Configuring ARP Spoofing Attack Prevention; ARP Duplicate Gateway Attack Prevention; Introduction to ARP Duplicate Gateway Attack Prevention - H3C S9500 Series Operation Manual

Operation Manual – ARP
H3C S9500 Series Routing Switches
Chapter 3 ARP Attack Prevention Configuration

3.1.2 Configuring ARP Spoofing Attack Prevention

Follow these steps to configure ARP spoofing attack prevention:

| To do... | Use the command... | Remarks |
|---|---|---|
| Enter system view | system-view | - |
| Configure ARP spoofing attack prevention | arp entry-check { fixed-mac \| fixed-all \| send-ack } | Required. Disabled by default. |
| Display the ARP spoofing attack prevention configuration | display arp entry-check | Available in any view |

3.2 ARP Duplicate Gateway Attack Prevention

3.2.1 Introduction to ARP Duplicate Gateway Attack Prevention

[Figure 3-2 ARP duplicate gateway attack: gateway G (192.168.1.1/24), attacker A (192.168.1.3), ARP packet with source IP 192.168.1.1]

An attacker sends gratuitous ARP packets whose source IP address is that of the
gateway within the LAN. The internal hosts then change the address of the gateway
to that of the attacker. As a result, the hosts are unable to access the network. Such an
attack is called an ARP duplicate gateway attack.

To prevent such attacks, S9500 series switches provide the duplicate gateway attack
prevention function. If any of the following conditions is met, the system generates an
ARP attack prevention entry:

- The source IP address of the ARP packet is the same as the IP address of the
  receiving interface.
- The source IP address of the ARP packet belongs to the NAT address pool or is
  the same as the IP address of one of the internal servers.
- The source IP address of the ARP packet is the virtual IP address of the receiving
  interface, but the source MAC address of the ARP packet is not the virtual MAC
  address of the VRRP group.

Based on this entry, the switch discards packets with the same source MAC
address for a certain period, thus preventing ARP packets containing the
duplicate gateway address from being broadcast within the VLAN.
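
The entry logic described in 3.2.1, as an added Python model (not H3C code and not part of the original manual): it checks an ARP packet against the three conditions and ages the per-MAC attack prevention entry. The class and field names, the 60-second hold time, the CIDR form of the NAT pool, and every address other than the two from Figure 3-2 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class Interface:                 # hypothetical model of the receiving interface
    ip: str
    vrrp_vip: str = ""           # virtual IP of the VRRP group, if any
    vrrp_vmac: str = ""          # virtual MAC of the VRRP group
    nat_pool: tuple = ()         # NAT address pool, simplified to CIDR blocks
    internal_servers: tuple = ()

class DuplicateGatewayGuard:
    def __init__(self, iface, hold=60):          # hold time in seconds: assumed value
        self.iface, self.hold = iface, hold
        self.entries = {}                        # source MAC -> time the entry expires

    def violation(self, sip, smac):
        """Return which of the three conditions the ARP packet meets, or None."""
        i, addr = self.iface, ipaddress.ip_address(sip)
        if sip == i.ip:
            return "source IP is the receiving interface's IP"
        if sip in i.internal_servers or any(addr in ipaddress.ip_network(n) for n in i.nat_pool):
            return "source IP is in the NAT pool or is an internal server"
        if sip == i.vrrp_vip and smac != i.vrrp_vmac.lower():
            return "virtual IP sent with a non-virtual source MAC"
        return None

    def handle(self, now, sip, smac):
        """Return (action, reason) for one ARP packet seen at time `now`."""
        smac = smac.lower()
        if self.entries.get(smac, 0) > now:      # unexpired entry: drop by source MAC alone
            return "drop", "source MAC has an active attack prevention entry"
        reason = self.violation(sip, smac)
        if reason:                               # assumption: triggering packet is dropped too
            self.entries[smac] = now + self.hold
            return "drop", reason
        return "forward", None

# Constructed sample: 192.168.1.1 and 192.168.1.3 follow Figure 3-2, the rest is made up.
GW = Interface("192.168.1.1", "192.168.1.254", "00:00:5e:00:01:01", nat_pool=("203.0.113.16/28",))
PACKETS = [(0, "192.168.1.1", "aa:bb:cc:00:00:03"),     # spoofed gateway IP
           (10, "192.168.1.3", "aa:bb:cc:00:00:03"),    # own IP, entry still active
           (20, "192.168.1.254", "00:00:5E:00:01:01"),  # VRRP virtual IP with virtual MAC
           (70, "192.168.1.3", "aa:bb:cc:00:00:03")]    # entry has expired

def demo():
    guard = DuplicateGatewayGuard(GW)
    return [guard.handle(t, sip, mac)[0] for t, sip, mac in PACKETS]

print(demo())  # ['drop', 'drop', 'forward', 'forward']
```

The second packet shows the side effect of matching on source MAC: once an entry exists, ARP packets from that MAC are dropped even when their source IP is legitimate, until the entry ages out.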
