Figure 4-2 Networking Diagram for Preventing Man-in-the-Middle Attacks - Huawei Quidway S9300 Configuration Manual

Terabit routing switch

4 ARP Security Configuration
the-middle attacks, you can configure the IP source guard function. After the IP source guard
function is configured on the S9300, the S9300 checks the IP packets according to the binding
table. Only the IP packets that match the content of the binding table can be forwarded; the other
IP packets are discarded. In addition, you can enable the alarm function for discarded packets.

Figure 4-2 Networking diagram for preventing man-in-the-middle attacks

[Figure: S9300 with interfaces GE1/0/1 and GE1/0/2; Client (IP: 10.0.0.1/24, MAC: 1-1-1, VLAN ID: 10); Attacker; Server]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IP source guard function.
2. Configure the check items for ARP packets.
3. Configure a static binding table.
4. Enable the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
- Interfaces enabled with IP source guard: GE 1/0/1 and GE 1/0/2
- Check items: IP address + MAC address
- Alarm threshold of the number of discarded ARP packets: 80
- IP address of the client configured in the static binding table: 10.0.0.1/2; MAC address: 1-1-1; VLAN ID: 10

Procedure
Step 1 Configure the IP source guard function.
# Enable the IP source guard function on GE 1/0/1 connected to the client.
[Quidway] interface gigabitethernet 1/0/1
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
[Quidway-GigabitEthernet1/0/1] arp anti-attack check user-bind check-item ip-address mac-address
[Quidway-GigabitEthernet1/0/1] quit
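
The binding-table check and discard alarm from this configuration example, modeled in Python as an added illustration (not Huawei's code and not the S9300's implementation). The class and function names are hypothetical and the sender MAC 2-2-2 is constructed; the model assumes that H-H-H MAC groups are zero-padded and that the alarm is raised once the discard count exceeds the threshold.

```python
from dataclasses import dataclass

# Simplified model of a user-bind check; an assumption, not the switch's code.
ALARM_THRESHOLD = 80  # alarm threshold from the page's data preparation

def norm_mac(mac: str) -> str:
    """Normalize H-H-H notation so '1-1-1' equals '0001-0001-0001'."""
    return "-".join(group.zfill(4).lower() for group in mac.split("-"))

@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int

class UserBindCheck:
    def __init__(self, bindings, check_items, threshold=ALARM_THRESHOLD):
        self.bindings = list(bindings)
        self.check_items = set(check_items)  # subset of {"ip", "mac", "vlan"}
        self.threshold = threshold
        self.discarded = 0

    def _matches(self, b, ip, mac, vlan):
        # Only the configured check items are compared against the entry.
        pairs = {"ip": (b.ip, ip), "vlan": (b.vlan, vlan),
                 "mac": (norm_mac(b.mac), norm_mac(mac))}
        return all(pairs[i][0] == pairs[i][1] for i in self.check_items)

    def forward(self, ip, mac, vlan):
        """Return True to forward the ARP packet, False to discard it."""
        if any(self._matches(b, ip, mac, vlan) for b in self.bindings):
            return True
        self.discarded += 1
        return False

    def alarm(self):
        # Assumption: the alarm fires once discards exceed the threshold.
        return self.discarded > self.threshold

def demo():
    table = [Binding("10.0.0.1", "1-1-1", 10)]  # static entry from the page
    guard = UserBindCheck(table, {"ip", "mac"})  # check items: IP + MAC
    client = guard.forward("10.0.0.1", "0001-0001-0001", 10)
    spoofed = guard.forward("10.0.0.1", "2-2-2", 10)     # constructed MAC
    other_vlan = guard.forward("10.0.0.1", "1-1-1", 20)  # VLAN not compared
    for _ in range(80):
        guard.forward("10.0.0.1", "2-2-2", 10)
    return client, spoofed, other_vlan, guard.discarded, guard.alarm()
```

With IP address + MAC address as the only check items, the VLAN ID in the binding entry is not compared; adding "vlan" to the check items in this model makes the third packet in `demo()` a discard as well.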
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 06 (2010–01–08)
