Introduction to ARP Attack Detection; Introduction to Proxy ARP - H3C S7500 Series Operation Manual

Operation Manual – ARP
H3C S7500 Series Ethernet Switches
virtual routers to update the ARP entries on the device that is connected to the switch
and incapable of updating ARP entries actively.
If a small number of VLAN interfaces and VRRP backup groups are configured, it takes
a very short time for the device to traverse all the VLAN interfaces and their IP
addresses. If the traffic loops without being limited, gratuitous ARP packets are sent
to the same IP address at too short an interval. This increases the switch workload and
network traffic. To solve this problem, the device allows you to configure the
gratuitous ARP update interval.

1.1.6 Introduction to ARP Attack Detection

If an attacker sends an ARP message with a fake source IP address to a gateway, the
gateway adds the IP-to-MAC mapping to its ARP mapping table. The attacker may send the
gateway ARP messages that use every IP address of the network segment as the source IP
address, leaving other devices unable to access the network.

To guard against such attacks, S7500 series Ethernet switches support the ARP attack
detection feature. With this feature, you can limit the number of IP addresses that can
be bound to a MAC address in a VLAN. If a MAC address is bound to more than the
specified number of IP addresses, it is considered an attacking MAC address.
Consequently, all ARP messages containing the attacking MAC address as the source MAC
address are discarded unless the ARP request is sent from the local device.
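
The detection rule described above, modelled in Python as an added example (it is not H3C code and not part of the original manual). The class name, the way the local device is recognised (by its own MAC addresses), the choice to drop the message that crosses the limit, and all sample addresses are assumptions made for illustration; entry aging is not modelled.

```python
from collections import defaultdict

class ArpAttackDetector:
    """Per-VLAN rule: a source MAC bound to more than max_ips IPs is an attacker."""

    def __init__(self, max_ips, local_macs=()):
        self.max_ips = max_ips
        self.local_macs = {m.lower() for m in local_macs}
        self.bindings = defaultdict(set)  # (vlan, mac) -> source IPs seen
        self.attackers = set()            # (vlan, mac) pairs over the limit

    def process(self, vlan, src_mac, src_ip):
        """Return 'accept' or 'discard' for one ARP message."""
        mac = src_mac.lower()
        if mac in self.local_macs:        # ARP sent by the local device is exempt
            return "accept"
        key = (vlan, mac)
        if key in self.attackers:         # every later message from it is dropped
            return "discard"
        self.bindings[key].add(src_ip)
        if len(self.bindings[key]) > self.max_ips:
            self.attackers.add(key)
            # Assumption: the message that crosses the limit is dropped too.
            return "discard"
        return "accept"

def run(detector, messages):
    return [detector.process(*msg) for msg in messages]

# Constructed sample traffic: (VLAN, source MAC, source IP).
SAMPLE = [
    (10, "00:11:22:33:44:55", "192.168.10.20"),   # ordinary host, one IP
    (10, "DE:AD:BE:EF:00:01", "192.168.10.1"),    # sender claiming many IPs
    (10, "de:ad:be:ef:00:01", "192.168.10.2"),
    (10, "de:ad:be:ef:00:01", "192.168.10.3"),    # third IP exceeds limit of 2
    (10, "de:ad:be:ef:00:01", "192.168.10.1"),    # known IP, MAC already flagged
    (20, "de:ad:be:ef:00:01", "192.168.20.1"),    # other VLAN counted separately
    (10, "00:0f:e2:00:00:01", "192.168.10.254"),  # local device, exempt
    (10, "00:0f:e2:00:00:01", "192.168.10.253"),
    (10, "00:0f:e2:00:00:01", "192.168.10.252"),
]

if __name__ == "__main__":
    det = ArpAttackDetector(max_ips=2, local_macs=["00:0F:E2:00:00:01"])
    for msg, verdict in zip(SAMPLE, run(det, SAMPLE)):
        print(msg, "->", verdict)
```

Because the count is kept per VLAN, the same MAC is flagged in VLAN 10 while its single binding in VLAN 20 is still accepted.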

1.1.7 Introduction to Proxy ARP

The proxy ARP function allows a device to forward ARP requests between hosts in
different networks, and ARP requests from one host in a network to another host on an
isolated port in the same network, so as to provide Layer 3 connectivity between Layer
2 isolated ports.

To provide Layer 3 connectivity between ports in the following conditions, you need to
enable the proxy ARP function:
- The Super VLAN function is enabled on the S7500 switch.
- The isolate-user-vlan function is enabled on Layer 2 switches connected to the
  S7500 switch.
Chapter 1 ARP Configuration