Users are frequently disconnected from the LAN when the switch serves as a gateway

Description: The device serves as a gateway, and users in the LAN are frequently disconnected.

Products and versions involved: all products and versions

Fault description: The device serves as a gateway. Users in the LAN are frequently disconnected, and the device generates a large number of alarms about IP address conflicts.
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=[IPADDR], InterfaceName=[STRING], MacAddress=[STRING])

Solution
1. Perform antivirus scanning on the infected PC located by the analysis below, and keep it off the LAN until it is clean.
2. Configure ARP gateway anti-collision on the device. After this function is enabled, when the switch receives an ARP packet whose source IP address is its own gateway address but whose source MAC address is not its own, it generates an ARP attack defense entry and, for a period of time, discards ARP packets matching that entry (same VLAN ID and source MAC address). This prevents ARP packets conflicting with the gateway address from being broadcast in the VLAN. Afterwards, run display logbuffer again to confirm that the ARP_DUPLICATE_IPADDR alarms have stopped.
<HUAWEI> system-view
[HUAWEI] arp anti-attack gateway-duplicate enable

Perform the following steps to analyze the cause:
1. Run the display logbuffer command in any view to check the logs, and obtain the attacker's MAC address from the MacAddress field. The IpAddress field shows the conflicting (gateway) address and the InterfaceName field shows the interface on which the conflicting packet was received.
display logbuffer
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=[IPADDR], InterfaceName=[STRING], MacAddress=[STRING])
2. Search the MAC address table for the attacker's MAC address (display mac-address <mac-address>) to obtain the port on which it was learned, that is, the attack source port. If the port is an uplink to another switch, repeat the lookup on that switch until the edge port is found.
3. Locating the attack source shows that a user's PC on the LAN is impersonating the gateway: it sends ARP packets carrying the gateway's IP address to the other hosts in the same network segment. The cause is a virus infection on that PC.
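The triage above (read the ARP_DUPLICATE_IPADDR alarms, pull out the MAC address, look the MAC up in the MAC address table to find the port) is mechanical enough to script. The following is an added example, not code from the page or from Huawei: it parses constructed display logbuffer and display mac-address output, counts how often each MAC address claimed the gateway address, and maps each one to the port it was learned on, most frequent offender first. The log line prefix, the MAC table column layout and all addresses are assumed sample data.

```python
import re
from collections import Counter

# Regex for the ARP_DUPLICATE_IPADDR log; the field layout follows the log shown on the page.
LOG_RE = re.compile(
    r"ARP/4/ARP_DUPLICATE_IPADDR.*?\("
    r"IpAddress=(?P<ip>[0-9.]+), "
    r"InterfaceName=(?P<iface>[^,]+), "
    r"MacAddress=(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\)"
)
MAC_RE = re.compile(r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}")

# Constructed sample of `display logbuffer` output (not captured from a real device).
LOGBUFFER = """\
Jan 10 2024 09:15:01 HUAWEI %%01ARP/4/ARP_DUPLICATE_IPADDR(l)[1]:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=192.168.1.1, InterfaceName=Vlanif10, MacAddress=5489-98aa-0c01)
Jan 10 2024 09:15:02 HUAWEI %%01ARP/4/ARP_DUPLICATE_IPADDR(l)[2]:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=192.168.1.1, InterfaceName=Vlanif10, MacAddress=5489-98aa-0c01)
Jan 10 2024 09:15:05 HUAWEI %%01ARP/4/ARP_DUPLICATE_IPADDR(l)[3]:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=192.168.1.1, InterfaceName=Vlanif10, MacAddress=5489-98aa-0c02)
Jan 10 2024 09:15:06 HUAWEI %%01IFNET/4/LINK_STATE(l)[4]:The line protocol on the interface GigabitEthernet0/0/3 has entered the UP state.
"""

# Constructed sample of `display mac-address` output; column layout is assumed.
MAC_TABLE = """\
MAC Address    VLAN/VSI   Learned-From        Type
5489-98aa-0c01 10         GE0/0/5             dynamic
5489-98aa-0c02 10         GE0/0/7             dynamic
5489-98aa-0c03 10         GE0/0/9             dynamic
"""


def parse_duplicate_ip_logs(logbuffer):
    """Return one dict (ip, iface, mac) per ARP_DUPLICATE_IPADDR line; other lines are ignored."""
    events = []
    for line in logbuffer.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append({"ip": m["ip"], "iface": m["iface"], "mac": m["mac"].lower()})
    return events


def parse_mac_table(table):
    """Map MAC address -> (vlan, port) from `display mac-address` style output."""
    entries = {}
    for line in table.splitlines():
        cols = line.split()
        if len(cols) >= 3 and MAC_RE.fullmatch(cols[0].lower()):
            entries[cols[0].lower()] = (cols[1], cols[2])
    return entries


def locate_attack_sources(logbuffer, mac_table):
    """Correlate each conflicting MAC with the port it was learned on, most frequent first.

    A MAC that is absent from the table (aged out or learned on another switch)
    is still reported, with vlan/port set to None, so it is not silently dropped.
    """
    events = parse_duplicate_ip_logs(logbuffer)
    ports = parse_mac_table(mac_table)
    counts = Counter((e["ip"], e["iface"], e["mac"]) for e in events)
    report = []
    for (ip, iface, mac), n in counts.most_common():
        vlan, port = ports.get(mac, (None, None))
        report.append({"ip": ip, "iface": iface, "mac": mac,
                       "count": n, "vlan": vlan, "port": port})
    return report


if __name__ == "__main__":
    for r in locate_attack_sources(LOGBUFFER, MAC_TABLE):
        print(f"{r['mac']} claimed {r['ip']} on {r['iface']} {r['count']}x "
              f"-> VLAN {r['vlan']} port {r['port']}")
```

Run it against the real outputs by replacing the two constructed strings with the text copied from the switch; the port reported for the top entry is the one to shut down or trace further if it is an uplink.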

Suggestion
The virus sets the infected PC's static IP address to the gateway address. The PC then broadcasts gratuitous ARP packets on the LAN. Other PCs that receive them update their ARP entry for the gateway, replacing the gateway MAC address with the attacker's MAC address, so their traffic for the gateway is delivered to the infected PC instead. All users on the LAN lose network access and services are interrupted.
When the attacker sends gratuitous ARP packets with the gateway address as the source IP address frequently, the gateway device also receives them and responds by sending ARP packets to the hosts on the LAN to re-assert the correct gateway MAC address. The hosts' gateway MAC address then flaps between the two values, which also interrupts the network. This is why the alarm is raised on the gateway itself and why ARP gateway anti-collision should be enabled in addition to cleaning the infected PC.
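The mechanism described above is visible on the wire: a gratuitous ARP whose sender IP is the gateway address but whose sender MAC is not the gateway's. The following is an added example, not code from the page or from Huawei, showing what a monitor on a mirror port (or the gateway's own ARP check) has to look at. It builds a few constructed Ethernet/ARP frames with struct, parses them back, and classifies each as benign, gratuitous, or gateway spoofing. The gateway and host addresses are assumed sample values.

```python
import struct
from ipaddress import IPv4Address

# Assumed gateway identity (constructed values, not from the page).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "54:89:98:00:00:01"

ETH_P_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def mac_bytes(s):
    return bytes.fromhex(s.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(src_mac, sender_mac, sender_ip, target_mac, target_ip, opcode):
    """Build an Ethernet II + ARP frame. Used only to construct test traffic."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(src_mac), ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet II frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {"eth_src": mac_str(src), "op": op, "sha": mac_str(sha),
            "spa": str(IPv4Address(spa)), "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}


def classify(frame, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Classify one frame.

    gateway-spoof-gratuitous: sender IP == gateway, sender MAC != gateway, sender IP == target IP
                              (the broadcast that rewrites every host's gateway entry)
    gateway-spoof:            sender IP == gateway, sender MAC != gateway, aimed at one host
    gratuitous:               a legitimate gratuitous ARP (e.g. the real gateway announcing itself)
    ok / not-arp:             anything else
    """
    a = parse_arp(frame)
    if a is None:
        return "not-arp"
    gratuitous = a["spa"] == a["tpa"]
    if a["spa"] == gateway_ip and a["sha"].lower() != gateway_mac.lower():
        return "gateway-spoof-gratuitous" if gratuitous else "gateway-spoof"
    return "gratuitous" if gratuitous else "ok"


# Constructed sample traffic.
ATTACKER_MAC = "54:89:98:aa:0c:01"
HOST_MAC, HOST_IP = "54:89:98:bb:00:20", "192.168.1.20"
LEGIT_GARP = build_arp(GATEWAY_MAC, GATEWAY_MAC, GATEWAY_IP, "00:00:00:00:00:00", GATEWAY_IP, 1)
ATTACK_GARP = build_arp(ATTACKER_MAC, ATTACKER_MAC, GATEWAY_IP, "00:00:00:00:00:00", GATEWAY_IP, 1)
ATTACK_REPLY = build_arp(ATTACKER_MAC, ATTACKER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP, 2)
HOST_REQUEST = build_arp(HOST_MAC, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GATEWAY_IP, 1)

if __name__ == "__main__":
    for name, f in [("legit GARP", LEGIT_GARP), ("attacker GARP", ATTACK_GARP),
                    ("attacker reply", ATTACK_REPLY), ("host request", HOST_REQUEST)]:
        print(f"{name:15s} -> {classify(f)}")
```

The check keys on the sender MAC rather than the Ethernet source address because the ARP sender hardware address is what hosts write into their ARP cache; comparing the two is a useful extra signal, but the cache-poisoning field is the ARP one.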
