
ADDRESS RESOLUTION PROTOCOL POISONING (ARP POISONING)

Latest reply: Jan 21, 2021 01:34:44


Address Resolution Protocol (ARP) poisoning (also known as ARP spoofing):

Address Resolution Protocol (ARP) poisoning is an attack in which the attacker sends falsified ARP messages over a local area network (LAN) to bind the attacker's MAC address to the IP address of a legitimate computer or server on the network. ARP carries no authentication, so hosts that receive the forged message update their ARP caches without any verification. Once the attacker's MAC address is bound to an authentic IP address, the attacker receives any frames directed to that IP address, and can therefore intercept, modify or block communications intended for the legitimate host (a man-in-the-middle position).



The term address resolution refers to the process of finding the MAC address that belongs to an IP address assigned to a computer in a network.

The Address Resolution Protocol (ARP, defined in RFC 826) is used by the Internet Protocol, specifically IPv4, to map IP network addresses to the hardware addresses used by a data link protocol. The protocol operates below the network layer, as part of the interface between the OSI network layer and the OSI link layer. It is used when IPv4 is implemented over Ethernet.



Configuring ARP Security:

Configuring defense against ARP flood attacks prevents ARP entries from being exhausted and the CPU from being overloaded.

Before configuring defense against ARP flood attacks, connect the interfaces and set their physical parameters to ensure that the physical status of the interfaces is Up.







Configuring Rate Limiting on ARP Packets based on Source MAC Addresses:

A large number of ARP packets with a fixed source MAC address and variable IP addresses will overload the CPU of the device and exhaust its ARP entries.

To prevent this problem, configure the gateway to limit the rate of ARP packets based on source MAC addresses. The gateway then collects statistics on ARP packets sent from certain MAC addresses to the CPU. If the number of ARP packets received in one second from the specified MAC address exceeds the threshold, the device discards the excess ARP packets.


Step 1
Run: system-view
The system view is displayed.

Step 2
Configure rate limiting on ARP packets based on source MAC addresses.
Run: arp anti-attack rate-limit source-mac maximum maximum
The maximum rate of ARP packets from any source MAC address is set.
Run: arp anti-attack rate-limit source-mac mac-address maximum maximum
The maximum rate of ARP packets from the specified source MAC address is set.

Step 3
Run: commit
The configuration is committed.



Configuring Rate Limiting on ARP Packets based on Source IP Addresses:

When the device processes a large number of ARP packets from a fixed source IP address (for example, when the MAC address or outbound interface associated with that source IP address changes frequently), the CPU is overloaded and cannot process other services.

To prevent this problem, configure the gateway to limit the rate of ARP packets based on source IP addresses. The gateway collects statistics on ARP packets from a specified source IP address. If the number of ARP packets received in one second from the specified IP address exceeds the threshold, the device discards the excess ARP packets.


Step 1
Run: system-view
The system view is displayed.

Step 2
Configure rate limiting on ARP packets based on source IP addresses.
Run: arp anti-attack rate-limit source-ip maximum maximum
The maximum rate of ARP packets from any source IP address is set.
Run: arp anti-attack rate-limit source-ip ip-address maximum maximum
The maximum rate of ARP packets from the specified source IP address is set.

Step 3
Run: commit
The configuration is committed.



Configuring Rate Limit on ARP Packets based on the Destination IP Address:

When the device processes a large number of ARP packets with the same destination IP address, the CPU is overloaded and cannot process other services.

To prevent this problem, limit the rate of ARP packets based on the destination IP address. The device collects statistics on ARP packets with a specified destination IP address. If the number of ARP packets with the specified destination IP address received per second exceeds the threshold, the device discards the excess ARP packets.



Step 1
Run: system-view
The system view is displayed.

Step 2
Run: arp anti-attack rate-limit destination-ip maximum maximum
Rate limiting on ARP packets based on the destination IP address is configured.

Step 3
Run: commit
The configuration is committed.



Configuring Rate Limiting on ARP Packets Globally, in a VLAN, or on an Interface:

When processing a large number of ARP packets, a device consumes many CPU resources and cannot process other services. To protect the CPU resources of the device, limit the rate of ARP packets.

After rate limiting on ARP packets is enabled, set the maximum rate of ARP packets globally, in a VLAN, or on an interface. If the number of ARP packets received each second exceeds the limit, the device discards the excess ARP packets.

-->Limiting the rate of ARP packets globally: limits the number of ARP packets processed on the entire device.
-->Limiting the rate of ARP packets in a VLAN: limits the number of ARP packets processed on all interfaces in that VLAN. The configuration in a VLAN does not affect ARP entry learning on interfaces in other VLANs.
-->Limiting the rate of ARP packets on an interface: limits the number of ARP packets processed on that interface. The configuration on an interface does not affect ARP entry learning on other interfaces.

If the maximum rate is configured in the system view, VLAN view, and interface view at the same time, the configurations take effect in order of precedence: the interface view first, then the VLAN view, and the system view last.


Step 1
Run: system-view
The system view is displayed.

Step 2 (Optional)
Run: interface interface-type interface-number
or
Run: vlan vlan-id
The interface or VLAN view is displayed. If you configure rate limiting on ARP packets in the system view, skip this step.

Step 3
Run: arp anti-attack rate-limit limit
The maximum rate of ARP packets is set in the current view.

Step 4
Run: commit
The configuration is committed.


Configuring ARP Rate Limiting on All Interfaces:

When a device processes a large number of ARP packets, the CPU may be overloaded and unable to process other services. The device therefore needs to limit the rate of ARP packets to protect CPU resources.

After ARP packet rate limiting is enabled, you can run a command in the system view to set an ARP rate limit for all interfaces. If the number of ARP packets received by an interface within one second exceeds the limit, the device discards the excess ARP packets.

Note the difference between the two system-view commands. If the arp anti-attack rate-limit command has been executed in the system view, the rate limit specified in the command is the upper limit for the total number of ARP packets on all interfaces. If the arp anti-attack rate-limit interface command has been executed in the system view, the rate limit specified in the command is the upper limit for the number of ARP packets on each interface.



Step 1
Run: system-view
The system view is displayed.

Step 2
Run: arp anti-attack rate-limit interface limit
The rate limit for ARP packets on each interface is set.
By default, the ARP rate limit on all interfaces is 0, that is, the ARP packet rate on the interfaces is not limited.

Step 3
Run: commit
The configuration is committed.




Monitoring ARP Running Status:

-->Run the display arp packet statistics [ interface [ interface-type interface-number ] ] command to display ARP packet statistics.
-->Run the display arp anti-attack record command to display details about ARP packets discarded when the number of ARP packets exceeds the limit.
-->Run the display arp miss anti-attack record command to display details about excess ARP Miss messages discarded when the number of ARP Miss messages exceeds the limit.


Clearing ARP Security Statistics:

-->Run the reset arp packet statistics [ interface [ interface-type interface-number ] ] command to clear ARP packet statistics.
-->Run the reset arp anti-attack record command to clear details about excess ARP packets discarded when the number of ARP packets exceeds the limit.
-->Run the reset arp miss anti-attack record command to clear details about excess ARP Miss messages discarded when the number of ARP Miss messages exceeds the limit.



Example configuration from a switch:

#
sysname Switch
#
vlan batch 10 20 30
#
arp miss anti-attack rate-limit source-ip maximum 20
arp anti-attack rate-limit source-ip 10.9.9.2 maximum 10
arp miss anti-attack rate-limit source-ip 10.10.10.2 maximum 40
arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10
arp learning strict
arp anti-attack entry-check fixed-mac enable
arp anti-attack gratuitous-arp drop
#
interface Vlanif10
 ip address 10.8.8.4 255.255.255.0
#
interface Vlanif20
 ip address 10.9.9.4 255.255.255.0
#
interface Vlanif30
 ip address 10.10.10.3 255.255.255.0
#
interface 10GE1/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
 arp limit vlan 10 20
#
interface 10GE1/0/2
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface 10GE1/0/3
 port link-type trunk
 port trunk allow-pass vlan 30
#
return
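The following Python model is added here as an illustration of how the per-second thresholds from the rate-limiting sections above interact; it is not code from the Huawei reference guide or from the switch. The source-MAC limit for 0001-0001-0001 and the source-IP limit for 10.9.9.2 are taken from the sample configuration, while the per-interface limit of 20 on 10GE1/0/1 and the VLAN 10 limit of 50 are assumed values chosen to show that the interface view takes precedence over the VLAN view. The traffic is constructed: a fixed-MAC/variable-IP flood, a burst from one source IP that spills into a fresh one-second window, and a burst from many hosts on one interface.

```python
from collections import defaultdict


class ArpRateLimiter:
    """Per-second ARP rate limits keyed the way the arp anti-attack rate-limit commands are.

    Every limit is 'ARP packets per second' or None for unlimited. The keyed tables accept a
    "default" entry (the '... maximum maximum' form) plus per-address entries.
    """

    def __init__(self, source_mac=None, source_ip=None, destination_ip=None,
                 per_interface=None, per_vlan=None, system=None):
        self.source_mac = source_mac or {}        # {"default": n, "xxxx-xxxx-xxxx": n}
        self.source_ip = source_ip or {}          # {"default": n, "a.b.c.d": n}
        self.destination_ip = destination_ip or {}
        self.per_interface = per_interface or {}  # interface name -> limit (interface view)
        self.per_vlan = per_vlan or {}            # vlan id -> limit (VLAN view)
        self.system = system                      # limit set in the system view, or None
        self.counters = defaultdict(int)          # (scope, key, second) -> packets accepted
        self.drops = defaultdict(int)             # scope -> packets discarded

    @staticmethod
    def _limit(table, key):
        return table.get(key, table.get("default"))

    def _scope_limit(self, pkt):
        """Interface view beats VLAN view, which beats system view."""
        if pkt["interface"] in self.per_interface:
            return "interface", pkt["interface"], self.per_interface[pkt["interface"]]
        if pkt["vlan"] in self.per_vlan:
            return "vlan", pkt["vlan"], self.per_vlan[pkt["vlan"]]
        return "system", "all", self.system

    def process(self, pkt):
        """pkt = dict(t=seconds, src_mac, src_ip, dst_ip, vlan, interface). True if accepted."""
        sec = int(pkt["t"])
        checks = [
            ("source-mac", pkt["src_mac"], self._limit(self.source_mac, pkt["src_mac"])),
            ("source-ip", pkt["src_ip"], self._limit(self.source_ip, pkt["src_ip"])),
            ("destination-ip", pkt["dst_ip"], self._limit(self.destination_ip, pkt["dst_ip"])),
            self._scope_limit(pkt),
        ]
        for scope, key, limit in checks:          # any exhausted budget discards the packet
            if limit is not None and self.counters[(scope, key, sec)] >= limit:
                self.drops[scope] += 1
                return False
        for scope, key, limit in checks:          # accepted: charge every applicable budget
            if limit is not None:
                self.counters[(scope, key, sec)] += 1
        return True


def demo():
    """Constructed traffic run through limits mirroring the sample configuration."""
    lim = ArpRateLimiter(
        source_mac={"0001-0001-0001": 10},   # arp anti-attack rate-limit source-mac 0001-0001-0001 maximum 10
        source_ip={"10.9.9.2": 10},          # arp anti-attack rate-limit source-ip 10.9.9.2 maximum 10
        per_interface={"10GE1/0/1": 20},     # assumed: arp anti-attack rate-limit 20 in interface view
        per_vlan={10: 50},                   # assumed: arp anti-attack rate-limit 50 in VLAN 10 view
    )
    pkts = []
    # 1) Fixed source MAC, 25 different source IPs within one second: the flood the text describes.
    pkts += [dict(t=i / 100, src_mac="0001-0001-0001", src_ip=f"10.9.9.{100 + i}",
                  dst_ip="10.9.9.4", vlan=20, interface="10GE1/0/2") for i in range(25)]
    # 2) 12 packets from 10.9.9.2 in second 1, then 5 more in second 2 (a fresh one-second window).
    pkts += [dict(t=1 + i / 100, src_mac="00e0-fc99-9999", src_ip="10.9.9.2",
                  dst_ip="10.9.9.4", vlan=20, interface="10GE1/0/2") for i in range(12)]
    pkts += [dict(t=2 + i / 100, src_mac="00e0-fc99-9999", src_ip="10.9.9.2",
                  dst_ip="10.9.9.4", vlan=20, interface="10GE1/0/2") for i in range(5)]
    # 3) 30 distinct hosts on 10GE1/0/1 (VLAN 10) in second 3: the interface limit (20) applies,
    #    not the VLAN limit (50).
    pkts += [dict(t=3 + i / 100, src_mac=f"00e0-fc10-{i:04x}", src_ip=f"10.8.8.{10 + i}",
                  dst_ip="10.8.8.4", vlan=10, interface="10GE1/0/1") for i in range(30)]
    accepted = sum(lim.process(p) for p in pkts)
    return accepted, dict(lim.drops)


if __name__ == "__main__":
    print(demo())   # (45, {'source-mac': 15, 'source-ip': 2, 'interface': 10})
```

The model charges every applicable counter only when a packet is accepted, so a packet dropped by one limit does not consume budget under the others; the real device may order its checks differently, but the per-second window and the view precedence are what the procedures above describe.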





Source: Huawei CE6800 SW Reference Guide
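As an added example of the attack described at the top of the post (not part of the original post or of the vendor documentation), the Python script below parses raw Ethernet/ARP frames and flags the two signatures an ARP poisoner leaves on the wire: an unsolicited (gratuitous) reply, and a reply whose sender MAC conflicts with a known binding for that IP. It also checks that the Ethernet source address agrees with the ARP sender hardware address. The gateway 10.8.8.1 with MAC 00e0-fc11-1111 and the victim host 10.8.8.10 with MAC 00e0-fc22-2222 are assumptions; 0001-0001-0001 is the MAC that is rate-limited in the sample configuration, reused here as the attacker's MAC. All frames are constructed in the script.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    """'0001-0001-0001' (Huawei notation) or '00:01:...' -> 6 raw bytes."""
    return bytes.fromhex(s.replace("-", "").replace(":", ""))


def mac_str(b):
    h = b.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(op, sha, spa, tha, tpa, eth_src=None, eth_dst="ffff-ffff-ffff"):
    """Build an Ethernet+ARP frame; the Ethernet source defaults to the ARP sender MAC."""
    eth = ETH_HDR.pack(mac_bytes(eth_dst), mac_bytes(eth_src or sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Decode an IPv4-over-Ethernet ARP frame; return None for anything else."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, etype = ETH_HDR.unpack_from(frame)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    return {"op": op, "eth_src": mac_str(src), "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpMonitor:
    """Learns IP->MAC bindings from ARP traffic and flags the patterns a poisoner produces."""

    def __init__(self, static_bindings=None):
        self.static = dict(static_bindings or {})   # bindings we trust (e.g. the gateway)
        self.learned = {}                            # bindings learned from traffic
        self.alerts = []                             # (kind, ip, expected_mac, seen_mac)

    def feed(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["spa"], arp["sha"]
        if arp["eth_src"] != mac:                    # Ethernet source and ARP sender disagree
            self.alerts.append(("eth-src-mismatch", ip, arp["eth_src"], mac))
        if arp["op"] == ARP_REPLY and ip == arp["tpa"]:
            self.alerts.append(("gratuitous-reply", ip, None, mac))   # unsolicited cache update
        expected = self.static.get(ip, self.learned.get(ip))
        if expected is None:
            self.learned[ip] = mac
        elif expected != mac:
            self.alerts.append(("binding-conflict", ip, expected, mac))
        return arp


def demo():
    """Constructed traffic: a legitimate request/reply, then an attacker claiming the gateway IP."""
    gw_ip, gw_mac = "10.8.8.1", "00e0-fc11-1111"        # assumed gateway on VLAN 10
    host_ip, host_mac = "10.8.8.10", "00e0-fc22-2222"   # assumed victim host
    attacker_mac = "0001-0001-0001"                      # MAC rate-limited in the sample config
    mon = ArpMonitor(static_bindings={gw_ip: gw_mac})
    frames = [
        build_arp(ARP_REQUEST, host_mac, host_ip, "0000-0000-0000", gw_ip),          # who has gw?
        build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip, eth_dst=host_mac),    # gw answers
        # Poisoning: unsolicited reply with sender IP = target IP = gateway and the attacker's MAC.
        build_arp(ARP_REPLY, attacker_mac, gw_ip, attacker_mac, gw_ip),
    ]
    for f in frames:
        mon.feed(f)
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The static binding for the gateway is what makes the conflict detectable on the first forged frame; without it the monitor would only catch a change after a legitimate binding had been learned, which is the same reason the switch configuration above pins entries with arp anti-attack entry-check fixed-mac enable and drops gratuitous ARP.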

Mohamed_Ahmed
MVE Created Jan 20, 2021 07:45:36 Helpful(2)

Well done. Thanks for sharing.
IndianKid
IndianKid Created Jan 24, 2021 09:53:07
thanks  
Irina
Admin Created Jan 20, 2021 08:02:49 Helpful(3)

Awesome content!
Mohamed619
Created Jan 20, 2021 08:36:46 Helpful(2)

Useful content. Thanks for sharing @Indiankid
Adriale
Adriale Created Jan 20, 2021 15:06:59
:)  
IndianKid
IndianKid Created Jan 24, 2021 09:53:15
thanks  
Kevin_Thomas
Created Jan 20, 2021 10:09:24 Helpful(3)

Nice!

IndianKid
IndianKid Created Jan 24, 2021 09:53:22
thanks  
Asifsd
Created Jan 20, 2021 13:04:08 Helpful(3)

Wow, really helpful. Thanks.

Adriale
Created Jan 20, 2021 15:06:31 Helpful(2)

Very good

lucian2003
MVE Created Jan 20, 2021 16:05:24 Helpful(2)

Interesting
little_fish
Admin Created Jan 21, 2021 01:34:44 Helpful(1)

Thank you.
