S1720, S2700, S5700, and S6720 Series Ethernet

Switches
Configuration Guide - Security 7 ARP Security Configuration

7 ARP Security Configuration

About This Chapter

This chapter describes the implementation and configuration methods of ARP

security and provides configuration examples.

7.1 Overview of ARP Security

7.2 ARP Security Solutions
7.3 Understanding ARP Security
7.4 Application Scenarios for ARP Security
7.5 Licensing Requirements and Limitations for ARP Security
7.6 Default Settings for ARP Security
7.7 Configuring Defense Against ARP Flood Attacks
7.8 Configuring Defense Against ARP Spoofing Attacks
7.9 Maintaining ARP Security
7.10 Configuration Examples for ARP Security
7.11 FAQ About ARP Security

7.1 Overview of ARP Security

Definition
Address Resolution Protocol (ARP) security prevents ARP attacks and ARP-based
network scanning attacks using a series of methods such as strict ARP learning,
dynamic ARP inspection (DAI), ARP anti-spoofing, and rate limit on ARP packets.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 290

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Purpose
ARP is easy to use but lacks security protection mechanisms. Attackers may use
ARP to attack network devices. The following ARP attacks exist on networks:
● ARP flood attack: ARP flood attacks, also called denial of service (DoS)
attacks, occur in the following scenarios:
– Processing ARP packets and maintaining ARP entries consume system
resources. Network devices limit the number of stored ARP entries to
improve ARP entry query efficiency. Attackers send a large number of
bogus ARP packets with variable source IP addresses to consume ARP
entries on a target device. Therefore, the target device cannot generate
ARP entries when receiving ARP packets from authorized users.
Consequently, communication is interrupted.
– Attackers send a large number of IP packets with unresolvable
destination IP addresses to scan the hosts on the local or remote network
segments. The target devices generate many ARP Miss messages and
deliver many temporary ARP entries. In addition, the target devices
broadcast a large number of ARP Request packets to resolve the
destination IP addresses of the IP packets received from attackers. These
operations cause CPU overloading.
● ARP spoofing attack: Attackers send bogus ARP packets to target devices,
causing these devices to modify the ARP entries of other network devices or
user hosts. As a result, these network devices or user hosts cannot
communicate with one another other.
ARP attacks cause the following problems:
● Network connections are unstable and communication is interrupted.
● Attackers initiate ARP spoofing attacks to intercept user packets and thus
obtain the accounts and passwords of the users, for example, game, online
banking, and file server accounts and passwords, leading to losses for
customers.
To address the preceding problems, ARP security can be deployed.

Benefits
● Reduces maintenance costs for network operating and security.
● Provides users with stable services on a secure network.

7.2 ARP Security Solutions

You need to select a proper ARP security solution depending on the attack type
and symptoms, as described in Table 7-1 and Table 7-2.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 291

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Table 7-1 ARP security solutions to ARP flood attacks

Symptom Identificati Anti-Attack Function Deployment
on Function Description

● Network ● A large Rate limit Limits the rate of You are

access number on ARP ARP packets, advised to
speed is of ARP packets ensuring that the enable this
slow, packets device has function on
users are are sufficient CPU the gateway.
disconne discarde resources to NOTE
cted, d process other When an
network (accordin services when access device
access is g to the receiving a large is enabled with
MAC-Forced
frequentl display number of ARP
Forwarding
y cpu- packets. (MFF), the
interrupt defend MFF module
ed, users statistics may forward
cannot packet- too many ARP
access type packets with
the destination
the { arp-
IP addresses
network, request | that are
or arp- different from
services reply } the IP address
are all of the
interrupt comman interface
receiving these
ed. d
packets, which
● The output). leads to CPU
device ● There overload. To
fails to are logs resolve this
learn problem, limit
or
the rate of
some alarms ARP packets
ARP indicatin globally, in a
entries g that VLAN, or on
because the rate an interface.
of a high of ARP
CPU packets
usage or exceeds
is the
disconne upper
cted limit on
from the the
NMS, the device.
attached
devices
are
disconne
cted
from the
network,
the
device

