Huawei Quidway S9300 Configuration Manual page 130

Terabit routing switch v100r001c03
4 ARP Security Configuration
# Enable the ARP anti-attack function against ARP packets carrying a bogus gateway address,
so that User 1 cannot send ARP packets that spoof the gateway address.
[Quidway] arp anti-attack gateway-duplicate enable
Step 5 Configure the rate suppression function for ARP packets.
# Set the suppression rate for ARP packets sent by User 4 to 200 pps. To prevent any user
from flooding the switch with ARP packets, set the system-wide suppression rate for ARP
packets to 300 pps.
[Quidway] arp speed-limit source-ip maximum 300
[Quidway] arp speed-limit source-ip 2.2.2.4 maximum 200
Step 6 Configure the rate suppression function for ARP Miss packets.
# Set the suppression rate for ARP Miss packets of the system to 400 pps to prevent users from
sending a large number of IP packets with an unreachable destination IP address.
[Quidway] arp-miss speed-limit source-ip maximum 400
# Set the suppression rate for ARP Miss packets from the server to 1000 pps. This prevents the
server from sending a large number of IP packets with an unreachable destination IP address,
while keeping network communication from being affected when the rate at which the server
sends such packets is not within the expected range.
[Quidway] arp-miss speed-limit source-ip 2.2.2.2 maximum 1000
Step 7 Enable log and alarm functions for potential attacks.
[Quidway] arp anti-attack log-trap-timer 30
Step 8 Verify the configuration.
After the configuration is complete, run the display arp learning strict command to view
information about strict ARP learning.
<Quidway> display arp learning strict
 The global configuration:arp learning strict
 interface                                   LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
 Total:0        force-enable:0        force-disable:0
You can use the display arp-limit command to check the maximum number of ARP entries
learned by the interface.
<Quidway> display arp-limit interface GigabitEthernet1/0/1
interface                   VlanID    LimitNum    LearnedNum(Mainboard)
---------------------------------------------------------------------------
GigabitEthernet1/0/1        10        20          0
---------------------------------------------------------------------------
Total:1
You can use the display arp anti-attack configuration all command to check the configuration
of ARP anti-attack.
<Quidway> display arp anti-attack configuration all
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
4-22
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 01 (2009-07-28)
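The verification step above is usually repeated by hand on every switch. The following is an added example (not from the Huawei guide) that parses constructed samples of the display arp-limit and display arp anti-attack configuration all output shown in this procedure, flags interfaces whose learned ARP entries are close to the configured cap, and reports whether gateway-duplicate protection and the log/trap timer are still enabled.

```python
"""Check S9300 ARP anti-attack verification output (added example)."""
import re

# Constructed sample modelled on 'display arp-limit interface ...'.
ARP_LIMIT_OUTPUT = """\
interface                   VlanID    LimitNum    LearnedNum(Mainboard)
---------------------------------------------------------------------------
GigabitEthernet1/0/1        10        20          0
GigabitEthernet1/0/2        20        20          19
---------------------------------------------------------------------------
Total:2
"""

# Constructed sample modelled on 'display arp anti-attack configuration all'.
ANTI_ATTACK_OUTPUT = """\
ARP anti-attack entry-check mode: fixed-MAC
ARP gateway-duplicate anti-attack function: enabled
ARP anti-attack log-trap-timer: 30seconds
(The log and trap timer of speed-limit, default is 0 and means disabled.)
"""

# One table row: interface, VLAN, limit, learned count (header/Total lines do not match).
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_arp_limit(text):
    """Return {(interface, vlan): (limit, learned)} from the arp-limit table."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            iface, vlan, limit, learned = m.groups()
            rows[(iface, int(vlan))] = (int(limit), int(learned))
    return rows

def near_limit(rows, threshold=0.9):
    """(interface, vlan) keys whose learned entries reach threshold of the cap.

    A full table means new hosts on that VLAN fail to resolve: either the
    segment is genuinely full or an ARP flood is being contained there.
    """
    return sorted(k for k, (limit, learned) in rows.items()
                  if limit and learned >= threshold * limit)

def parse_anti_attack(text):
    """Return the 'key: value' lines of the anti-attack display as a dict."""
    cfg = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith("("):
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip()
    return cfg

def check_anti_attack(cfg):
    """Return findings; an empty list means the expected protections are on."""
    findings = []
    if cfg.get("ARP gateway-duplicate anti-attack function") != "enabled":
        findings.append("gateway-duplicate protection disabled")
    timer = re.match(r"\d+", cfg.get("ARP anti-attack log-trap-timer", "0"))
    if timer is None or int(timer.group()) == 0:
        findings.append("speed-limit log/trap timer is 0 (alarms disabled)")
    return findings
```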