Huawei Quidway S3700 Series Configuration Manual page 9

Quidway S3700 Series Ethernet Switches
Configuration Guide - Security
3.9 Maintaining DHCP Snooping ..... 117
3.9.1 Clearing DHCP Snooping Statistics ..... 117
3.9.2 Resetting the DHCP Snooping Binding Table ..... 118
3.10 Configuration Examples ..... 118
3.10.1 Example for Preventing Bogus DHCP Server Attacks ..... 118
Leases ..... 123
3.10.4 Example for Limiting the Rate of Sending DHCP Messages ..... 126
3.10.5 Example for Applying DHCP Snooping on a Layer 2 Network ..... 129
4 ARP Security Configuration ..... 134
4.1 ARP Security Overview ..... 135
4.2 ARP Security Supported by the S3700 ..... 136
4.3 Checking Source MAC Addresses of ARP Packets ..... 138
4.4 Configuring Defense Against ARP DoS Attacks ..... 139
4.4.1 Establishing the Configuration Task ..... 139
4.4.2 Configuring Source MAC Address-based ARP Packet Suppression ..... 141
4.4.3 Configuring Source Address based ARP Suppression ..... 141
4.4.4 Configuring Source-based ARP Miss Suppression ..... 142
4.4.5 Configuring Rate Limit of ARP Miss Packets ..... 143
4.4.6 Configuring Rate Limit of ARP Packets ..... 145
4.4.7 Configuring the S3700 to Send Gratuitous ARP Packets ..... 147
4.4.8 Checking the Configuration ..... 148
4.5 Configuring ARP Anti-Spoofing ..... 149
4.5.1 Establishing the Configuration Task ..... 149
4.5.2 Enabling Strict ARP Entry Learning ..... 151
4.5.3 Configuring Interface-based ARP Entry Restriction ..... 152
4.5.4 Preventing the ARP Address Spoofing Attack ..... 153
4.5.5 Preventing the ARP Gateway Duplicate Attack ..... 153
4.5.6 Preventing the Man-in-the-Middle Attack ..... 154
Addresses ..... 155
4.5.8 Configuring DHCP to Trigger ARP Learning ..... 155
4.5.9 Checking the Configuration ..... 156
4.6 Maintaining ARP Security ..... 158
4.6.1 Displaying the Statistics About ARP Packets ..... 158
4.6.2 Clearing the Statistics on ARP Packets ..... 158
4.6.3 Clearing the Statistics on Discarded ARP Packets ..... 158
4.6.4 Debugging ARP Packets ..... 159
4.6.5 Enabling Log and Alarm Functions for Potential Attacks ..... 159
4.7 Configuration Examples ..... 160
4.7.1 Example for Configuring ARP Security Functions ..... 160
Issue 01 (2011-07-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Contents
viii
