Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
4.4.3 Preventing the ARP Gateway Duplicate Attack
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
arp anti-attack gateway-duplicate enable
The ARP anti-attack function that guards against ARP packets with a bogus gateway address is
enabled.
After this function is enabled, ARP packets with the bogus gateway address that arrive on an
interface of the S9300 are not broadcast to other interfaces. By default, this function is
disabled on the S9300.
----End
4.4.4 Preventing the Man-in-the-Middle Attack
Context
To prevent man-in-the-middle attacks, you can configure the S9300 to check ARP packets. If
the packets received on the interface match the binding table, the packets are forwarded;
otherwise, the packets are discarded.
In addition, you can configure the alarm function. When the number of discarded packets exceeds
the threshold, an alarm is generated.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
arp anti-attack check user-bind enable
The IP source guard function is enabled on the interface.
Issue 01 (2009-07-28)
NOTE
Binding entries of DHCP users are created automatically after DHCP snooping is enabled. If a user uses
a static IP address, you need to configure the binding entry of the user manually. A DHCP snooping binding
entry consists of the IP address, MAC address, interface number, and VLAN ID of a user.
For the configuration of DHCP snooping, see 2.3.2 Enabling DHCP Snooping. For the configuration of
a static binding entry, see 3.3.2 (Optional) Configuring Static User Binding Table.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration
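The binding-table check and discard alarm described in 4.4.4, modeled as an added example (not code from the S9300 or from this guide). It assumes that all four binding fields listed in the NOTE must match and that the alarm fires once the discard count exceeds the threshold; the class and function names, the threshold value, and every address are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Binding:
    """One binding entry: the four fields listed in the NOTE."""
    ip: str
    mac: str
    interface: str
    vlan: int

def norm_mac(mac: str) -> str:
    """Strip separators so 0011-2233-0010 and 00:11:22:33:00:10 compare equal."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

@dataclass
class ArpChecker:
    alarm_threshold: int          # assumption: a plain count of discarded packets
    table: set = field(default_factory=set)
    discarded: int = 0

    def bind(self, ip, mac, interface, vlan):
        self.table.add(Binding(ip, norm_mac(mac), interface, vlan))

    def check(self, ip, mac, interface, vlan) -> bool:
        """True = forward; False = discard (no entry matches all four fields)."""
        if Binding(ip, norm_mac(mac), interface, vlan) in self.table:
            return True
        self.discarded += 1
        return False

    @property
    def alarm(self) -> bool:
        return self.discarded > self.alarm_threshold

def run_sample():
    """Constructed ARP packets: (sender IP, sender MAC, ingress interface, VLAN)."""
    chk = ArpChecker(alarm_threshold=2)
    chk.bind("10.1.1.1", "0011-2233-0001", "GE1/0/24", 10)   # gateway (static entry)
    chk.bind("10.1.1.10", "0011-2233-0010", "GE1/0/1", 10)   # host (DHCP snooping entry)
    packets = [
        ("10.1.1.10", "00:11:22:33:00:10", "GE1/0/1", 10),  # matches the host entry
        ("10.1.1.1", "0011-2233-0bad", "GE1/0/2", 10),      # gateway IP, wrong MAC and port
        ("10.1.1.10", "0011-2233-0010", "GE1/0/2", 10),     # right IP/MAC, wrong port
        ("10.1.1.10", "0011-2233-0010", "GE1/0/1", 20),     # right IP/MAC/port, wrong VLAN
    ]
    verdicts = [chk.check(*p) for p in packets]
    return verdicts, chk.discarded, chk.alarm
```

The second packet is the man-in-the-middle case: it claims the gateway's IP address but fails the MAC and interface comparison, so it is discarded and counted toward the alarm.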