Checking User-Side ARP Entries

Procedure

  1. On a PC (for example, one running Windows), choose Start > Run, enter cmd, and run the arp -a command to display the ARP entries.

    C:\> arp -a
    Interface: 10.10.10.150 --- 0xb
      Internet address     Physical address      Type
      10.10.10.1           00-00-00-00-11-11    Dynamic
      10.10.10.23          00-00-00-00-22-22    Dynamic
      10.10.10.255         ff-ff-ff-ff-ff-ff    Dynamic

    1. The gateway ARP entry is modified.

      If the gateway ARP entry on the PC does not match the IP or MAC address of the gateway, either a device on the internal network has an IP address that conflicts with the gateway's, or the switch is under a bogus gateway ARP attack. Perform the following operations:

      1. Check whether a device (such as a PC, server, router, or AP) on the internal network has an IP address that conflicts with the gateway's.

        If an IP address conflict exists, change the IP address of the device. If no IP address conflict exists, capture packets on the PC and analyze the source IP addresses of the ARP packets to locate the attacking host; then scan that host for viruses or uninstall the attack tool on it. Alternatively, configure attack defense on the gateway.

      2. Enable ARP gateway anti-collision and sending of gratuitous ARP packets on the gateway.
        <HUAWEI> system-view  
        [HUAWEI] arp anti-attack gateway-duplicate enable //Enable ARP gateway anti-collision.
        [HUAWEI] arp gratuitous-arp send enable  //Enable the sending of gratuitous ARP packets.
        
      NOTE:
      • After ARP gateway anti-collision is enabled, the switch generates an ARP attack defense entry and, for a period of time, discards packets whose VLAN ID or source MAC address matches the entry. This prevents ARP packets that conflict with the gateway address from being broadcast in the VLAN.

        When receiving an ARP packet, the switch considers that the packet conflicts with the gateway address in either of the following situations:

        • The source IP address in the ARP packet is the same as the IP address of the VLANIF interface matching the inbound interface.
        • The source IP address of the ARP packet is the virtual IP address of the inbound interface, but the source MAC address is not the VRRP virtual MAC address.
      • After the sending of gratuitous ARP packets is enabled, the switch periodically refreshes the ARP entries of authorized users so that they record the correct gateway address mapping. With this function enabled, the switch sends a gratuitous ARP packet every 60 seconds.
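      An added check for the first case above (the PC's gateway ARP entry): a constructed Python example, not code from the original page or from Huawei, that parses the arp -a output format shown at the top of this procedure, compares the gateway entry with the gateway's real MAC address, and, going one step beyond the page, lists any MAC address that answers for several IP addresses, a common sign of a spoofed gateway. The sample output, gateway address and helper names are all assumptions.

```python
import re

# Constructed sample in the Windows "arp -a" format shown on this page.
ARP_OUTPUT = """\
Interface: 10.10.10.150 --- 0xb
  Internet address     Physical address      Type
  10.10.10.1           00-00-00-00-11-11    Dynamic
  10.10.10.23          00-00-00-00-22-22    Dynamic
  10.10.10.255         ff-ff-ff-ff-ff-ff    Dynamic
"""

# One entry line: IPv4 address, dashed MAC address, entry type.
ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I
)


def parse_arp_table(text):
    """Return {ip: (mac, type)} for every entry line in arp -a output."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3))
    return table


def normalize_mac(mac):
    """Accept 00-00-00-00-11-11, 00:00:00:00:11:11 or Huawei 0000-0000-1111 notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_gateway(table, gateway_ip, gateway_mac):
    """Classify the PC's gateway entry: 'ok', 'missing' or 'mismatch:<observed mac>'."""
    entry = table.get(gateway_ip)
    if entry is None:
        return "missing"
    observed = entry[0]
    return "ok" if observed == normalize_mac(gateway_mac) else f"mismatch:{observed}"


def macs_with_multiple_ips(table):
    """MAC addresses that map to more than one IP address (broadcast entry excluded)."""
    by_mac = {}
    for ip, (mac, _) in table.items():
        if mac != "ff-ff-ff-ff-ff-ff":
            by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
```

      A "mismatch" result for the gateway IP is the condition the procedure above tells you to investigate; the real gateway MAC must come from the gateway itself, not from the suspect PC.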

    2. The ARP entries of other users are modified.

      If the gateway entry in a user's ARP table does not match the IP or MAC address of the gateway, capture packets to locate the attack source, then eliminate the attack source or configure dynamic ARP inspection on the gateway.

      • If a PC uses a static IP address, create a static binding entry and configure dynamic ARP inspection.
        <HUAWEI> system-view 
        [HUAWEI] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 //Create a binding entry.
        [HUAWEI] user-bind static ip-address 10.0.0.11 mac-address 0002-0002-0002 
        [HUAWEI] interface gigabitethernet 0/0/1 //Enable dynamic ARP inspection on the interface connected to the PC.
        [HUAWEI-GigabitEthernet0/0/1] arp anti-attack check user-bind enable  
        [HUAWEI-GigabitEthernet0/0/1] quit
        
      • If a PC uses a dynamic IP address, enable DHCP snooping. When the DHCP client goes online, the switch generates a DHCP snooping binding entry for the client. Configure dynamic ARP inspection as follows:
        <HUAWEI> system-view 
        [HUAWEI] dhcp enable //Enable DHCP globally.
        [HUAWEI] dhcp snooping enable //Enable DHCP Snooping globally.
        [HUAWEI] vlan 10 //Enter the VLAN where dynamic ARP inspection needs to be enabled.
        [HUAWEI-vlan10] dhcp snooping enable //Enable DHCP snooping in the VLAN.
        [HUAWEI-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/3 //Configure the interface connected to the DHCP server as a trusted interface. If the switch itself functions as the DHCP server, this command is not required.
        [HUAWEI-vlan10] arp anti-attack check user-bind enable //Enable dynamic ARP inspection in the VLAN.
        [HUAWEI-vlan10] quit 
        

      After DHCP snooping is enabled, a binding entry is generated only after the PC obtains an IP address again. Until the binding entry exists, all ARP packets from the PC are discarded. (To make the PC obtain an IP address quickly, disable and re-enable its network adapter.)

      NOTE:
      Dynamic ARP inspection uses a binding table to prevent man-in-the-middle attacks. Before forwarding an ARP packet, the switch compares the source IP address, source MAC address, VLAN ID, and interface number in the packet with the entries in the binding table. If a matching entry exists, the switch considers the packet valid and forwards it. Otherwise, the switch treats the packet as an attack packet and discards it.
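      The two switch-side decisions described on this page, ARP gateway anti-collision (the note under step 1) and dynamic ARP inspection (the note just above), as one constructed Python model; this is an added example, not Huawei's implementation. It assumes a defense entry is keyed on the (VLAN, source MAC) pair, that its lifetime is 180 seconds (the page states no value), and the sample VLANIF, VRRP and binding values are made up except for the two user-bind entries taken from this page.

```python
class ArpGuard:
    """Constructed model of the switch logic described on this page; not Huawei code."""

    def __init__(self, vlanifs, bindings, defense_seconds=180):
        # vlanifs: vlan -> {"ip", "vrrp_vip", "vrrp_vmac"} for the gateway VLANIF
        self.vlanifs = vlanifs
        # bindings: (ip, mac, vlan, interface) tuples from user-bind or DHCP snooping
        self.bindings = set(bindings)
        # Lifetime of an ARP attack defense entry: assumed value, the page gives none
        self.defense_seconds = defense_seconds
        self.defense = {}  # (vlan, source MAC) -> expiry time

    def conflicts_with_gateway(self, src_ip, src_mac, vlan):
        """Conflict rules from the page: the source IP equals the VLANIF address,
        or equals the VRRP virtual IP while the source MAC is not the virtual MAC."""
        gw = self.vlanifs.get(vlan)
        if gw is None:
            return False
        if src_ip == gw["ip"]:
            return True
        vip = gw.get("vrrp_vip")
        return bool(vip) and src_ip == vip and src_mac != gw.get("vrrp_vmac")

    def handle(self, src_ip, src_mac, vlan, interface, now):
        """Return the switch's decision for one received ARP packet."""
        # Expire stale defense entries, then drop anything still covered by one.
        # Assumption: an entry is keyed on the (VLAN, source MAC) pair.
        self.defense = {k: t for k, t in self.defense.items() if t > now}
        if (vlan, src_mac) in self.defense:
            return "drop: defense entry"
        # ARP gateway anti-collision: a conflicting packet creates a defense entry.
        if self.conflicts_with_gateway(src_ip, src_mac, vlan):
            self.defense[(vlan, src_mac)] = now + self.defense_seconds
            return "drop: gateway conflict"
        # Dynamic ARP inspection: all four fields must match one binding entry.
        if (src_ip, src_mac, vlan, interface) in self.bindings:
            return "forward"
        return "drop: no binding"


def make_guard():
    """Constructed sample: VLAN 10 gateway with VRRP, plus the page's two user-bind entries."""
    return ArpGuard(
        vlanifs={10: {"ip": "10.0.0.254", "vrrp_vip": "10.0.0.253",
                      "vrrp_vmac": "0000-5e00-0101"}},
        bindings={("10.0.0.1", "0001-0001-0001", 10, "GE0/0/1"),
                  ("10.0.0.11", "0002-0002-0002", 10, "GE0/0/2")},
    )
```

      A host that claims the gateway's IP address is dropped and then silenced for the defense period, and a host with no binding entry (for example, a DHCP client that has not renewed its lease since snooping was enabled) is dropped as the text above describes.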
