Huawei Quidway S3700 Series Configuration Manual page 178

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
4 ARP Security Configuration
Issue 01 (2011-07-15) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd. Page 165

Figure 4-2 Networking diagram for preventing man-in-the-middle attacks
[Figure labels: Attacker, Switch, Server, Client; switch interfaces Ethernet0/0/1 and Ethernet0/0/2; client IP: 10.0.0.1/24, MAC: 1-1-1, VLAN ID: 10]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IP source guard function.
2. Configure the check items for ARP packets.
3. Configure a static binding table.
4. Enable the alarm function for discarded packets.

Data Preparation
To complete the configuration, you need the following data:
- Interfaces enabled with IP source guard: Ethernet 0/0/1 and Ethernet 0/0/2
- Check items: IP address + MAC address + VLAN
- Alarm threshold of the number of discarded ARP packets: 80
- IP address of the client configured in the static binding table: 10.0.0.1/2; MAC address: 1-1-1; VLAN ID: 10

Procedure
Step 1 Configure the IP source guard function.
# Enable the IP source guard function on Ethernet 0/0/1 connected to the client.
[Quidway] interface ethernet 0/0/1
[Quidway-Ethernet0/0/1] arp anti-attack check user-bind enable
[Quidway-Ethernet0/0/1] arp anti-attack check user-bind check-item ip-address mac-address vlan
# Enable the IP source guard function on Ethernet 0/0/2 connected to the attacker.
[Quidway] interface ethernet 0/0/2
[Quidway-Ethernet0/0/2] arp anti-attack check user-bind enable
[Quidway-Ethernet0/0/2] arp anti-attack check user-bind check-item ip-address mac-address vlan
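The check that Step 1 enables, modelled in Python as an added example (not part of the manual and not Huawei's implementation): an ARP packet is forwarded only when its sender IP address, MAC address and VLAN all match an entry in the static binding table, and discards are counted against the alarm threshold of 80. The names `UserBindCheck`, `Binding`, `norm_mac` and `demo`, the spoofed MAC 2-2-2, and the rule that the alarm fires once the discard count exceeds the threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

ALARM_THRESHOLD = 80  # discarded-ARP alarm threshold from Data Preparation


def norm_mac(mac: str) -> str:
    """Normalise H-H-H notation (1-1-1) or colon notation to 12 hex digits."""
    if mac.count("-") == 2:
        groups = [g.zfill(4) for g in mac.split("-")]   # 1-1-1 -> 0001 0001 0001
    else:
        groups = [g.zfill(2) for g in mac.split(":")]
    return "".join(groups).lower()


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int


class UserBindCheck:
    """Model of checking ARP packets against a static binding table."""

    def __init__(self, bindings, check_items=("ip", "mac", "vlan")):
        self.check_items = check_items
        self.table = {self._key(b.ip, b.mac, b.vlan) for b in bindings}
        self.discarded = 0

    def _key(self, ip, mac, vlan):
        fields = {"ip": ip, "mac": norm_mac(mac), "vlan": vlan}
        return tuple(fields[item] for item in self.check_items)

    def permit(self, sender_ip, sender_mac, vlan) -> bool:
        """Forward the packet only if every check item matches one binding."""
        if self._key(sender_ip, sender_mac, vlan) in self.table:
            return True
        self.discarded += 1
        return False

    def alarm(self) -> bool:
        # Assumption: the alarm is raised once discards exceed the threshold.
        return self.discarded > ALARM_THRESHOLD


def demo():
    chk = UserBindCheck([Binding("10.0.0.1", "1-1-1", 10)])
    genuine = chk.permit("10.0.0.1", "00:01:00:01:00:01", 10)
    # Constructed sample: ARP packets claiming the client's IP with another MAC.
    spoofed = [chk.permit("10.0.0.1", "2-2-2", 10) for _ in range(81)]
    return genuine, any(spoofed), chk.discarded, chk.alarm()
```

Passing `check_items=("ip",)` shows why the page checks all three items: with the IP address alone, a packet carrying the client's IP address but a different MAC address or VLAN still matches the binding.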
