Checking ARP Entries on the Gateway

Procedure

  1. Run the display arp all command on the gateway to check whether the ARP entry contents are correct, including the mappings between IP addresses, MAC addresses, and ports.

    <HUAWEI> display arp all
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE      VPN-INSTANCE
                                              VLAN
    ------------------------------------------------------------------------------
    10.10.10.1      0000-0000-1111            I -         Vlanif1
    10.10.10.10     0000-0000-1234  20        D-0         GE0/0/1
                                              1
    ------------------------------------------------------------------------------
    Total:2         Dynamic:1       Static:0    Interface:1

    If the ARP entry contents are correct, see Checking User-Side ARP Entries; otherwise, the switch is under an ARP gateway spoofing attack. Obtain packet information to find the attack source, then eliminate the attack source or configure attack defense on the gateway.

    1. Obtain packet information to find out the attack source.

      Obtain packet information on the user-side interface and analyze the source addresses in the ARP packets. On the attacking host, scan for viruses or uninstall the attack tool; alternatively, configure a blackhole MAC entry or a blacklist on the switch to discard the packets from the attack source.

      Example: Configure a blackhole MAC entry to discard the packets sent from the attack source (the MAC address below is an example value).
      <HUAWEI> system-view
      [HUAWEI] mac-address blackhole 0000-0000-0023
      

    2. Configure attack defense on the gateway.

      • If only a few users are connected, configure static ARP entries (binding IP addresses to MAC addresses) so that the IP addresses cannot be claimed by unauthorized users.
        <HUAWEI> system-view 
        [HUAWEI] arp static 10.10.10.10 0000-0000-1234 
        
      • If many users are connected, configure ARP entry fixing.
        <HUAWEI> system-view 
        [HUAWEI] arp anti-attack entry-check fixed-mac enable 
        
      NOTE:

      There are three ARP entry fixing modes:

      • fixed-all: When receiving an ARP packet, the switch discards the packet if the MAC address, interface number, or VLAN ID does not match an entry in the ARP table. This mode applies to networks where user MAC addresses and user access locations are fixed.
      • fixed-mac: When receiving an ARP packet, the switch discards the packet if the MAC address does not match the MAC address in the corresponding ARP entry. If the MAC address in the ARP packet matches that in the corresponding ARP entry while the interface number or VLAN ID does not match that in the ARP entry, the switch updates the interface number or VLAN ID in the ARP entry. This mode applies to networks where user MAC addresses are unchanged but user access locations often change.
      • send-ack: When the switch receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry. Instead, the switch sends a unicast ARP request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user. This mode applies to networks where user MAC addresses and user access locations often change.
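The check in step 1 (comparing the gateway's ARP table with the known-good IP-to-MAC bindings) can be automated against saved `display arp all` output. The following is an added example, not part of the original page or Huawei's software: it parses the wrapped output layout shown above, including the VLAN ID that is printed on a continuation line, and reports every entry whose MAC address disagrees with the expected binding. The sample output and the expected-binding table are constructed for the example; the IP addresses and MAC values are reused from the page.

```python
import re

# Constructed sample in the wrapped layout of "display arp all" shown above. The
# entry for 10.10.10.10 deliberately carries the MAC 0000-0000-0023 (the page's
# attack-source example) so that it disagrees with the known-good binding.
SAMPLE_OUTPUT = """\
IP ADDRESS      MAC ADDRESS  EXPIRE(M) TYPE INTERFACE      VPN-INSTANCE
                                       VLAN
------------------------------------------------------------------------------
10.10.10.1    0000-0000-1111           I -  Vlanif1
10.10.10.10   0000-0000-0023  20       D-0  GE0/0/1
                                       1
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0    Interface:1
"""

# Known-good IP-to-MAC bindings (values from the page's static ARP example).
EXPECTED = {"10.10.10.1": "0000-0000-1111", "10.10.10.10": "0000-0000-1234"}

# One ARP entry: IP, MAC, optional EXPIRE(M), TYPE such as "I -" or "D-0", interface.
ENTRY_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(\d+)?\s*([ISD]\s*-\s*\d*)\s+(\S+)", re.I)
# Continuation line under TYPE carrying the VLAN ID ("1", or "1/-" on firmware
# that prints VLAN/CEVLAN).
VLAN_RE = re.compile(r"^\s+(\d+)(?:/\S*)?\s*$")

def parse_display_arp(text):
    """Parse display arp all output into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ip, mac, expire, typ, iface = m.groups()
            entries.append({"ip": ip, "mac": mac.lower(), "expire": expire,
                            "type": typ.replace(" ", ""), "interface": iface,
                            "vlan": None})
        elif entries and (v := VLAN_RE.match(line)):
            entries[-1]["vlan"] = int(v.group(1))  # belongs to the previous entry
    return entries

def check_bindings(entries, expected):
    """Return (ip, seen_mac, expected_mac) for each entry whose MAC differs from
    the known-good table; a hit on the gateway IP indicates gateway spoofing."""
    return [(e["ip"], e["mac"], expected[e["ip"]].lower()) for e in entries
            if e["ip"] in expected and e["mac"] != expected[e["ip"]].lower()]

if __name__ == "__main__":
    for ip, seen, want in check_bindings(parse_display_arp(SAMPLE_OUTPUT), EXPECTED):
        print(f"{ip}: ARP table shows {seen}, expected {want}")
```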
