Huawei Quidway S3700 Series Configuration Manual page 174

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
4 ARP Security Configuration
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.

Figure 4-1 Networking diagram for configuring ARP security functions
[Diagram not reproduced. Labels in the figure: Switch, Server, User1, User2, User3, User4; interfaces Ethernet0/0/1, Ethernet0/0/2, Ethernet0/0/3; VLAN10, VLAN20.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable strict ARP learning.
2. Enable interface-based ARP entry restriction.
3. Enable the ARP anti-spoofing function.
4. Enable the ARP anti-attack function to prevent ARP packets with a bogus gateway address.
5. Configure the rate suppression function for ARP packets.
6. Configure the rate suppression function for ARP Miss packets.
7. Enable log and alarm functions for potential attacks.

Data Preparation
To complete the configuration, you need the following data:
• Limit on the number of ARP entries on the interface: 20
• Anti-spoofing mode used to prevent attacks initiated by User 1: fixed-mac
• IP address of the server: 2.2.2.2/24
• IP address of User 4, which sends a large number of ARP packets: 2.2.4.2/24
• Maximum suppression rate for ARP packets of User 4: 10 pps; maximum suppression rate for ARP packets of other users: 15 pps
• Maximum suppression rate for ARP Miss packets of common users: 20 pps; maximum suppression rate for ARP Miss packets on the server: 50 pps
• Interval for writing an ARP log and sending an alarm: 300 seconds
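
The ARP rate-suppression and log-interval values from the Data Preparation list, modelled in Python as an added example; it is not Huawei's code and does not describe the switch's internal algorithm. The fixed one-second counting windows, the per-source alarm throttling, the second host 2.2.4.3 and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Values taken from the Data Preparation list on this page.
DEFAULT_ARP_PPS = 15                  # ARP packets of other users
PER_SOURCE_ARP_PPS = {"2.2.4.2": 10}  # ARP packets of User 4
LOG_INTERVAL_S = 300                  # interval between log/alarm records

def suppress_arp(events, default_pps=DEFAULT_ARP_PPS,
                 per_source=PER_SOURCE_ARP_PPS, log_interval=LOG_INTERVAL_S):
    """Apply per-source-IP ARP rate suppression to (timestamp, src_ip) events.

    Assumption: packets are counted in fixed one-second windows and alarms
    are throttled per source; the page does not describe the real algorithm.
    Returns (forwarded, dropped, alarms): per-source counters and a list of
    (timestamp, src_ip) alarm records.
    """
    window_count = defaultdict(int)   # (src_ip, second) -> packets seen
    forwarded = defaultdict(int)
    dropped = defaultdict(int)
    last_alarm = {}                   # src_ip -> time of last alarm record
    alarms = []
    for ts, src in sorted(events):
        limit = per_source.get(src, default_pps)
        key = (src, int(ts))
        window_count[key] += 1
        if window_count[key] <= limit:
            forwarded[src] += 1
            continue
        dropped[src] += 1
        # Write at most one log/alarm record per source per log_interval.
        if src not in last_alarm or ts - last_alarm[src] >= log_interval:
            last_alarm[src] = ts
            alarms.append((ts, src))
    return dict(forwarded), dict(dropped), alarms

def constructed_events():
    """Constructed sample traffic, not a capture from a real network."""
    events = []
    for second in (0, 1, 400):
        # User 4 floods: 40 ARP packets within the second.
        events += [(second + i / 40, "2.2.4.2") for i in range(40)]
        # A normal host (constructed address) stays under 15 pps.
        events += [(second + i / 12, "2.2.4.3") for i in range(12)]
    return events

if __name__ == "__main__":
    fwd, drop, alarms = suppress_arp(constructed_events())
    print("forwarded:", fwd)
    print("dropped:  ", drop)
    print("alarms:   ", alarms)
```

With the constructed traffic, the flood at second 1 produces drops but no second alarm record, because it falls inside the 300-second interval that started with the first record.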
