No. Data
1 Check item in ARP packets
2 (Optional) Alarm threshold for discarded
ARP packets because they do not match the
binding table
3 (Optional) Interval at which gratuitous ARP
packets are sent
6.4.2 Configuring ARP Anti-spoofing
This section describes how to configure ARP anti-spoofing.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable
ARP anti-spoofing is enabled.
You can use only one ARP anti-spoofing mode at one time. If you run the arp anti-attack entry-
check command multiple times, only the latest configuration takes effect.
By default, ARP anti-spoofing is disabled on the AR1200-S.
----End
6.4.3 Configuring the AR1200-S to Check Source MAC Address
Consistency in ARP Packets
The AR1200-S checks validity of ARP packets and discards invalid ARP packets to defend
against ARP attacks.
Context
By default, the AR1200-S checks the following items of ARP packets:
l Packet length
l Validity of source and destination MAC addresses in the Ethernet header
l VLAN tag
l Packet type (The type field value must be 1 or 2.)
l Hardware address length
l IP address length
l Whether the ARP packet is encapsulated in an Ethernet frame
Huawei AR1200-S Series Enterprise Routers
Configuration Guide - Security 6 ARP Security Configuration
Issue 02 (2012-03-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
132
To Next Page
Loading...
