To do... / Use the command... / Remarks
1. Enter system view
   Command: system-view
2. Enter Ethernet interface view
   Command: interface interface-type interface-number
3. Configure the ARP packet rate limit
   Command: arp rate-limit { disable | rate pps drop }
   Remarks: Required. By default, the ARP packet rate limit is not enabled.
Configuring ARP detection
• For information about DHCP snooping, refer to DHCP Configuration.
• For information about 802.1X, refer to 802.1X Configuration.
Introduction to ARP detection
The ARP detection feature allows only the ARP packets of authorized clients to be forwarded; forged ARP packets from other hosts are discarded, which defeats the man-in-the-middle attack described below.
Man-in-the-middle attack
In the ARP design, a host that receives an ARP reply adds the sender's IP-to-MAC mapping to its ARP table without checking whether it sent a matching request or whether the sender actually owns that IP address. This keeps ARP traffic on the network low, but it also makes ARP spoofing possible: any host on the segment can rewrite its neighbours' mappings by sending forged replies.
Man-in-the-middle attack process
As shown in Figure 4:
1. Host A communicates with Host C through a switch.
2. An attacker (Host B), wanting to intercept the traffic between Host A and Host C, sends forged ARP replies to each of them: the reply to Host A maps Host C's IP address to MAC_B, and the reply to Host C maps Host A's IP address to MAC_B.
3. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B (MAC_B).
4. After that, Host B establishes independent connections with Host A and Host C.
5. Host B relays messages between Host A and Host C, deceiving them into believing that they are talking directly to each other over a private connection. Host B controls the entire conversation, and can intercept and modify the communication data.
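The following Python, added here as an illustration (it is not part of this guide and not switch firmware), models the two defences this page describes: the per-interface ARP packet rate limit from the table above, and ARP detection, which forwards only ARP packets whose sender IP-to-MAC mapping matches an authorized binding. It replays the Figure 4 scenario: Host B's forged replies fail the binding check, and an ARP flood from Host B trips the rate limit. The interface names, MAC addresses, binding table (standing in for entries a switch would learn through DHCP snooping) and the packets are constructed for the example, and the one-second sliding window is an assumption about how the pps value is counted.

```python
"""ARP packet rate limiting and ARP detection, modelled in Python.

Added illustration for this page; it is not Comware code. The interface
names, MAC addresses, binding table and packets below are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    ts: float           # arrival time (seconds)
    iface: str          # ingress interface
    sender_ip: str      # sender protocol address from the ARP header
    sender_mac: str     # sender hardware address from the ARP header
    op: str             # "request" or "reply" (both are checked)


class ArpRateLimiter:
    """Per-interface limit in the spirit of 'arp rate-limit rate <pps> drop':
    once <pps> ARP packets have arrived on an interface within the last
    second (assumed sliding window), further ARP packets are dropped."""

    def __init__(self, pps: int):
        self.pps = pps
        self._recent = defaultdict(deque)   # iface -> timestamps in window

    def permit(self, pkt: ArpPacket) -> bool:
        window = self._recent[pkt.iface]
        while window and pkt.ts - window[0] >= 1.0:
            window.popleft()                # slide the one-second window
        if len(window) >= self.pps:
            return False
        window.append(pkt.ts)
        return True


class ArpDetector:
    """Forward an ARP packet from an untrusted interface only if its sender
    IP-to-MAC mapping matches an authorized binding for that interface.
    The bindings stand in for entries learned via DHCP snooping."""

    def __init__(self, bindings: dict, trusted=frozenset()):
        self.bindings = bindings            # {(iface, ip): mac}
        self.trusted = set(trusted)         # e.g. the uplink to the gateway

    def permit(self, pkt: ArpPacket) -> bool:
        if pkt.iface in self.trusted:
            return True
        return self.bindings.get((pkt.iface, pkt.sender_ip)) == pkt.sender_mac


def filter_arp(packets, limiter, detector):
    """Apply the rate limit first, then ARP detection; return the packets
    that would be forwarded and (packet, reason) pairs for those dropped."""
    forwarded, dropped = [], []
    for p in packets:
        if not limiter.permit(p):
            dropped.append((p, "rate-limit"))
        elif not detector.permit(p):
            dropped.append((p, "arp-detection"))
        else:
            forwarded.append(p)
    return forwarded, dropped


# Constructed scenario mirroring Figure 4: A and C talk through the switch,
# B (the attacker) sits on a third port.
MAC_A, MAC_B, MAC_C = "000a-0000-0001", "000b-0000-0002", "000c-0000-0003"
BINDINGS = {
    ("GE1/0/1", "10.1.1.1"): MAC_A,
    ("GE1/0/2", "10.1.1.2"): MAC_B,
    ("GE1/0/3", "10.1.1.3"): MAC_C,
}


def sample_traffic():
    pkts = [
        ArpPacket(0.00, "GE1/0/1", "10.1.1.1", MAC_A, "request"),   # genuine
        ArpPacket(0.01, "GE1/0/3", "10.1.1.3", MAC_C, "reply"),     # genuine
        # Host B's forged replies: it claims each peer's IP with MAC_B
        ArpPacket(0.02, "GE1/0/2", "10.1.1.3", MAC_B, "reply"),
        ArpPacket(0.03, "GE1/0/2", "10.1.1.1", MAC_B, "reply"),
    ]
    # Host B also floods 20 ARP requests within 0.1 s
    pkts += [ArpPacket(0.10 + i * 0.005, "GE1/0/2", "10.1.1.2", MAC_B, "request")
             for i in range(20)]
    return pkts


def run_demo(pps: int = 10):
    """Return (forwarded count, {reason: dropped count}) for the scenario."""
    fwd, dropped = filter_arp(sample_traffic(), ArpRateLimiter(pps),
                              ArpDetector(BINDINGS))
    reasons = defaultdict(int)
    for _, why in dropped:
        reasons[why] += 1
    return len(fwd), dict(reasons)


if __name__ == "__main__":
    print(run_demo())   # (10, {'arp-detection': 2, 'rate-limit': 12})
```

With the default of 10 pps, the two forged replies pass the rate limiter but are dropped by the binding check, because Host B's port has no binding for the IP addresses it claims; the flood then fills the one-second window so that only the first eight requests after the forgeries are forwarded. Raising the limit to 100 pps forwards the whole flood while the forged replies are still dropped, which shows why the two mechanisms are complementary rather than alternatives.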