Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks; Figure 4-2 Networking Diagram for Preventing Man-in-the-Middle Attacks - Huawei Quidway S9300 Configuration Manual

Terabit routing switch v100r001c03
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 01 (2009-07-28)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.

4 ARP Security Configuration
4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks
Networking Requirements
As shown in Figure 4-2, two users are connected to the S9300 through GE 1/0/1 and GE 1/0/2 respectively. Assume that the user connected to GE 1/0/2 is an attacker. To prevent man-in-the-middle attacks, you can configure the IP source guard function. After the IP source guard function is configured on the S9300, the S9300 checks IP packets against the binding table. Only the IP packets that match the content of the binding table are forwarded; the other IP packets are discarded. In addition, you can enable the alarm function for discarded packets.

Figure 4-2 Networking diagram for preventing man-in-the-middle attacks
[Figure labels: S9300; Server; Client on GE1/0/1 (IP: 10.0.0.1/24, MAC: 1-1-1, VLAN ID: 10); Attacker on GE1/0/2]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IP source guard function.
2. Configure the check items for ARP packets.
3. Configure a static binding table.
4. Enable the alarm function for discarded packets.
Data Preparation
To complete the configuration, you need the following data:
- Interfaces enabled with IP source guard: GE 1/0/1 and GE 1/0/2
- Check items: IP address + MAC address
- Alarm threshold of the number of discarded ARP packets: 80
- IP address of the client configured in the static binding table: 10.0.0.1/2; MAC address: 1-1-1; VLAN ID: 10
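
The binding-table check and alarm threshold described above, modeled in Python as an added example (it is not Huawei code and not part of the original manual): packets received on the guarded interfaces are compared with the static binding table on the configured check items, mismatches are discarded and counted per interface, and an alarm is raised once the discards pass the threshold of 80. The class and function names, the accepted MAC notations and the exact alarm comparison are assumptions made for illustration.

```python
from collections import Counter

def norm_mac(mac):
    """Normalize H-H-H or aa:bb:cc:dd:ee:ff notation to 12 lowercase hex digits."""
    parts = mac.replace(":", "-").split("-")
    width = 4 if len(parts) == 3 else 2      # H-H-H groups may omit leading zeros
    digits = "".join(p.zfill(width) for p in parts).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits

class BindingCheck:
    """Illustrative model of the check described above; names are hypothetical."""
    def __init__(self, interfaces, check_items, alarm_threshold):
        self.interfaces = set(interfaces)    # ports with the check enabled
        self.check_items = check_items       # fields compared against the table
        self.alarm_threshold = alarm_threshold
        self.bindings = []                   # static binding table
        self.discarded = Counter()           # discarded packets per interface

    def bind_static(self, ip, mac, vlan):
        self.bindings.append({"ip": ip, "mac": norm_mac(mac), "vlan": vlan})

    def check(self, interface, ip, mac, vlan):
        """Return 'forward' or 'discard' for one packet received on interface."""
        if interface not in self.interfaces:
            return "forward"                 # check not enabled on this port
        try:
            pkt = {"ip": ip, "mac": norm_mac(mac), "vlan": vlan}
        except ValueError:
            pkt = None                       # unparsable sender MAC never matches
        if pkt and any(all(pkt[k] == b[k] for k in self.check_items)
                       for b in self.bindings):
            return "forward"
        self.discarded[interface] += 1
        return "discard"

    def alarm(self, interface):
        # Assumed semantics: alarm once the discard count exceeds the threshold.
        return self.discarded[interface] > self.alarm_threshold

def demo():
    sw = BindingCheck(["GE1/0/1", "GE1/0/2"], ("ip", "mac"), alarm_threshold=80)
    sw.bind_static("10.0.0.1", "1-1-1", 10)  # client entry from Data Preparation
    client = sw.check("GE1/0/1", "10.0.0.1", "00:01:00:01:00:01", 10)
    # Constructed sample: GE1/0/2 claims the client's IP with a different MAC.
    spoofed = [sw.check("GE1/0/2", "10.0.0.1", "2-2-2", 10) for _ in range(81)]
    return client, spoofed, sw
```
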