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 292

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Symptom Identificati Anti-Attack Function Deployment

on Function Description
frequentl ● A large Rate limit Limits the rate of You are
y number on ARP ARP Miss messages advised to
alternate of ARP Miss to defend against enable this
s packets messages attacks from a function on
between are large number of IP the gateway.
master discarde packets with
and d unresolvable
slave (accordin destination IP
states, or g to the addresses, ensuring
its display that the device has
interface cpu- sufficient CPU
indicator defend resources to
s blink statistics process other
fast red. packet- services.
● Ping type
response arp-miss
s are all
delayed, comman
packets d
are lost, output).
or the ● The
ping device
operatio generate
n fails. s a log
or an
alarm
indicatin
g that
the rate
of ARP
Miss
message
s exceeds
the
upper
limit.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 293

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Symptom Identificati Anti-Attack Function Deployment

on Function Description

In capturing ARP reply This function You are

packets, optimizatio improves the advised to
you find n stack's capability of configure this
that the defending against function on
device is ARP flood attacks. the stack that
receiving a After ARP reply is used as the
lot of ARP optimization is gateway.
packets configured, the
whose standby/slave
destination switch directly
IP address is returns an ARP
the device Reply packet when
IP address. receiving an ARP
Request packet of
which the
destination IP
address is the local
interface address.

A large Strict ARP Allows the device You are

number of learning to learn only ARP advised to
ARP packets entries for ARP enable this
are Reply packets in function on
discarded response to ARP the gateway.
(according Request packets
to the that it has sent.
display This prevents ARP
cpu-defend entries from being
statistics exhausted by
packet- invalid ARP
type { arp- packets.
request |
arp-reply } ARP entry Limits the You are
all limitation maximum number advised to
command of dynamic ARP enable this
output). entries that can be function on
learned by an the gateway.
interface on the
device, preventing
ARP entries from
being exhausted
when a host
connected to the
interface attacks
the device.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 294

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Symptom Identificati Anti-Attack Function Deployment

on Function Description

Disabling Disables an You are

ARP interface from advised to
learning on learning ARP enable this
interfaces entries, preventing function on
ARP entries from the gateway.
being exhausted
when a host
connected to the
interface attacks
the device.

Table 7-2 ARP security solutions to ARP spoofing attacks

Symptom Identificati Anti-Attack Function Deployment
on Function Description

● Users are Fixed ARP After the device You are

disconne with this function advised to
cted, enabled learns an enable this
network ARP entry for the function on
connecti first time, it does the gateway.
ons are not update or
frequentl updates only part
y of the ARP entry, or
interrupt sends a unicast
ed, users You run the ARP Request packet
cannot display arp to validate the ARP
access all packet for updating
the command the entry.
network, to find that
the user This ensures that
or valid ARP entries
services ARP entries
are will not be replaced
are by attackers using
interrupt modified.
forged ARP packets.
ed.
The device supports
● Ping three ARP entry
packets fixing modes: fixed-
are lost, all, fixed-mac, and
or the send-ack.
ping
operatio
n fails.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 295

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Symptom Identificati Anti-Attack Function Deployment

on Function Description

● Network When Dynamic Allows a device to You are

access checking ARP compare the source advised to
speed is user ARP inspection IP address, source enable this
low. entries, you MAC address, function on an
● Ping find that interface number, access device.
response the ARP and VLAN ID of an NOTE
s are entry of the ARP packet with When ARP
delayed, peer user DHCP snooping learning
communica binding entries. If triggered by
or DHCP is
packets ting with an entry is
enabled on the
are lost. the local matched, the gateway, this
user is device considers function can
modified. the ARP packet be enabled on
valid and allows the gateway.
the packet to pass
through. If no entry
is matched, the
device considers
the ARP packet
invalid and discards
the packet.
This function is
available only for
DHCP snooping
scenarios.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 296

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Symptom Identificati Anti-Attack Function Deployment

on Function Description

● Users are ● When ARP Prevents gateway You are

disconne checking gateway ARP entries on advised to
cted, user ARP anti- hosts from being enable this
network entries, collision modified by function on
connecti you find attackers using the gateway.
ons are that the bogus gateway IP
frequentl gateway' addresses.
y s ARP
interrupt entry is
ed, users modified
cannot .
access ● There
the are
network, gateway
or conflict
services logs or
are alarms
interrupt on the
ed. device.
● The
device is
disconne
cted
from an
NMS, an
attached
device is
disconne
cted, or
the
gateway
address
conflicts
occur.
● Ping
packets
are lost,
or the
ping
operatio
n fails.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 297

