After I Enable ARP Gateway Anti-Collision and Send Gateway Collision ARP Packets from a MAC Address, Why Can That MAC Address No Longer Forward Traffic


After the Address Resolution Protocol (ARP) gateway anti-collision function detects gateway collision ARP packets (ARP packets that claim the gateway IP address with a media access control (MAC) address other than the gateway's), the switch discards all packets from the source MAC address of those packets for three minutes. Traffic from that MAC address is forwarded again once the three minutes have elapsed.

Other related questions:
After the ARP gateway conflict function is enabled, why can traffic not be forwarded from the MAC address that sent the ARP gateway conflict packets
After the ARP gateway conflict function detects conflict ARP packets, it discards all packets carrying that source MAC address. The restriction is lifted three minutes later.

ARP anti-spoofing configuration on S series switch
The S series switch, except S1700, provides various methods to prevent ARP spoofing attacks.

- Configure dynamic ARP inspection (DAI). This function applies to networks where DHCP snooping is configured. It is recommended to configure DAI on the access switches. DAI can prevent man-in-the-middle attacks.
  # Enable DAI on GE 1/0/1.
  [HUAWEI] interface gigabitethernet 1/0/1
  [HUAWEI-GigabitEthernet1/0/1] arp anti-attack check user-bind enable
  # Enable DAI in VLAN 100.
  [HUAWEI] vlan 100
  [HUAWEI-vlan100] arp anti-attack check user-bind enable
- Configure fixed ARP. To prevent ARP spoofing attacks, configure fixed ARP on the gateway.
  # Enable fixed ARP in fixed MAC mode.
  [HUAWEI] arp anti-attack entry-check fixed-mac enable
- Configure ARP gateway anti-collision (available only on S5720SI/S5720S-SI, S5720EI, S5720HI, S6720EI, and modular switches). When user hosts are directly connected to the gateway, configure this function on the gateway.
  # Enable ARP gateway anti-collision.
  [HUAWEI] arp anti-attack gateway-duplicate enable
- Configure the switch to actively discard gratuitous ARP packets (available only on modular switches). If you have confirmed that the gratuitous ARP packets come from attackers, enable the gateway to actively discard gratuitous ARP packets.
  # Enable the switch to actively discard gratuitous ARP packets globally.
  [HUAWEI] arp anti-attack gratuitous-arp drop

DAI is enabled on an S series switch, and the sender MAC address in an ARP packet is supposed to be checked against the source MAC address in the Ethernet frame header. Why can an ARP packet whose sender MAC address differs from the Ethernet source MAC address pass the check
For S series switches: In versions earlier than V200R001, a DAI-enabled switch checks ARP packets against ACL rules delivered to the forwarding chip. Comparing the sender MAC address in the ARP payload with the source MAC address in the Ethernet frame header is a software check, so it is performed only when the ARP packet is sent to the CPU. A packet that passes the hardware DAI check is not sent to the CPU, so the two MAC addresses are never compared and the packet is forwarded. In V200R001 and later versions, a DAI-enabled switch checks ARP packets in software, and an ARP packet whose sender MAC address differs from the Ethernet source MAC address is discarded.
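The two checks described on this page, the DAI sender-MAC consistency check above and the three-minute gateway anti-collision block from the first answer, modelled in Python as an added example. This is not Huawei code and does not reproduce the switch's internal implementation; the gateway address 10.0.0.1, the gateway and host MAC addresses, and the frames built by build_arp() are all constructed for the example. It parses raw Ethernet+ARP frames, drops frames whose ARP sender MAC differs from the Ethernet source MAC, and, when a frame claims the gateway IP with a foreign MAC, blocks every later frame from that source MAC (of any EtherType) for 180 seconds.

```python
"""Model of two ARP checks from the page (added example, not Huawei code):
1. DAI consistency check: the sender MAC inside the ARP payload must equal the
   Ethernet source MAC, otherwise the frame is discarded.
2. Gateway anti-collision: an ARP packet whose sender IP is the gateway IP but whose
   sender MAC is not the gateway MAC is a gateway-collision packet; all traffic from
   its source MAC is dropped for three minutes (180 s).
"""
import struct
import time

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
BLOCK_SECONDS = 180                         # three minutes, as stated on the page


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(eth_src, sha, spa, tpa, op=1):
    """Build a broadcast Ethernet+ARP frame. eth_src may differ from sha to model a forged packet."""
    eth = ETH_HDR.pack(mac("ff:ff:ff:ff:ff:ff"), mac(eth_src), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, ETHERTYPE_IPV4, 6, 4, op, mac(sha), ip(spa), b"\x00" * 6, ip(tpa))
    return eth + arp


def parse_arp_payload(frame):
    """Return (sha, spa, op) from the ARP payload, or None if it is malformed."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return sha, spa, op


class ArpGuard:
    def __init__(self, gateway_ip, gateway_mac, clock=time.monotonic):
        self.gw_ip = ip(gateway_ip)
        self.gw_mac = mac(gateway_mac)
        self.clock = clock                  # injectable for testing the expiry
        self.blocked = {}                   # source MAC -> expiry timestamp

    def is_blocked(self, src_mac):
        until = self.blocked.get(src_mac)
        if until is None:
            return False
        if self.clock() >= until:
            del self.blocked[src_mac]       # the three-minute restriction has lapsed
            return False
        return True

    def inspect(self, frame):
        """Return 'forward' or 'drop:<reason>' for one Ethernet frame."""
        if len(frame) < ETH_HDR.size:
            return "drop:runt"
        _dst, src, etype = ETH_HDR.unpack_from(frame, 0)
        if self.is_blocked(src):            # applies to every EtherType, not just ARP
            return "drop:blocked"
        if etype != ETHERTYPE_ARP:
            return "forward"                # only ARP is inspected here
        parsed = parse_arp_payload(frame)
        if parsed is None:
            return "drop:malformed-arp"
        sha, spa, _op = parsed
        if sha != src:                      # DAI consistency check (V200R001+ behaviour)
            return "drop:mac-mismatch"
        if spa == self.gw_ip and sha != self.gw_mac:   # someone else claims the gateway IP
            self.blocked[src] = self.clock() + BLOCK_SECONDS
            return "drop:gateway-collision"
        return "forward"


def demo():
    """Replay the page's scenarios against a controllable clock; returns the verdicts in order."""
    now = [0.0]
    gw, host, attacker = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "de:ad:be:ef:00:01"
    guard = ArpGuard("10.0.0.1", gw, clock=lambda: now[0])
    verdicts = [
        guard.inspect(build_arp(host, host, "10.0.0.10", "10.0.0.1")),              # honest request
        guard.inspect(build_arp(host, "aa:bb:cc:00:00:02", "10.0.0.10", "10.0.0.1")),  # sender MAC != frame src
        guard.inspect(build_arp(attacker, attacker, "10.0.0.1", "10.0.0.10", op=2)),   # claims gateway IP
    ]
    # Plain IPv4 from the attacker MAC: dropped while blocked, forwarded once 180 s have passed.
    ipv4 = ETH_HDR.pack(mac(gw), mac(attacker), ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19
    verdicts.append(guard.inspect(ipv4))
    now[0] = BLOCK_SECONDS - 1
    verdicts.append(guard.inspect(ipv4))
    now[0] = BLOCK_SECONDS
    verdicts.append(guard.inspect(ipv4))
    # The gateway's own gratuitous ARP is not a collision.
    verdicts.append(guard.inspect(build_arp(gw, gw, "10.0.0.1", "10.0.0.1", op=2)))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The blocked dictionary is keyed on the Ethernet source MAC, not on anything inside the ARP payload, which is why the attacker's ordinary IPv4 traffic is dropped too: the page's answer says all packets carrying that source MAC are forbidden, and the pre-V200R001 caveat shows why the consistency check has to run in software on every inspected ARP frame rather than only on those the hardware happens to punt.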
