4.3.4 Checking the Configuration...................................................................................................................4-6

4.4 Configuring ARP Anti-Attack........................................................................................................................ 4-7

4.4.1 Establishing the Configuration Task......................................................................................................4-7

4.4.2 Preventing the ARP Address Spoofing Attack...................................................................................... 4-8

4.4.3 Preventing the ARP Gateway Duplicate Attack.....................................................................................4-9

4.4.4 Preventing the Man-in-the-Middle Attack.............................................................................................4-9

4.4.5 (Optional) Configuring the S9300 to Discard Gratuitous ARP Packets..............................................4-10

4.4.6 Configuring DHCP to Trigger ARP Learning.....................................................................................4-11

4.4.7 Enabling Log and Alarm Functions for Potential Attacks...................................................................4-12

4.4.8 Checking the Configuration.................................................................................................................4-12

4.5 Suppressing Transmission Rate of ARP Packets..........................................................................................4-13

4.5.1 Establishing the Configuration Task....................................................................................................4-13

4.5.2 Configuring Source-based ARP Suppression......................................................................................4-14

4.5.3 Configuring Source-based ARP Miss Suppression..............................................................................4-15

4.5.4 Setting the Suppression Time of ARP Miss Messages........................................................................4-15

4.5.5 Suppressing Transmission Rate of ARP Packets.................................................................................4-16

4.5.6 Checking the Configuration.................................................................................................................4-17

4.6 Maintaining ARP Security............................................................................................................................4-18

4.6.1 Displaying the Statistics About ARP Packets......................................................................................4-18

4.6.2 Clearing the Statistics on ARP Packets................................................................................................4-18

4.6.3 Clearing the Statistics on Discarded ARP Packets...............................................................................4-19

4.6.4 Debugging ARP Packets......................................................................................................................4-19

4.7 Configuration Examples................................................................................................................................4-20

4.7.1 Example for Configuring ARP Security Functions..............................................................................4-20

4.7.2 Example for Configuring ARP Anti-Attack to Prevent Man-in-the-Middle Attacks..........................4-24

5 Traffic Suppression Configuration........................................................................................5-1

5.1 Introduction to Traffic Suppression................................................................................................................ 5-2

5.2 Traffic Suppression Features Supported by the S9300...................................................................................5-2

5.3 Configuring Traffic Suppression.....................................................................................................................5-2

5.3.1 Establishing the Configuration Task......................................................................................................5-2

5.3.2 Configuring Traffic Suppression on an Interface...................................................................................5-3

5.3.3 Checking the Configuration...................................................................................................................5-4

5.4 Configuration Examples..................................................................................................................................5-4

5.4.1 Example for Configuring Traffic Suppression.......................................................................................5-4

6 IP Source Trail Configuration.................................................................................................6-1

6.1 Introduction to IP Source Trail........................................................................................................................6-2

6.2 IP Source Trail Features Supported by the S9300.......................................................................................... 6-2

6.3 Configuring IP Source Trail............................................................................................................................6-3

6.3.1 Establishing the Configuration Task......................................................................................................6-3

6.3.2 Configuring IP Source Trail Based on the Destination IP Address.......................................................6-3

6.3.3 Checking the Configuration...................................................................................................................6-4

Huawei Proprietary and Confidential

Quidway S9300 Terabit Routing Switch

Configuration Guide - Security

Issue 01 (2009-07-28)

Table of Contents