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Symptom Identificati Anti-Attack Function Deployment

on Function Description

● Network When Gratuitous Allows the device You are

access checking ARP packet used as the advised to
speed is user ARP sending gateway to enable this
slow, entries, you periodically send function on
users are find that ARP Request the gateway.
disconne the ARP packets whose
cted, entries of destination IP
network the address is the
access is gateway or device IP address to
frequentl peer user update the
y communica gateway MAC
interrupt ting with address in ARP
ed, users the local entries. This
cannot user are function ensures
access modified. that packets of
the authorized users
network, are forwarded to
or the gateway and
services prevents hackers
are from intercepting
interrupt these packets.
ed.
● Ping
response
s are
delayed,
packets
are lost,
or the
ping
operatio
n fails.

● Network You run the MAC Defends against You are

access display arp address attacks from bogus advised to
speed is all consistency ARP packets in enable this
slow, command check in an which the source function on
users are to find that ARP packet and destination the gateway.
disconne the user MAC addresses are
cted, ARP entries different from
network are those in the
access is modified. Ethernet frame
frequentl header.
y
interrupt
ed, users
cannot
access
the

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 298

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Symptom Identificati Anti-Attack Function Deployment

on Function Description

network, In capturing ARP packet Allows the device You are

or packets, validity to filter out packets advised to
services you find check with invalid MAC enable this
are that invalid addresses or IP function on
interrupt packets are addresses. The the gateway
ed. sent to device checks ARP or an access
● The initiate ARP packets based on device.
device is spoofing source MAC
disconne attacks. addresses,
cted destination MAC
from an addresses, or IP
NMS, an addresses.
attached
You run the Strict ARP Allows the device You are
device is
display arp learning to learn only ARP advised to
disconne
all entries for ARP enable this
cted, or
command Reply packets in function on
the
to find that response to ARP the gateway.
gateway
the user Request packets
address
ARP entries that it has sent.
conflicts
are This prevents the
occur.
modified. device from
● Ping incorrectly
response updating ARP
s are entries for the
delayed, received bogus ARP
packets packets.
are lost,
or the
ping
operatio
n fails.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 299

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Symptom Identificati Anti-Attack Function Deployment

on Function Description

● Network When ARP Allows the device You are

access checking learning to generate ARP advised to
speed is user ARP triggered by entries based on enable this
slow, entries in DHCP received DHCP ACK function on
users are DHCP packets. When the gateway.
disconne snooping many DHCP users
cted, scenarios, connect to a
network you find network device, the
access is that the device needs to
frequentl ARP table learn and maintain
y of the peer many ARP entries,
interrupt user affecting device
ed, users communica performance. This
cannot ting with function prevents
access the local this problem.
the user is You can also
network, modified. configure DAI to
or prevent ARP entries
services of DHCP users from
are being modified
interrupt maliciously.
ed.
● Ping
response
s are
delayed,
packets
are lost,
or the
ping
operatio
n fails.

7.3 Understanding ARP Security

7.3.1 Rate Limiting on ARP Packets

When a device is busy with a large number of ARP packets, the CPU may be
incapable of processing other services. To protect CPU resources of the device,
limit the rate of ARP packets.

The device provides the following measures for limiting the rate of ARP packets:

● Limiting the rate of ARP packets based on source MAC addresses or source IP
addresses

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 300

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

When detecting that a user host has sent a large number of ARP packets in a
short period, the device limits the rate of ARP packets sent from the source
MAC address or source IP address of this user host. If the number of ARP
packets received per second exceeds the threshold, the device discards the
excess ARP packets.
– Limiting the rate of ARP packets based on source MAC addresses: If a
MAC address is specified, the device limits the rate of ARP packets from
the specified source MAC address; otherwise, the device limits the rate of
ARP packets from any source MAC address.
– Limiting the rate of ARP packets based on source IP addresses: If an IP
address is specified, the device limits the rate of ARP packets from the
specified source IP address; otherwise, the device limits the rate of ARP
packets from any source IP address.
● Limiting the rate on ARP packets globally, in a VLAN, or on an interface
The maximum rate and rate limiting duration of ARP packets can be set
globally, in a VLAN, or on an interface. The configurations set in the interface
view take precedence over those set in the VLAN view, and those set in the
VLAN view take precedence over those set in the system view.
In addition, the duration for blocking ARP packets can be set on an interface.
The device then discards ARP packets that exceed the permitted maximum
number of ARP packets within the rate limiting duration, and discards all ARP
packets received within the duration specified for blocking ARP packets.
– Limiting the rate of ARP packets globally: limits all received ARP packets.
– Limiting the rate of ARP packets in a VLAN: limits the number of ARP
packets to be processed on all interfaces in a VLAN. The configuration in
a VLAN does not affect ARP entry learning on interfaces in other VLANs.
– Limiting the rate of ARP packets on an interface: limits the number of
ARP packets processed on an interface. The configuration on an interface
does not affect ARP entry learning on other interfaces.

