEthernet3/1/1] ip address 10.1.1.1 24
[DeviceA-GigabitEthernet3/1/1] quit
# Configure DHCP.
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 10.1.1.0 mask 255.255.255.0
[DeviceA-dhcp-pool-1] quit
# Enter Layer 3 Ethernet interface view.
[DeviceA] interface gigabitethernet 3/1/1
# Enable authorized ARP.
[DeviceA-GigabitEthernet3/1/1] arp authorized enable
[DeviceA-GigabitEthernet3/1/1] quit
2. Configure Device B:
<DeviceB> system-view
[DeviceB] interface gigabitethernet 3/1/1
[DeviceB-GigabitEthernet3/1/1] ip address dhcp-alloc
[DeviceB-GigabitEthernet3/1/1] quit
Verifying the configuration
# Display authorized ARP entry information on Device A.
[DeviceA] display arp all
Type: S-Static D-Dynamic O-Openflow R-Rule M-Multiport I-Invalid
IP address MAC address VLAN/VSI name Interface Aging Type
10.1.1.2 0012-3f86-e94c -- GE3/1/1 16 D
The output shows that IP address 10.1.1.2 has been assigned to Device B.
Device B must use the IP address and MAC address in the authorized ARP entry to communicate with Device A. Otherwise, the communication fails. Thus user validity is ensured.
Example: Configuring authorized ARP on a DHCP relay agent
Network configuration
As shown in Figure 4, configure authorized ARP on GigabitEthernet 3/1/2 of Device B (a DHCP relay agent) to ensure user validity.
Procedure
1. Configure Device A:
# Specify the IP address for GigabitEthernet 3/1/1.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 3/1/1
[DeviceA-GigabitEthernet3/1/1] ip address 10.1.1.1 24
[DeviceA-GigabitEthernet3/1/1] quit
# Configure DHCP.
[DeviceA] dhcp enable
[DeviceA] dhcp server ip-pool 1
[DeviceA-dhcp-pool-1] network 10.10.1.0 mask 255.255.255.0
[DeviceA-dhcp-pool-1] gateway-list 10.10.1.1
[DeviceA-dhcp-pool-1] quit
[DeviceA] ip route-static 10.10.1.0 24 10.1.1.2
2. Configure Device B:
# Enable DHCP.
<DeviceB> system-view
[DeviceB] dhcp enable
# Specify the IP addresses of GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2.
[DeviceB] interface gigabitethernet 3/1/1
[DeviceB-GigabitEthernet3/1/1] ip address 10.1.1.2 24
[DeviceB-GigabitEthernet3/1/1] quit
[DeviceB] interface gigabitethernet 3/1/2
[DeviceB-GigabitEthernet3/1/2] ip address 10.10.1.1 24
# Enable DHCP relay agent on GigabitEthernet 3/1/2.
[DeviceB-GigabitEthernet3/1/2] dhcp select relay
# Add the DHCP server 10.1.1.1 to DHCP server group 1.
[DeviceB-GigabitEthernet3/1/2] dhcp relay server-address 10.1.1.1
# Enable authorized ARP.
[DeviceB-GigabitEthernet3/1/2] arp authorized enable
[DeviceB-GigabitEthernet3/1/2] quit
# Enable recording of relay entries on the relay agent.
[DeviceB] dhcp relay client-information record
3. Configure Device C:
<DeviceC> system-view
[DeviceC] ip route-static 10.1.1.0 24 10.10.1.1
[DeviceC] interface gigabitethernet 3/1/2
[DeviceC-GigabitEthernet3/1/2] ip address dhcp-alloc
[DeviceC-GigabitEthernet3/1/2] quit
Verifying the configuration
# Display authorized ARP information on Device B.
[DeviceB] display arp all
Type: S-Static D-Dynamic O-Openflow R-Rule I-Invalid
IP address MAC address VLAN/VSI name Interface Aging Type
10.10.1.2 0012-3f86-e94c -- GE3/1/2 16 D
The output shows that Device A assigned the IP address 10.10.1.2 to Device C.
