Does ARP attack in one VLAN affect other VLANs on S series switch


On an S series switch, except S1700, when a VLAN suffers an ARP attack, such as an ARP flood or ARP spoofing attack, the gateway cannot correctly learn ARP entries, causing a forwarding error. Packet forwarding in other VLANs is also affected.
For example, when an ARP flood attack occurs in VLAN 10 (the gateway receives many ARP packets causing a high CPU usage), user services in other VLANs are affected.

For S series switches (except S1700 switches): Different from routed proxy ARP, intra-VLAN proxy ARP and inter-VLAN proxy ARP check whether VLAN information at both ends complies with proxy requirements based on the ARP entries of source and destination IP addresses. Therefore, if the ARP entry of a destination IP address does not exist, the device broadcasts an ARP Request packet to all devices on the VLAN (including all sub VLANs in the super VLAN) to request them to learn this ARP entry. If the proxy function is enabled on multiple switches on a network but the destination IP address does not exist, the ARP broadcast packet will trigger the same proxy process on other switches, and a severe broadcast storm may occur.

For S series switches (except S1700 switches), you can configure ARP security to prevent ARP attacks. A switch may receive a large number of ARP packets when acting as a gateway. In this case, configure ARP security on the switch to protect the gateway. For example, configure the rate limit on ARP packets and ARP Miss messages to prevent ARP flood attacks. E series switches do not support the rate limit on ARP Miss messages.

Common ARP attacks include:
- ARP flood attack, also called a Denial of Service (DoS) attack: the gateway receives a large number of ARP packets, and its CPU usage rises.
- ARP spoofing attack: an attacker sends bogus ARP packets to network devices. The devices then modify their ARP entries, causing communication failures.

ARP security protects network devices against ARP attacks by learning ARP entries, limiting the ARP packet rate, and checking ARP packets. In addition to preventing ARP protocol attacks, ARP security also prevents ARP-based network scanning attacks.
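The two attack types above leave different traces at the gateway: a flood shows up as an abnormal ARP packet rate inside one VLAN, while spoofing shows up as one IP address being advertised with more than one sender MAC. The following is an added example (not code from the page or from Huawei) that applies both checks to a constructed sample of ARP packets observed per VLAN; the packet tuples, threshold and window size are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample of ARP packets as seen by a gateway:
# (timestamp_s, vlan, op, sender_ip, sender_mac). Values are made up:
# VLAN 10 carries a burst of 300 requests in 1.5 s (flood),
# VLAN 20 has one IP replied for by two different MACs (spoofing),
# VLAN 30 is normal background traffic.
SAMPLE_ARP = (
    [(i * 0.005, 10, "request", f"10.0.10.{i % 250 + 1}", "aa:aa:aa:aa:aa:01")
     for i in range(300)]
    + [(0.50, 20, "reply", "10.0.20.1", "bb:bb:bb:bb:bb:01"),
       (0.60, 20, "reply", "10.0.20.1", "cc:cc:cc:cc:cc:02"),
       (0.70, 30, "request", "10.0.30.5", "dd:dd:dd:dd:dd:05")]
)


def arp_rate_per_vlan(packets, window_s=1.0):
    """Peak number of ARP packets per fixed time bucket, for each VLAN."""
    buckets = defaultdict(Counter)
    for ts, vlan, _op, _ip, _mac in packets:
        buckets[vlan][int(ts // window_s)] += 1
    return {vlan: max(c.values()) for vlan, c in buckets.items()}


def flood_vlans(packets, threshold_pps=100, window_s=1.0):
    """VLANs whose peak ARP rate exceeds threshold_pps (assumed threshold)."""
    peaks = arp_rate_per_vlan(packets, window_s)
    return sorted(v for v, peak in peaks.items() if peak > threshold_pps)


def spoof_conflicts(packets):
    """Per VLAN, IPs that appear in ARP replies with more than one sender MAC."""
    seen = defaultdict(lambda: defaultdict(set))
    for _ts, vlan, op, ip, mac in packets:
        if op == "reply":
            seen[vlan][ip].add(mac)
    return {
        vlan: {ip: sorted(macs) for ip, macs in ips.items() if len(macs) > 1}
        for vlan, ips in seen.items()
        if any(len(macs) > 1 for macs in ips.values())
    }


if __name__ == "__main__":
    print("ARP flood suspected in VLANs:", flood_vlans(SAMPLE_ARP))
    print("IP/MAC conflicts (possible spoofing):", spoof_conflicts(SAMPLE_ARP))
```

Because the rate is tracked per VLAN, the report points at the VLAN whose ARP traffic should be rate-limited, which is the scope the page says an unprotected gateway fails to contain.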

Introduction to Native VLAN: The Native VLAN is equivalent to the default VLAN of an interface. When receiving an untagged packet, the interface adds the Native VLAN tag to the packet. When sending a packet tagged with the Native VLAN, the interface removes the tag. The default VLAN is called the PVID VLAN on Huawei switches and the Native VLAN on switches of other vendors.

Example of configuring IP subnet-based VLAN assignment for S series switches (except S1700 switches):

1. Configuration roadmap
1) Create VLANs, and add an interface to the VLANs so that the interface allows packets of IP subnet-based VLANs to pass through.
2) Enable IP subnet-based VLAN assignment on the interface, and associate IP subnets with the VLANs, so that the switch can determine the VLAN to which a received packet belongs according to the packet's source IP address or a specified subnet.

2. Configuration procedure
1) Create VLANs.
[HUAWEI] vlan batch 100 200 //Create VLAN 100 and VLAN 200.
2) Configure an interface.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type hybrid //Set the interface type to hybrid.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200 //Add the interface to VLAN 100 and VLAN 200 in untagged mode.
[HUAWEI-GigabitEthernet0/0/1] ip-subnet-vlan enable //Enable IP subnet-based VLAN assignment on the interface.
[HUAWEI-GigabitEthernet0/0/1] quit
3) Associate IP subnets with VLANs.
[HUAWEI] vlan 100
[HUAWEI-vlan100] ip-subnet-vlan 1 ip 24 priority 2 //Associate the IP subnet with VLAN 100 and set the 802.1p priority of VLAN 100 to 2.
[HUAWEI-vlan100] quit
[HUAWEI] vlan 200
[HUAWEI-vlan200] ip-subnet-vlan 1 ip 24 priority 3
[HUAWEI-vlan200] quit