7.3.2 Rate Limiting on ARP Miss Messages

If a network device is flooded with IP packets that contain unresolvable
destination IP addresses, the device generates a large number of ARP Miss
messages. This is because the device has no ARP entry that matches the next hop
of the route. IP packets (ARP Miss packets), which trigger ARP Miss messages, are
sent to the control board for processing. The device generates and delivers many
temporary ARP entries according to the ARP Miss messages, and sends a large
number of ARP Request packets to the destination network. This increases CPU
usage of the device and consumes considerable network bandwidth. As shown in
Figure 7-1, the attacker sends IP packets with the unresolvable destination IP
address 10.2.1.5/24 to the gateway.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 301

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Figure 7-1 ARP Miss

2. The device fails to learn the MAC

address matching 10.2.1.5, and sends an
ARP Miss message.
3. The device generates and delivers a
temporary ARP entry according to the ARP
Miss message, and sends an ARP request
Internet
packet.
4. The device deletes the temporary ARP
entry after the entry ages out. If no ARP
entry matches the IP packets forwarded by IP address MAC address
the device and the attacker keeps sending Gateway
unresolvable IP packets, the device repeats 10.2.1.5 Incomplete
steps 2 and 3.
This increases CPU usage of the device and
consumes considerable bandwidth of the 10.1.1.1/24
destination network. 10.2.1.1/24

ste
qu
1. The attacker

re
sends IP packets

P
AR with unresolvable
destination IP
address 10.2.1.5/
24.

User A User B Attacker

10.2.1.2/24 10.1.1.3/24 10.1.1.4/24

To avoid the preceding problems, the device takes measures to limit the rate of
ARP Miss messages.
● Limiting the rate of ARP Miss messages based on source IP addresses
If the rate at which ARP Miss messages are sent from a source IP address
exceeds the limit, the device considers that this address has initiated an
attack.
If the ARP Miss message processing mode is set to block, the device discards
excess ARP Miss packets and delivers an ACL to discard all subsequent packets
sent from this source IP address. If the ARP Miss message processing mode is
set to none-block, the device only discards excess ARP Miss packets.
If a source IP address is specified, the rate of ARP Miss messages triggered by
IP packets from this source IP address is limited. If no source IP address is
specified, the rate of ARP Miss messages triggered by IP packets from any
source IP address is limited.
● Limiting the rate of ARP Miss messages globally, in a VLAN, or on an interface
The maximum number of ARP Miss massages can be set globally, in a VLAN,
or on an interface. The configurations on an interface, in a VLAN, and global
configurations take effect in descending order of priority.
– Limiting the rate of ARP Miss messages globally: limits the number of
ARP Miss messages processed on the entire device.
– Limiting the rate of ARP Miss messages in a VLAN: limits the number of
ARP Miss messages processed on all interfaces in a VLAN. The

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 302

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

configuration in a VLAN does not affect IP packet forwarding on

interfaces in other VLANs.
– Limiting the rate of ARP Miss messages on an interface: limits the
number of ARP Miss messages processed on an interface. The
configuration on an interface does not affect IP packet forwarding on
other interfaces.
● Limiting the rate of ARP Miss messages by setting the aging time of
temporary ARP entries
When IP packets trigger ARP Miss messages, the device generates temporary
ARP entries and sends ARP Request packets to the destination network.
– In the aging time of temporary ARP entries:

▪ Before receiving an ARP reply packet, the device discards the IP

packets matching the temporary ARP entry and does not generate
ARP Miss messages.

