Arp Security Configuration - Huawei Quidway S3700 Series Configuration Manual

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
About This Chapter
The ARP security technology ensures security and robustness of network devices by filtering
out untrusted ARP packets and perform timestamp suppression for some ARP packets.
4.1 ARP Security Overview
ARP attacks are common and have great impact on networks. The S3700 defends against ARP
attacks on the interface that is nearest to the attack source.
4.2 ARP Security Supported by the S3700
The ARP security features supported by the S3700 includes limitation on ARP entry learning,
ARP anti-spoofing, defense against ARP gateway attacks, suppression of ARP packets based
on the source address, suppression of ARP Miss packets based on the source address, defense
against ARP man-in-the-middle attacks, limitation on the transmission rate of ARP packets, and
ARP proxy on a VPLS network.
4.3 Checking Source MAC Addresses of ARP Packets
If the source MAC address in the ARP packet header is inconsistent with the source MAC address
in the Ethernet frame header, the ARP packet is considered as an attack packet. Such attack
packets can be prevented by checking the source MAC addresses of the packets.
4.4 Configuring Defense Against ARP DoS Attacks
If the S3700 receives a lot of ARP attack packets, the MAC address table overflows or the CPU
usage is high. The S3700 prevents ARP DoS attacks by discarding and limiting the rate of attack
packets.
4.5 Configuring ARP Anti-Spoofing
ARP spoofing attacks include ARP entry attack, gateway attack, and man-in-the-middle attack.
The S3700 provides measures to defend against these attacks.
4.6 Maintaining ARP Security
This section describes how to maintain ARP security.
4.7 Configuration Examples
This section provides several configuration examples of ARP security.
Issue 01 (2011-07-15)
4

ARP Security Configuration

Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 ARP Security Configuration
134