Limiting Arp Entry Learning; Establishing The Configuration Task - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03

4 ARP Security Configuration
and the triggered rate exceeds the set threshold, the S9300 considers that an attack is occurring. In
this case, the S9300 delivers ACL rules to discard the IP packets sent from this address for a
period (the default value is 50 seconds).
Preventing ARP Man-in-the-Middle Attack
A man-in-the-middle on the network may send the client a packet carrying its own MAC address and the
IP address of the server. The client learns the MAC address and IP address contained in the packet
and treats the man-in-the-middle as the server. The man-in-the-middle then sends the server a packet
carrying its own MAC address and the IP address of the client. The server learns the IP address and
MAC address of the man-in-the-middle and treats the man-in-the-middle as the client. In this way,
the man-in-the-middle obtains the data exchanged between the server and the client.
To prevent man-in-the-middle attacks, you can configure the S9300 to check ARP packets against
the binding table. Only packets that match the contents of the binding table are forwarded; all
other packets are discarded.
Limitation on the Transmission Rate of ARP Packets
The transmission rate of ARP packets on the S9300 can be limited. This prevents excessive ARP
packets from being sent to the security module and degrading system performance.

4.3 Limiting ARP Entry Learning

This section describes how to limit the learning of ARP entries.

4.3.1 Establishing the Configuration Task

4.3.2 Enabling Strict ARP Entry Learning
4.3.3 Configuring Interface-based ARP Entry Limitation
4.3.4 Checking the Configuration
4.3.1 Establishing the Configuration Task
Applicable Environment
After strict ARP entry learning is enabled, the S9300 learns ARP entries only from the ARP reply
messages that answer ARP request messages it sent itself.
You can configure interface-based limitation on ARP entry learning to limit the number of ARP
entries that each interface learns dynamically.
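The three checks this section and the previous one describe (binding-table check, strict ARP entry learning, interface-based entry limit) modelled in Python as an added example; this is not Huawei's code, and the ArpGuard and ArpPacket names, the verdict strings and the sample addresses and interface names are assumptions constructed for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional
# Constructed packet model: op is "request" or "reply"; ingress is the arrival interface.
ArpPacket = namedtuple("ArpPacket", "op sender_ip sender_mac ingress")
@dataclass
class ArpGuard:
    """Hypothetical model of the three ARP checks; not the S9300's own code."""
    bindings: Optional[dict] = None              # ip -> (mac, interface); None disables the check
    limits: dict = field(default_factory=dict)   # interface -> max dynamically learned entries
    strict: bool = True                          # learn only replies to locally sent requests
    pending: set = field(default_factory=set)    # IPs this device has sent ARP requests for
    table: dict = field(default_factory=dict)    # dynamic entries: ip -> (mac, interface)

    def send_request(self, target_ip: str) -> None:
        self.pending.add(target_ip)              # remember the request so its reply can be learned

    def handle(self, pkt: ArpPacket) -> str:
        # 1. Binding-table check: only packets matching a static binding are forwarded.
        if self.bindings is not None:
            if self.bindings.get(pkt.sender_ip) != (pkt.sender_mac, pkt.ingress):
                return "drop:binding-mismatch"
        # 2. Strict learning: only a reply to a request sent locally creates an entry.
        if self.strict:
            if pkt.op != "reply" or pkt.sender_ip not in self.pending:
                return "forward:not-learned"
            self.pending.discard(pkt.sender_ip)
        # 3. Interface-based limit on the number of dynamically learned entries.
        if pkt.sender_ip not in self.table:
            used = sum(1 for _, ifc in self.table.values() if ifc == pkt.ingress)
            if used >= self.limits.get(pkt.ingress, float("inf")):
                return "drop:interface-limit"
        self.table[pkt.sender_ip] = (pkt.sender_mac, pkt.ingress)
        return "learned"

def demo() -> list:  # run constructed sample packets through a guard; returns the verdicts
    guard = ArpGuard(bindings={"10.0.0.1": ("00:11:22:33:44:01", "GE1/0/1"),
                               "10.0.0.2": ("00:11:22:33:44:02", "GE1/0/2"),
                               "10.0.0.3": ("00:11:22:33:44:03", "GE1/0/2")},
                     limits={"GE1/0/2": 1})
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        guard.send_request(ip)
    pkts = [
        ArpPacket("reply", "10.0.0.1", "00:11:22:33:44:01", "GE1/0/1"),    # genuine server reply
        ArpPacket("reply", "10.0.0.1", "00:11:22:33:44:99", "GE1/0/2"),    # server IP, other MAC
        ArpPacket("request", "10.0.0.2", "00:11:22:33:44:02", "GE1/0/2"),  # unsolicited: not learned
        ArpPacket("reply", "10.0.0.2", "00:11:22:33:44:02", "GE1/0/2"),    # first entry on GE1/0/2
        ArpPacket("reply", "10.0.0.3", "00:11:22:33:44:03", "GE1/0/2"),    # exceeds interface limit
    ]
    return [guard.handle(p) for p in pkts]
```

On the device each of the three checks is a separately enabled feature; the model applies them in sequence so that a packet rejected by the binding table never reaches the learning logic.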
Pre-configuration Tasks
Before configuring the limitation on ARP entry learning, complete the following task:
- Setting the parameters of the link layer protocol and the IP address of the interface and enabling the link-layer protocol

4-4
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 01 (2009-07-28)