▪ After receiving an ARP Reply packet, the device generates a correct

ARP entry to replace the temporary entry.
– When temporary ARP entries age out, the device clears them. If no ARP
entry matches the IP packets forwarded by the device, ARP Miss
messages and temporary ARP entries are repeatedly generated.
When a device undergoes an ARP Miss attack, you can extend the aging time
of temporary ARP entries and reduce the frequency of triggering ARP Miss
messages to mitigate the impact on the device.

7.3.3 Optimized ARP Reply

In Figure 7-2, when a stack functions as an access gateway, the stack can receive
a large number of ARP packets requesting for the stack's interface MAC address. If
all these ARP Request packets are sent to the master switch, the CPU usage of the
switch increases, and other services are affected.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 303

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Figure 7-2 Networking of optimized ARP reply

Internet

Gateway

Switch Switch

…… ……

User User User User

To address the preceding problem, enable optimized ARP reply, which improves
the switch's capability of defending against ARP flood attack. After this function is
enabled, the stack performs the following operations:
● When receiving an ARP Request packet of which the destination IP address is
the local interface address, the switch where the interface is located directly
returns an ARP Reply packet.
● When a stack system receives an ARP Request packet of which the destination
IP address is not the local interface address and intra-VLAN proxy ARP is
enabled on the master switch, the switch where the interface is located
checks whether the ARP Request packet meets the proxy condition. If so, the
switch returns an ARP Reply packet. If not, the switch discards the packet.
NOTE
The optimized ARP reply function can be configured on a stand-alone fixed switch, but does
not take effect.

By default, the optimized ARP reply function is enabled. After a device receives an
ARP Request packet, the device checks whether an ARP entry corresponding to the
source IP address of the ARP Request packet exists.
● If the corresponding ARP entry exists, the stack performs optimized ARP reply
to this ARP Request packet.
● If the corresponding ARP entry does not exist, the stack does not perform
optimized ARP reply to this ARP Request packet.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 304

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.3.4 Strict ARP Learning

If many user hosts simultaneously send a large number of ARP packets to a

device, or attackers send bogus ARP packets to the device, the following problems
occur:

● Processing ARP packets consumes many CPU resources. The device learns
many invalid ARP entries, which exhaust ARP entry resources and prevent the
device from learning ARP entries for ARP packets from authorized users.
Consequently, communication of authorized users is interrupted.
● After receiving bogus ARP packets, the device incorrectly modifies the ARP
entries. As a result, authorized users cannot communicate with one another
other.

To avoid the preceding problems, configure the strict ARP learning function on the
gateway.

After the strict ARP learning function is enabled, the device learns only ARP entries
for ARP reply packets in response to ARP Request packets that it has sent. In this
way, the device can defend against most ARP attacks.

Figure 7-3 Strict ARP learning

UserA
Gateway

Internet

UserB

The gateway responds to ARP Request

packets from User A but does not learn the
packets

The gateway learns only the ARP Reply packets

UserC in response to the ARP Request packets sent by
itself

As shown in Figure 7-3, after receiving an ARP Request packet from UserA, the
gateway sends an ARP Reply packet to UserA and adds or updates an ARP entry
matching UserA. After the strict ARP learning function is enabled on the gateway:
● The gateway does not add or update an ARP entry for userA when it receives
an ARP Request packet from UserA. If the ARP Request packet requests the
MAC address of the gateway, the gateway sends an ARP Reply packet to
UserA.
● The gateway adds or updates an ARP entry matching UserB if it sends an ARP
Request packet to UserB, after it receives the ARP Reply packet.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 305

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.3.5 ARP Entry Limiting

The ARP entry limiting function controls the number of ARP entries that a
gateway interface can learn. By default, the number of ARP entries that an
interface can dynamically learn is the same as the default number of ARP entries
supported by the device. After the ARP entry limiting function is deployed, if the
number of ARP entries that a specified interface dynamically learned reaches the
maximum, the interface cannot learn any ARP entry. This prevents ARP entries
from being exhausted when a host connecting to this interface initiates ARP
attacks.

7.3.6 Disabling ARP Learning on Interfaces

If a user host connected to an interface initiates an ARP attack, the ARP resources
of the entire device may be exhausted. When a large number of dynamic ARP
entries have been learned by an interface, disable the interface from learning
more ARP entries to ensure device security.
To precisely control ARP learning on interfaces, disable ARP learning and configure
strict ARP learning on the interfaces.

