Configuring Arp Detection; Introduction To Arp Detection - H3C S5120-SI Series Configuration Manual


To do...                              Use the command...                            Remarks
1. Enter system view                  system-view
2. Enter Ethernet interface view      interface interface-type interface-number
3. Configure ARP packet rate limit    arp rate-limit { disable | rate pps drop }    Required. By default, the ARP packet rate limit is not enabled.

Configuring ARP detection

For information about DHCP snooping, refer to DHCP Configuration.
For information about 802.1X, refer to 802.1X Configuration.

Introduction to ARP detection

The ARP detection feature allows only the ARP packets of authorized clients to be forwarded, preventing man-in-the-middle attacks.

Man-in-the-middle attack

According to ARP design, after receiving an ARP reply, a host adds the IP-to-MAC mapping of the sender to its ARP mapping table. This design reduces ARP traffic on the network, but also makes ARP spoofing possible.

Man-in-the-middle attack process

As shown in Figure 4, Host A communicates with Host C through a switch.
1. After intercepting the traffic between Host A and Host C, a hacker (Host B) forwards forged ARP replies to Host A and Host C respectively.
2. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B (MAC_B).
3. After that, Host B establishes independent connections with Host A and Host C.
4. Host B relays messages between Host A and Host C, deceiving them into believing that they are talking directly to each other over a private connection.
5. Host B controls the entire conversation, and can intercept and modify the communication data.
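A minimal model of the switch-side check, added here as an illustration and not H3C's own code: ARP packets arriving on untrusted ports are compared with a binding table like the one DHCP snooping builds, so the forged replies Host B sends in the scenario above are dropped while Host A's genuine reply is forwarded, and a second function models the arp rate-limit command from the table. The binding table, host addresses, port names and packet-per-second budget are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample binding table, as DHCP snooping would populate it:
# sender IP -> (MAC, VLAN, ingress port). 00aa-0000-000b plays the role of MAC_B.
BINDINGS = {
    "10.1.1.1": ("00aa-0000-000a", 10, "GE1/0/1"),  # Host A
    "10.1.1.2": ("00aa-0000-000b", 10, "GE1/0/2"),  # Host B (legitimately bound)
    "10.1.1.3": ("00aa-0000-000c", 10, "GE1/0/3"),  # Host C
}
TRUSTED_PORTS = {"GE1/0/24"}  # assumed uplink: ARP detection is not applied here


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str   # sender hardware address carried in the ARP payload
    vlan: int
    port: str         # ingress interface


def arp_detection(pkt: ArpPacket, bindings=BINDINGS, trusted=TRUSTED_PORTS) -> str:
    """Return 'forward' or 'drop:<reason>' for one ARP packet on an untrusted port."""
    if pkt.port in trusted:
        return "forward"
    entry = bindings.get(pkt.sender_ip)
    if entry is None:
        return "drop:no binding for sender IP"
    mac, vlan, port = entry
    if pkt.sender_mac != mac:
        return "drop:sender MAC does not match binding"
    if (pkt.vlan, pkt.port) != (vlan, port):
        return "drop:VLAN/port does not match binding"
    return "forward"


def arp_rate_limit(packets, pps: int):
    """Model of 'arp rate-limit rate pps drop': per-port budget of pps packets per second."""
    seen = defaultdict(int)
    verdicts = []
    for second, pkt in packets:  # packets are (arrival second, ArpPacket) pairs
        seen[(pkt.port, second)] += 1
        verdicts.append("forward" if seen[(pkt.port, second)] <= pps else "drop:rate")
    return verdicts


def mitm_scenario():
    """Host A's genuine reply, then Host B's forged replies claiming C's and A's IPs with MAC_B."""
    genuine = ArpPacket("10.1.1.1", "00aa-0000-000a", 10, "GE1/0/1")
    forged_to_a = ArpPacket("10.1.1.3", "00aa-0000-000b", 10, "GE1/0/2")  # "I am Host C"
    forged_to_c = ArpPacket("10.1.1.1", "00aa-0000-000b", 10, "GE1/0/2")  # "I am Host A"
    return [arp_detection(p) for p in (genuine, forged_to_a, forged_to_c)]
```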
