Users are frequently disconnected from the LAN when the switch serves as a gateway


Description: The device serves as a gateway, and users in the LAN are frequently disconnected.

Products and versions involved: all products and versions

Fault description: The device serves as a gateway. Users in the LAN are frequently disconnected, and the device generates a large number of alarms about IP address conflicts.
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=[IPADDR], InterfaceName=[STRING], MacAddress=[STRING])

Solution
1. Perform antivirus scanning on a PC.
2. Configure ARP gateway anti-collision on the device. After this function is enabled, the switch generates an ARP attack defense entry when it receives an ARP packet whose sender IP address is the gateway address but whose source MAC address is not the gateway's, and for a period of time it discards ARP packets whose VLAN ID or source MAC address matches that entry. This prevents ARP packets that conflict with the gateway address from being broadcast in the VLAN.
system-view
[HUAWEI] arp anti-attack gateway-duplicate enable
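To make the behaviour of step 2 concrete, the following added example (written for this page; it is not vendor code and the class, method and field names are hypothetical) models the gateway-side check: a packet that claims the gateway IP address from a foreign MAC raises an alarm in the ARP_DUPLICATE_IPADDR format shown above, is discarded, and creates a defense entry keyed on (VLAN, source MAC) that causes later ARP packets from that source to be discarded until the entry expires. The hold time of 60 seconds and matching on the VLAN/MAC pair are assumptions of the model; the real device's timer and matching rule are vendor-defined.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    """One ARP packet as seen by the gateway (constructed input, not device data)."""
    vlan: int
    in_port: str
    src_mac: str      # source MAC of the frame / ARP sender hardware address
    sender_ip: str    # ARP sender protocol address


class GatewayArpGuard:
    """Model of the ARP gateway anti-collision check (hypothetical class).

    A packet whose sender IP is the gateway's own IP but whose source MAC is not
    the gateway's MAC conflicts with the gateway: an alarm is raised, the packet
    is dropped and a defense entry keyed on (VLAN, source MAC) is recorded. Any
    ARP packet matching that entry is dropped until it expires after hold_seconds.
    """

    # Alarm text in the format the page shows in the logbuffer.
    ALARM = ("ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP "
             "address from the interface. (IpAddress={ip}, InterfaceName={port}, "
             "MacAddress={mac})")

    def __init__(self, gateway_ip, gateway_mac, hold_seconds=60):
        self.gateway_ip = gateway_ip
        self.gateway_mac = gateway_mac.lower()
        self.hold_seconds = hold_seconds      # assumed value, not the device default
        self.entries = {}                     # (vlan, src_mac) -> expiry time
        self.alarms = []

    def _expire(self, now):
        for key in [k for k, exp in self.entries.items() if exp <= now]:
            del self.entries[key]

    def handle(self, pkt, now):
        """Return 'forward', 'drop-conflict' or 'drop-entry' for one packet at time now."""
        self._expire(now)
        key = (pkt.vlan, pkt.src_mac.lower())
        if key in self.entries:
            return "drop-entry"               # matches an existing defense entry
        if pkt.sender_ip == self.gateway_ip and pkt.src_mac.lower() != self.gateway_mac:
            self.entries[key] = now + self.hold_seconds
            self.alarms.append(self.ALARM.format(ip=pkt.sender_ip, port=pkt.in_port,
                                                 mac=pkt.src_mac))
            return "drop-conflict"            # first conflicting packet creates the entry
        return "forward"


def run_demo():
    """Replay a constructed packet sequence: (time in seconds, packet)."""
    guard = GatewayArpGuard("192.0.2.1", "0001-0203-0405", hold_seconds=60)
    infected = "00aa-bbcc-dd01"
    sequence = [
        (0, ArpPacket(10, "GE0/0/3", "00aa-bbcc-dd02", "192.0.2.20")),   # normal host
        (1, ArpPacket(10, "GE0/0/7", infected, "192.0.2.1")),            # claims gateway IP
        (2, ArpPacket(10, "GE0/0/7", infected, "192.0.2.1")),            # repeat, entry exists
        (3, ArpPacket(10, "GE0/0/7", infected, "192.0.2.50")),           # its own IP, still held
        (70, ArpPacket(10, "GE0/0/7", infected, "192.0.2.50")),          # entry has expired
    ]
    outcomes = [guard.handle(pkt, t) for t, pkt in sequence]
    return outcomes, guard.alarms


if __name__ == "__main__":
    results, alarms = run_demo()
    print(results)
    for line in alarms:
        print(line)
```

The replay shows the side effect worth knowing about: while the defense entry exists, even the infected PC's legitimate ARP traffic (the packet at t=3) is discarded, so that host loses connectivity until the entry ages out. The entry protects the VLAN; it does not clean the PC, which is why step 1 is still required.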

Perform the following steps to analyze the causes:
1. Run the display logbuffer command in any view to check logs, and obtain the attacker's MAC address based on the MacAddress field.
display logbuffer
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=[IPADDR], InterfaceName=[STRING], MacAddress=[STRING]).
2. Search the MAC address table for the attacker’s MAC address to obtain the port the attack comes from.
3. After the attack source is located, it turns out that a user's PC on the LAN impersonates the gateway and sends IP address requests to the devices in the same network segment. This is caused by viruses on the PC.
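Steps 1 and 2 can be scripted when the log buffer holds many alarms. The following added example (not from the page or the vendor) parses ARP_DUPLICATE_IPADDR lines in the format shown above, counts alarms per source MAC, and maps each MAC to the port recorded in a MAC address table. The log excerpt and the MAC table records are constructed here for the example; the record layout (mac, vlan, port) is an assumption of this script, not the switch's own output format.

```python
import re
from collections import Counter

# Matches the ARP_DUPLICATE_IPADDR alarm line shown in the logbuffer output above.
ALARM_RE = re.compile(
    r"ARP/4/ARP_DUPLICATE_IPADDR:.*?\(IpAddress=(?P<ip>[^,]+),\s*"
    r"InterfaceName=(?P<iface>[^,]+),\s*MacAddress=(?P<mac>[^)]+)\)"
)


def normalize_mac(mac):
    """Reduce 0011-2233-4455, 00:11:22:33:44:55 or 001122334455 to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_alarms(log_text):
    """Return (ip, interface, mac) for every ARP_DUPLICATE_IPADDR line; other lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = ALARM_RE.search(line)
        if m:
            found.append((m["ip"].strip(), m["iface"].strip(), normalize_mac(m["mac"])))
    return found


def locate_sources(log_text, mac_table):
    """Rank alarming MACs and map each one to the port the MAC table learned it on.

    mac_table is an iterable of (mac, vlan, port) records (constructed below; in practice
    taken from the switch's MAC address table). A MAC absent from the table is reported
    with port None: its entry may have aged out, so the lookup has to be repeated while
    the alarms are still being generated.
    """
    counts = Counter()
    first_seen = {}
    for ip, iface, mac in parse_alarms(log_text):
        counts[mac] += 1
        first_seen.setdefault(mac, (ip, iface))
    table = {normalize_mac(m): (vlan, port) for m, vlan, port in mac_table}
    report = []
    for mac, n in counts.most_common():          # most frequent offender first
        ip, iface = first_seen[mac]
        vlan, port = table.get(mac, (None, None))
        report.append({"mac": mac, "alarms": n, "claimed_ip": ip,
                       "gateway_interface": iface, "vlan": vlan, "port": port})
    return report


# Constructed sample logbuffer excerpt and MAC table (not captured from a real device).
SAMPLE_LOG = """\
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=192.0.2.1, InterfaceName=Vlanif10, MacAddress=00aa-bbcc-dd01)
Info: unrelated log line, kept to show that it is ignored (constructed)
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=192.0.2.1, InterfaceName=Vlanif10, MacAddress=00aa-bbcc-dd01)
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=192.0.2.1, InterfaceName=Vlanif10, MacAddress=00aa-bbcc-dd01)
ARP/4/ARP_DUPLICATE_IPADDR:Received an ARP packet with a duplicate IP address from the interface. (IpAddress=192.0.2.1, InterfaceName=Vlanif10, MacAddress=00aa-bbcc-dd02)
"""

SAMPLE_MAC_TABLE = [
    ("00aa-bbcc-dd01", 10, "GigabitEthernet0/0/7"),
    ("00aa-bbcc-dd03", 10, "GigabitEthernet0/0/9"),
]

if __name__ == "__main__":
    for row in locate_sources(SAMPLE_LOG, SAMPLE_MAC_TABLE):
        print(row)
```

The MAC normalisation matters in practice because the alarm text, the MAC address table and a PC's own adapter listing rarely agree on separators, and a string comparison that ignores this silently misses the match. The second MAC in the sample shows the aged-out case: one alarm, no table entry, so the port must be looked up again while the alarms continue.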

Suggestion
The attacker sets the gateway address as the static IP address of the PC infected with viruses. The PC broadcasts gratuitous ARP packets on the LAN. After receiving the packets, other PCs modify their gateway ARP entries and change the gateway MAC address to the attacker’s MAC address. As a result, all users on the LAN fail to access the network and network services are interrupted.
When the attacker frequently sends gratuitous ARP packets whose source IP address is the gateway address, the gateway device receives the packets and sends notifications to the normal hosts on the LAN to claim the correct gateway address. However, the resulting frequent switching of the hosts' gateway MAC address may itself cause network interruption.

Other related questions:
Can low-end S series switches serve as gateways
You are not advised to use switches including the S2700 series, S5700LI, and S5700S-LI as gateways. The S2700 series, S5700LI, and S5700S-LI switches are Layer 2 switches. If they are used as gateways, they send all packets that need to be forwarded at Layer 3 to the CPU for software forwarding. This causes a high CPU usage. Because CAR parameters are configured to protect the CPU, a large number of packets are dropped, affecting forwarding of service packets. Therefore, it is recommended that you use high-end Layer 3 switches as gateways.

Failed to connect to the U1900 series unified gateway using Telnet
If you fail to connect to the U1900 series unified gateway using Telnet, the Telnet service is not enabled. You can enable the Telnet service using either of the following methods:
- CLI: Log in to the U1900 series unified gateway through the serial port or using SSH and run the config telnet switch on command to enable the Telnet service.
- Web: Open a web browser and enter https://Gateway IP address in the address box. On the gateway web page, click Enter management system and log in (user name: admin; password: Change_Me). Choose System > Telnet Service > Configure, select On, and click Save.
Telnet is an insecure communication protocol. Disable it immediately when it is not needed.

How are users forcibly disconnected from the AR router
When online users are unauthorized, the number of online users reaches the maximum, or AAA services need to be configured, you can force online users to go offline by specifying the domain name, interface, IP address, MAC address, slot ID, or user group. The configuration is as follows:
1. Run the display access-user command in any view to check the online users that need to be disconnected forcibly.
2. Run the cut access-user { domain domain-name | interface interface-type interface-number [ vlan vlan-id [ qinq qinq-vlan-id ] ] | ip-address ip-address [ vpn-instance vpn-instance-name ] | mac-address mac-address | slot slot-id | ssid ssid-name | user-group group-number | user-id begin-number [ end-number ] } command in the AAA view to force users to go offline based on the specified domain name, interface, IP address, MAC address, slot ID, or user group.

When the U1960 serves as the trunk gateway, how can external calls be directly connected to extensions on the registration gateway?
On the U1960 trunk gateway, configure a prefix (local call prefix) for the long number of a user on the registration gateway. The office route selection code used by the prefix is the same as that of the office route between the trunk gateway and the registration gateway. Note: The U1960 trunk gateway is used to forward the call request from the PSTN to the registration gateway of a user. To achieve this, the local call prefix for the called number must be configured on the U1960.
