Huawei Quidway S3700 Series Configuration Manual page 150

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
ARP Anti-Spoofing
ARP spoofing means that attackers use ARP packets sent by other users to construct bogus ARP
packets and modify ARP entries on the gateway. As a result, authorized users are
disconnected from the network.
The S3700 can prevent ARP spoofing by using the following methods:
• Fixed MAC address: After learning an ARP entry, the S3700 does not allow the MAC address in
that entry to be modified through ARP entry learning until the entry ages. This prevents ARP
entries of authorized users from being modified without permission.
The fixed MAC address method has two modes: fixed-mac and fixed-all. In fixed-mac mode,
MAC addresses cannot be modified, but VLANs and interfaces can be modified; in fixed-all
mode, MAC addresses, VLANs, and interfaces cannot be modified.
• Send-ack: The S3700 does not modify an ARP entry immediately when it receives an ARP
packet requesting modification of a MAC address. Instead, the S3700 sends a unicast packet
for acknowledgment to the user matching this MAC address in the original ARP table.
Defense Against ARP Gateway Attacks
An ARP gateway attack means that an attacker sends gratuitous ARP packets with the source
IP address set to the gateway address (a bogus gateway) on a local area network (LAN). After
receiving these packets, a host replaces its gateway address with the address of the attacker. As
a result, none of the hosts on the LAN can access the network.
When the S3700 receives ARP packets with the bogus gateway address, there are the following
situations:
• The source IP address in the ARP packets is the same as the IP address of the interface that
receives the packets.
• The source IP address in the ARP packets is the virtual IP address of the incoming interface,
but the source MAC address of the ARP packets is not the virtual MAC address of the Virtual
Router Redundancy Protocol (VRRP) group, when the VRRP group is in virtual MAC address
mode.
In either of the preceding situations, the S3700 generates ARP anti-attack entries and discards
such packets for a period (three minutes by default). This prevents ARP packets with the bogus
gateway address from being broadcast in a VLAN.
To ensure that packets sent by hosts on the internal network are forwarded to the gateway, and to
prevent malicious users from intercepting these packets, the S3700 sends gratuitous ARP packets
at intervals to update the gateway address in the ARP entries of the hosts.
Suppression of ARP Packets Based on the Source Address
When a large number of ARP packets are sent from one source IP address or MAC address, the
CPU resources of the S3700 and the bandwidth reserved for ARP packets are consumed.
The S3700 can suppress the transmission rate of ARP packets with a specified source IP
address or MAC address. If the number of ARP packets with the specified source IP address or
MAC address received by the S3700 within a specified period exceeds the configured threshold,
the S3700 does not process the excess ARP request packets.
4 ARP Security Configuration
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
137
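The mechanisms described on this page (the two bogus-gateway situations with the three-minute anti-attack entry, source-based rate suppression, and the fixed-mac, fixed-all and send-ack rules for ARP entry updates) modelled in Python as an added example; this is not Huawei code or the switch's real implementation, and the gateway and VRRP addresses, the VLAN/port values, the ARP aging time and the rate threshold are constructed assumptions. `handle()` returns `learn`, `keep`, `send-ack:<mac>` or `drop:<reason>` for each packet.

```python
from collections import defaultdict, deque

GW_IP, GW_MAC = "10.0.0.1", "00:11:22:33:44:01"          # interface address (constructed)
VRRP_VIP, VRRP_VMAC = "10.0.0.254", "00:00:5e:00:01:01"  # VRRP group in virtual-MAC mode (constructed)
BLOCK_SECS, ARP_AGE = 180, 1200   # anti-attack entry lifetime (3 min, from the guide); aging time (assumed)
RATE_LIMIT, WINDOW = 5, 1.0       # max ARP packets per source IP or MAC per window (assumed)


class ArpGuard:
    def __init__(self, mode="fixed-mac"):   # "fixed-mac", "fixed-all" or "send-ack"
        self.mode = mode
        self.table = {}                     # ip -> (mac, vlan, port, learned_at)
        self.blocked = {}                   # bogus-gateway sender MAC -> anti-attack entry time
        self.seen = defaultdict(deque)      # source IP/MAC -> recent packet timestamps

    def is_bogus_gateway(self, pkt):
        # Situation 1: sender IP is the interface address but the sender MAC is not the interface MAC.
        # Situation 2: sender IP is the VRRP virtual IP but the sender MAC is not the virtual MAC.
        return ((pkt["sip"] == GW_IP and pkt["smac"] != GW_MAC)
                or (pkt["sip"] == VRRP_VIP and pkt["smac"] != VRRP_VMAC))

    def over_rate(self, key, now):
        q = self.seen[key]
        while q and now - q[0] > WINDOW:    # forget timestamps outside the window
            q.popleft()
        q.append(now)
        return len(q) > RATE_LIMIT

    def handle(self, pkt, now):
        if now - self.blocked.get(pkt["smac"], float("-inf")) < BLOCK_SECS:
            return "drop:anti-attack-entry"     # sender still inside the discard period
        if self.is_bogus_gateway(pkt):
            self.blocked[pkt["smac"]] = now     # create an anti-attack entry and discard
            return "drop:bogus-gateway"
        if self.over_rate(pkt["sip"], now) | self.over_rate(pkt["smac"], now):  # '|': count both keys
            return "drop:rate-limit"            # excess packets from this source are not processed
        old = self.table.get(pkt["sip"])
        if old and now - old[3] >= ARP_AGE:
            old = None                          # entry has aged out; learning starts afresh
        new = (pkt["smac"], pkt["vlan"], pkt["port"])
        if old is None:
            self.table[pkt["sip"]] = new + (now,)
            return "learn"
        if old[:3] == new:
            return "keep"
        if old[0] != new[0] and self.mode == "send-ack":
            return "send-ack:" + old[0]         # unicast check to the current owner; entry unchanged
        if old[0] != new[0] or self.mode == "fixed-all":
            return "drop:" + self.mode          # MAC (fixed-all: also VLAN/interface) locked until aging
        self.table[pkt["sip"]] = new + (now,)   # fixed-mac: same MAC, VLAN or interface may change
        return "learn"
```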