Preventing The Arp Address Spoofing Attack; Preventing The Arp Gateway Duplicate Attack - Huawei Quidway S9300 Configuration Manual

Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
l
l
l
Pre-configuration Tasks
Before configuring ARP anti-attack, complete the following task:
l
Data Preparation
To configure ARP anti-attack, you need the following data.
No.
1

4.4.2 Preventing the ARP Address Spoofing Attack

Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable
The ARP anti-spoofing function is enabled.
You can use only one ARP anti-spoofing mode. If an ARP anti-spoofing mode is already used,
the latest configuration overrides the previous configuration.
By default, the ARP anti-spoofing function is disabled on the S9300.
----End

4.4.3 Preventing the ARP Gateway Duplicate Attack

Issue 06 (2010–01–08)
To prevent attackers from forging the ARP packets of authorized users and modifying the
ARP entries on the gateway, you can configure the ARP address anti-spoofing function.
To prevent attackers from forging the gateway address, sending gratuitous ARP packets
whose source IP addresses are the gateway address on the LAN, and thus making the host
change the gateway address into the address of the attacker, you can configure the ARP
gateway anti-collision function.
To prevent unauthorized users from accessing external networks by sending ARP packets
to the S9300, you can configure the ARP packet checking function.
Setting the parameters of the link layer protocol and the IP address of the interface and
enabling the link-layer protocol
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration
Data
(Optional) Alarm threshold of the ARP
packets discarded because they do not match
the binding table.
4-9