Device C must use the IP address and MAC address in the authorized ARP entry to communicate with Device B. Otherwise, the communication fails. Thus the user validity is ensured.
Configuring ARP scanning and fixed ARP
About ARP scanning and fixed ARP
ARP scanning is typically used together with the fixed ARP feature in small-scale and stable networks.
ARP scanning automatically creates ARP entries for devices in an address range. The device performs ARP scanning in the following steps:
1. Sends ARP requests for each IP address in the address range.
2. Obtains their MAC addresses through received ARP replies.
3. Creates dynamic ARP entries.
Fixed ARP converts existing dynamic ARP entries (including those generated through ARP scanning) to static ARP entries. These static ARP entries are of the same attributes as the ARP entries that are manually configured. This feature prevents ARP entries from being modified by attackers.
Restrictions and guidelines
IP addresses in existing ARP entries are not scanned.
ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
Due to the limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.
The arp fixup command is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.
To delete a static ARP entry converted from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. You can also use the reset arp all command to delete all ARP entries or the reset arp static command to delete all static ARP entries.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Trigger an ARP scanning.
arp scan [ start-ip-address to end-ip-address ]
4. Return to system view.
quit
5. Convert existing dynamic ARP entries to static ARP entries.
arp fixup
Configuring ARP gateway protection
About ARP gateway protection
Configure this feature on interfaces not connected with a gateway to prevent gateway spoofing attacks.
When such an interface receives an ARP packet, it checks whether the sender IP address in the packet is consistent with that of any protected gateway. If yes, it discards the packet. If not, it handles the packet correctly.
Restrictions and guidelines
You can enable ARP gateway protection for a maximum of eight gateways on an interface.
Do not configure both the arp filter source and arp filter binding commands on an interface.
If ARP gateway protection works with ARP fast-reply, ARP gateway protection applies first.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
Supported interface types include Layer 2 Ethernet interface and Layer 2 aggregate interface.
3. Enable ARP gateway protection for the specified gateway.
arp filter source ip-address
By default, ARP gateway protection is disabled.
Example: Configuring ARP gateway protection
Network configuration
As shown in Figure 5, Host B launches gateway spoofing attacks to Device B. As a result, traffic that Device B intends to send to Device A is sent to Host B.
Configure Device B to block such attacks.
Procedure
# Configure ARP gateway protection on Device B.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 3/1/1
[DeviceB-GigabitEthernet3/1/1] arp filter source 10.1.1.1
[DeviceB-GigabitEthernet3/1/1] quit
[DeviceB] interface gigabitethernet 3/1/2
[DeviceB-GigabitEthernet3/1/2] arp filter source 10.1.1.1
Verifying the configuration
# Verify that GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2 discard the incoming ARP packets whose sender IP address is the IP address of the gateway.
Configuring ARP filtering
About ARP filtering
The ARP filtering feature can prevent gateway spoofing and user spoofing attacks.
An interface enabled with this feature checks the sender IP and MAC addresses in a received ARP packet against permitted entries. If a match is found, the packet is handled correctly. If not, the packet is discarded.
Restrictions and guidelines
You can configure a maximum of eight permitted entries on an interface.
Do not configure both the arp filter source and arp filter binding commands on an interface.
If ARP filtering works with ARP fast-reply, ARP filtering applies first.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
Supported interface types include Ethernet interface and Layer 2 aggregate interface.
3. Enable ARP filtering and configure a permitted entry.
arp filter binding ip-address mac-address
By default, ARP filtering is disabled.
Example: Configuring ARP filtering
Network configuration
As shown in Figure 6, the IP and MAC addresses of Host A are 10.1.1.2 and 000f-e349-1233, respectively. The IP and MAC addresses of Host B are 10.1.1.3 and 000f-e349-1234, respectively.
