Introduction To Arp Packet Rate Limit - H3C S5600 SERIES Operation Manual

Figure 1-3 Network diagram for ARP man-in-the-middle attack
ARP attack detection
To guard against the man-in-the-middle attacks launched by hackers or attackers, S5600 series
Ethernet switches support the ARP attack detection function. All ARP packets (both requests and responses)
passing through the switch are redirected to the CPU, which checks the validity of each ARP
packet against the DHCP snooping table or the manually configured IP binding table. For a description
of the DHCP snooping table and the manually configured IP binding table, refer to the DHCP snooping
section in the part discussing DHCP in this manual.
After you enable the ARP attack detection function, the switch checks the following items of an ARP
packet: the source MAC address, the source IP address, the number of the port receiving the ARP packet,
and the ID of the VLAN to which that port belongs. If these items match an entry of the DHCP snooping table or
the manually configured IP binding table, the switch forwards the ARP packet; if not, the switch
discards the ARP packet.
With trusted ports configured, ARP packets coming from the trusted ports will not be checked,
while those from other ports will be checked through the DHCP snooping table or the manually
configured IP binding table.
With the ARP restricted forwarding function enabled, ARP request packets are forwarded through
trusted ports only; ARP response packets are forwarded according to the MAC addresses in the
packets, or through trusted ports if the MAC address table contains no such destination MAC
addresses.

Introduction to ARP Packet Rate Limit

To prevent the man-in-the-middle attack, a switch with the ARP attack detection function enabled
delivers ARP packets to the CPU to check the validity of the packets. However, this creates a new
problem: if an attacker sends a large number of ARP packets to a port of the switch, the CPU becomes
overloaded, causing other functions to fail and possibly the whole device to break down. To guard against
such attacks, S5600 series Ethernet switches support the ARP packet rate limit function, which
shuts down the attacked port, thus preventing serious impact on the CPU.
With this function enabled on a port, the switch counts the ARP packets received on the port within
each second. If the number of ARP packets received on the port per second exceeds the preconfigured
1-5
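The following Python model is an added example, not H3C code; it reproduces the two mechanisms described above: the four-field binding check (with trusted ports exempt) and the per-port, per-second ARP counter that shuts a port once the threshold is exceeded. The binding entries, port names and threshold are constructed values chosen for illustration.

```python
"""Model of S5600 ARP attack detection and ARP packet rate limiting.
Added example; the binding table, port names and threshold are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    src_mac: str
    src_ip: str
    port: str      # receiving port
    vlan: int      # VLAN the receiving port belongs to
    t: float       # receive time in seconds


# Constructed binding table: entries a DHCP snooping table or manual
# IP binding table would hold, keyed by (source MAC, source IP, port, VLAN).
BINDINGS = {
    ("00:11:22:33:44:55", "10.0.0.10", "GE1/0/1", 10),
    ("00:11:22:33:44:66", "10.0.0.11", "GE1/0/2", 10),
}
TRUSTED_PORTS = {"GE1/0/24"}   # e.g. the uplink towards the DHCP server


def arp_valid(pkt, bindings=BINDINGS, trusted=TRUSTED_PORTS):
    """ARP from a trusted port is forwarded unchecked; any other ARP packet
    is forwarded only if all four fields match one binding entry."""
    if pkt.port in trusted:
        return True
    return (pkt.src_mac, pkt.src_ip, pkt.port, pkt.vlan) in bindings


class ArpRateLimiter:
    """Counts ARP packets per port within each one-second window and shuts
    the port down when the count in a window exceeds the threshold."""

    def __init__(self, threshold):
        self.threshold = threshold          # assumed configured limit
        self.counts = defaultdict(int)      # ARP packets seen this second
        self.window = {}                    # current second per port
        self.shutdown = set()               # ports shut down by the limiter

    def receive(self, pkt):
        """Account one ARP packet; return True if the port is still up."""
        if pkt.port in self.shutdown:
            return False
        sec = int(pkt.t)
        if self.window.get(pkt.port) != sec:   # new second: reset counter
            self.window[pkt.port] = sec
            self.counts[pkt.port] = 0
        self.counts[pkt.port] += 1
        if self.counts[pkt.port] > self.threshold:
            self.shutdown.add(pkt.port)
            return False
        return True
```

A packet whose source IP belongs to a different host's binding (the classic spoof the detection function targets) fails `arp_valid`, while a flood on one port trips the limiter without affecting other ports.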