Huawei Quidway S9300 Configuration Manual page 111

Terabit routing switch v100r001c03
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
The S9300 can prevent ARP spoofing by using the following methods:
• Fixed MAC address: After learning an ARP entry, the S9300 does not allow the MAC address in that entry to be modified through ARP learning until the entry ages. Thus the S9300 prevents the ARP entries of authorized users from being modified without permission.
The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac mode, the MAC address cannot be modified, but the VLAN and interface can be modified; in fixed-all mode, the MAC address, VLAN, and interface cannot be modified.
• Send-ack: The S9300 does not modify the ARP entry immediately when it receives an ARP packet that would change the MAC address of an existing entry. Instead, the S9300 sends a unicast acknowledgement packet to the user matching the MAC address in the original ARP entry.
Preventing ARP Gateway Attack
An ARP gateway attack means that an attacker sends gratuitous ARP packets on a local area network (LAN) whose source IP address is the gateway address (a bogus gateway). After receiving these packets, hosts replace the MAC address of the gateway in their ARP tables with the MAC address of the attacker. As a result, none of the hosts on the LAN can access the network.
When the S9300 receives ARP packets with the bogus gateway address, there are the following situations:
• The source IP address in the ARP packets is the same as the IP address of the interface that receives the packets.
• The source IP address in the ARP packets is the virtual IP address of the incoming interface, but the source MAC address of the ARP packets is not the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group, when the VRRP group is in virtual MAC address mode.
In either of the preceding situations, the S9300 generates an ARP anti-attack entry and discards packets with the same source MAC address in the Ethernet header for a period (the default value is three minutes). This prevents ARP packets with the bogus gateway address from being broadcast in the VLAN.
Suppressing ARP Packet Source
When a large number of ARP packets are sent from one source IP address, they consume the CPU resources of the device and the bandwidth reserved for ARP packets.
The S9300 can limit the rate of ARP packets with a specified source IP address. If the number of ARP packets with that source IP address received by the S9300 within a specified period exceeds the configured threshold, the S9300 does not process the excess ARP request packets.
Suppressing ARP Miss Packet Source
When a host attacks the device by sending a large number of IP packets whose destination IP address cannot be resolved, the S9300 suppresses the ARP Miss packets that have the specified source IP address. If a large number of IP packets whose destination IP address cannot be resolved are sent to the S9300 from one source IP address, ARP Miss packets are triggered. The S9300 collects statistics on the ARP Miss packets. If a source IP address triggers ARP Miss packets continuously in a period
Issue 01 (2009-07-28)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration 4-3
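The three entry-check behaviours (fixed-mac, fixed-all, send-ack) and the two bogus-gateway situations described above can be made concrete in a small simulation. The following Python is an added example written for this page, not Huawei code and not the S9300's implementation: the packet fields, the clock values, the ARP aging time and the rule used to settle a send-ack probe (the entry changes only if the original owner does not answer) are assumptions, since the guide describes the probe but not its outcome. The three-minute discard period for a bogus-gateway sender is the default the guide states.

```python
"""Model of the S9300 ARP anti-attack checks described on this page.

Added example, not Huawei code. Packet fields, clock values, the ARP aging
time and the resolve_ack outcome rule are assumptions of this simulation.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class EntryCheck(Enum):
    NONE = "none"
    FIXED_MAC = "fixed-mac"   # MAC locked until aging; VLAN/interface may change
    FIXED_ALL = "fixed-all"   # MAC, VLAN and interface all locked until aging
    SEND_ACK = "send-ack"     # probe the current owner before changing the MAC


@dataclass(frozen=True)
class ArpPacket:
    src_ip: str        # sender protocol address in the ARP body
    src_mac: str       # sender hardware address in the ARP body
    eth_src_mac: str   # source MAC in the Ethernet header
    vlan: int
    interface: str     # interface the switch received the packet on


@dataclass
class ArpEntry:
    mac: str
    vlan: int
    interface: str
    learned_at: float


@dataclass
class ArpAntiAttack:
    mode: EntryCheck = EntryCheck.NONE
    aging_secs: float = 1200.0    # assumed ARP aging time
    discard_secs: float = 180.0   # guide: anti-attack entry lives three minutes by default
    interface_ips: Dict[str, str] = field(default_factory=dict)        # interface -> own IP
    vrrp: Dict[str, Tuple[str, str]] = field(default_factory=dict)     # interface -> (virtual IP, virtual MAC)
    table: Dict[str, ArpEntry] = field(default_factory=dict)           # IP -> ARP entry
    discard_until: Dict[str, float] = field(default_factory=dict)      # Ethernet source MAC -> expiry
    pending: Dict[str, ArpPacket] = field(default_factory=dict)        # send-ack candidates by IP
    probes: List[Tuple[str, str]] = field(default_factory=list)        # unicast probes sent: (dst MAC, IP)

    def is_bogus_gateway(self, pkt: ArpPacket) -> bool:
        # Situation 1: sender IP equals the IP address of the receiving interface.
        if self.interface_ips.get(pkt.interface) == pkt.src_ip:
            return True
        # Situation 2: sender IP is the interface's VRRP virtual IP, but the sender
        # MAC is not the group's virtual MAC (virtual MAC address mode).
        virt = self.vrrp.get(pkt.interface)
        return bool(virt) and virt[0] == pkt.src_ip and virt[1].lower() != pkt.src_mac.lower()

    def receive(self, pkt: ArpPacket, now: float) -> str:
        expiry = self.discard_until.get(pkt.eth_src_mac)
        if expiry is not None:
            if now < expiry:
                return "discarded:anti-attack-entry"   # same Ethernet source MAC, still in period
            del self.discard_until[pkt.eth_src_mac]     # period elapsed, entry removed
        if self.is_bogus_gateway(pkt):
            self.discard_until[pkt.eth_src_mac] = now + self.discard_secs
            return "discarded:bogus-gateway"
        cur: Optional[ArpEntry] = self.table.get(pkt.src_ip)
        if cur is None or now - cur.learned_at >= self.aging_secs:
            self.table[pkt.src_ip] = ArpEntry(pkt.src_mac, pkt.vlan, pkt.interface, now)
            return "learned"
        mac_changed = cur.mac.lower() != pkt.src_mac.lower()
        loc_changed = (cur.vlan, cur.interface) != (pkt.vlan, pkt.interface)
        if not mac_changed and not loc_changed:
            cur.learned_at = now                         # consistent packet refreshes aging
            return "refreshed"
        if self.mode is EntryCheck.FIXED_ALL:
            return "rejected:fixed-all"                  # nothing may change before aging
        if self.mode is EntryCheck.FIXED_MAC and mac_changed:
            return "rejected:fixed-mac"                  # MAC locked; VLAN/interface fall through
        if self.mode is EntryCheck.SEND_ACK and mac_changed:
            self.pending[pkt.src_ip] = pkt               # hold the change
            self.probes.append((cur.mac, pkt.src_ip))    # unicast to MAC in the original entry
            return "pending-ack"
        self.table[pkt.src_ip] = ArpEntry(pkt.src_mac, pkt.vlan, pkt.interface, now)
        return "updated"

    def resolve_ack(self, ip: str, owner_replied: bool, now: float) -> str:
        # Assumption (not stated in the guide): the held change is applied only
        # when the original owner does not answer the unicast probe.
        pkt = self.pending.pop(ip, None)
        if pkt is None:
            return "no-pending"
        if owner_replied:
            return "rejected:owner-answered"
        self.table[ip] = ArpEntry(pkt.src_mac, pkt.vlan, pkt.interface, now)
        return "updated"
```

Note that the discard entry is keyed on the Ethernet source MAC, not on the spoofed IP, which is why a host that once sent a bogus-gateway packet has all of its ARP traffic dropped for the period, whatever IP it claims next.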
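The two rate limits described above, per source IP for ARP packets and per source IP for ARP Miss events, share one shape: count what a source sends within a period and stop processing once the count passes the threshold, while leaving every other source untouched. The Python below is an added example for this page, not Huawei code and not the S9300's implementation; the fixed-window counter, the thresholds, the window length and the constructed sample addresses are assumptions of the simulation (the page gives neither the period nor default thresholds).

```python
"""Per-source-IP suppression of ARP packets and ARP Miss events.

Added example, not Huawei code. The fixed-window counter, thresholds and
sample addresses are assumptions of this simulation.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple


@dataclass
class SourceRateLimiter:
    """Fixed-window counter: at most `maximum` events per `period` seconds per key."""
    maximum: int
    period: float
    windows: Dict[str, Tuple[float, int]] = field(default_factory=dict)  # key -> (window start, count)

    def allow(self, key: str, now: float) -> bool:
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.period:       # period elapsed: open a fresh window
            start, count = now, 0
        count += 1
        self.windows[key] = (start, count)
        return count <= self.maximum         # packets beyond the threshold are not processed


@dataclass
class ArpSuppression:
    arp_limit: SourceRateLimiter        # ARP packets per source IP
    arp_miss_limit: SourceRateLimiter   # ARP Miss events per source IP
    resolved: Set[str] = field(default_factory=set)   # IPs that already have an ARP entry
    stats: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def handle_arp(self, src_ip: str, now: float) -> str:
        if not self.arp_limit.allow(src_ip, now):
            self.stats["arp_dropped"] += 1
            return "dropped:arp-speed-limit"
        self.resolved.add(src_ip)            # sender of a processed ARP packet becomes resolvable
        return "processed"

    def handle_ip_packet(self, src_ip: str, dst_ip: str, now: float) -> str:
        if dst_ip in self.resolved:
            return "forwarded"
        # No ARP entry for the destination: this IP packet triggers an ARP Miss.
        if not self.arp_miss_limit.allow(src_ip, now):
            self.stats["arp_miss_suppressed"] += 1
            return "dropped:arp-miss-speed-limit"   # no ARP request is generated for it
        self.stats["arp_miss"] += 1
        return "arp-miss:request-sent"


def simulate_scan(sup: ArpSuppression, src_ip: str, targets: Iterable[str],
                  t0: float, gap: float = 0.01) -> Dict[str, int]:
    """One host sends one IP packet to each target in quick succession; returns outcome counts."""
    counts: Dict[str, int] = defaultdict(int)
    for i, dst in enumerate(targets):
        counts[sup.handle_ip_packet(src_ip, dst, t0 + i * gap)] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed scenario: 10.0.0.9 floods ARP, then sweeps an unresolved subnet.
    sup = ArpSuppression(SourceRateLimiter(maximum=5, period=1.0),
                         SourceRateLimiter(maximum=3, period=1.0))
    print([sup.handle_arp("10.0.0.9", 0.1 * i) for i in range(7)])
    print(simulate_scan(sup, "10.0.0.9", [f"10.0.1.{i}" for i in range(1, 11)], 2.0))
    print(dict(sup.stats))
```

Because the counters are keyed on source IP, a sweep from one host exhausts only that host's ARP Miss budget; a neighbour's packets to unresolved destinations still trigger resolution in the same window.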