Configure ARP filtering on GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2 of Device B to permit ARP packets from only Host A and Host B.
Procedure
# Configure ARP filtering on Device B.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 3/1/1
[DeviceB-GigabitEthernet3/1/1] arp filter binding 10.1.1.2 000f-e349-1233
[DeviceB-GigabitEthernet3/1/1] quit
[DeviceB] interface gigabitethernet 3/1/2
[DeviceB-GigabitEthernet3/1/2] arp filter binding 10.1.1.3 000f-e349-1234
Verifying the configuration
# Verify that GigabitEthernet 3/1/1 permits ARP packets from Host A and discards other ARP packets.
# Verify that GigabitEthernet 3/1/2 permits ARP packets from Host B and discards other ARP packets.
Configuring ARP sender IP address checking
About ARP sender IP address checking
This feature allows a gateway to check the sender IP address of an ARP packet in a VLAN before ARP learning. If the sender IP address is within the allowed IP address range, the gateway continues ARP learning. If the sender IP address is out of the range, the gateway determines the ARP packet as an attack packet and discards it.
Restrictions and guidelines
If the VLAN is a sub-VLAN and is associated with a super VLAN, configure this checking feature only in the sub-VLAN.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable the ARP sender IP address checking feature and specify the IP address range.
arp sender-ip-range start-ip-address end-ip-address
By default, the ARP sender IP address checking feature is disabled.
Example: Configuring ARP sender IP address checking
Network configuration
As shown in Figure 7, perform the following tasks:
· Create a super VLAN and associate it with VLANs 2, 3, and 4. VLANs 2, 3, and 4 are isolated at Layer 2 but interoperable at Layer 3. All hosts in VLANs 2, 3, and 4 use the gateway IP address 10.1.1.1/24 for Layer 3 communication.
· Configure the ARP sender IP address checking feature in VLAN 2 and specify the sender IP address range 10.1.1.1 to 10.1.1.10.
Procedure
# Create VLAN 10.
<Device> system-view
[Device] vlan 10
[Device-vlan10] quit
# Create VLAN-interface 10, and assign IP address 10.1.1.1/24 to it.
[Device] interface vlan-interface 10
[Device-Vlan-interface10] ip address 10.1.1.1 255.255.255.0
[Device] quit
# Create VLAN 2, and assign GigabitEthernet 3/1/1 and GigabitEthernet 3/1/2 to the VLAN.
[Device] vlan 2
[Device-vlan2] port gigabitethernet 3/1/1 gigabitethernet 3/1/2
[Device-vlan2] quit
# Create VLAN 3, and assign GigabitEthernet 3/1/3 and GigabitEthernet 3/1/4 to the VLAN.
[Device] vlan 3
[Device-vlan3] port gigabitethernet 3/1/3 gigabitethernet 3/1/4
[Device-vlan3] quit
# Create VLAN 4, and assign GigabitEthernet 3/1/5 and GigabitEthernet 3/1/6 to the VLAN.
[Device] vlan 4
[Device-vlan4] port gigabitethernet 3/1/5 gigabitethernet 3/1/6
[Device-vlan4] quit
# Configure VLAN 10 as a super VLAN, and associate sub-VLANs 2, 3, and 4 with the super VLAN.
[Device] vlan 10
[Device-vlan10] supervlan
[Device-vlan10] subvlan 2 3 4
[Device-vlan10] quit
# Enable the ARP sender IP address checking feature in VLAN 2 and specify the IP address range 10.1.1.1 to 10.1.1.10.
[Device] vlan 2
[Device-vlan2] arp sender-ip-range 10.1.1.1 10.1.1.10
Verifying the configuration
# Verify that the device accepts only ARP packets whose sender IP addresses are within the specified address range 10.1.1.1 to 10.1.1.10. The device discards the ARP packets with the sender IP addresses that are out of the range.