7.3.7 ARP Entry Fixing

As shown in Figure 7-4, an attacker poses as UserA to send a bogus ARP packet
to the gateway. The gateway then records an incorrect ARP entry for UserA. As a
result, UserA cannot communicate with the gateway.

Figure 7-4 ARP gateway spoofing attack

ARP entry of the gateway ARP entry is updated to

IP address Type IP address MAC Type

MAC address
address

10.1.1.2 2-2-2 Dynamic 10.1.1.2 5-5-5 Dynamic

IP: 10.1.1.2
MAC: 2-2-2
Com IP: 10.1.1.1
mun MAC: 1-1-1
icatio
n is b
locke Gateway
d
UserA

Switch Internet

rA is
f Use
dd ress o
a
MAC 5-5-5
The
Bogus ARP packets send by an attacker who forges
Attacker the gateway address
IP: 10.1.1.3 Data sent to UserA through the gateway from the
MAC: 3-3-3 Internet

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 306

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

To defend against ARP gateway spoofing attacks, configure the ARP entry fixing
function on a gateway. Upon learning an ARP entry for the first time, the gateway
enabled with this function does not update the entry, updates only part of the
entry, or sends a unicast ARP Request packet to check the validity of the ARP
packet for updating the entry.
The device supports three ARP entry fixing modes, as described in Table 7-3.

Table 7-3 ARP entry fixing modes

Mode Description

fixed-all When receiving an ARP packet, the device discards the

packet if the MAC address, interface number, or VLAN ID
does not match an ARP entry. This mode applies to
networks where user MAC addresses and user access
locations are fixed.

fixed-mac When receiving an ARP packet, the device discards the

packet if the MAC address does not match the MAC
address in the corresponding ARP entry. If the MAC
addresses match but the interface number or VLAN ID
does not match that in the ARP entry, the device updates
the interface number or VLAN ID in the ARP entry. This
mode applies to networks where user MAC addresses are
unchanged but user access locations often change.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 307

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Mode Description

send-ack When the device receives ARP packet A with a changed

MAC address, interface number, or VLAN ID, it does not
immediately update the corresponding ARP entry. Instead,
the device sends a unicast ARP Request packet to the user
with the IP address mapped to the original MAC address in
the ARP entry. The device then determines whether to
change the MAC address, VLAN ID, or interface number in
the ARP entry depending on the response from the user.
● If the device receives ARP Reply packet B within 3
seconds, and the IP address, MAC address, interface
number, and VLAN ID of the ARP entry are the same as
those in ARP Reply packet B, the device considers ARP
packet A to be an attack packet and does not update
the ARP entry.
● If the device does not receive an ARP Reply packet
within 3 seconds or the IP address, MAC address,
interface number, and VLAN ID of the ARP entry are
different from those in ARP Reply packet B, the device
sends a unicast ARP Request packet to the user with
the IP address mapped to the original MAC address
again.
– If the device receives ARP Reply packet C within 3
seconds, and the IP address, MAC address, interface
number, and VLAN ID of the ARP packet A are the
same as those in ARP Reply packet C, the device
considers ARP packet A to be valid and updates the
ARP entry based on ARP packet A.
– If the device does not receive an ARP Reply packet
within 3 seconds or the IP address, MAC address,
interface number, and VLAN ID of ARP packet A are
different from those in ARP Reply packet C, the
device considers ARP packet A to be an attack
packet and does not update the ARP entry.
This mode applies to networks where user MAC addresses
and user access locations often change.

7.3.8 DAI
A man-in-the-middle (MITM) attack is a common ARP spoofing attack.

An MITM attacker establishes connections with two ends and exchanges data
between them. The two ends consider that they are directly communicating, but
actually the attacker has controlled the entire session. In an MITM attack, the
attacker intercepts all packets going between the two ends and inserts new ones.

Figure 7-5 shows an MITM attack scenario. An attacker poses as UserB to send a
bogus ARP packet to UserA. UserA then records an incorrect ARP entry for UserB.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 308

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

The attacker easily obtains information exchanged between UserA and UserB.
Information between UserA and UserB is not protected or secure.

Figure 7-5 Man-in-the-middle attack

ARP entry of UserA ARP entry is updated to

MAC MAC
IP address Type IP address Type
address address

10.1.1.3 3-3-3 Dynamic 10.1.1.3 2-2-2 Dynamic

ARP entry of UserB ARP entry is updated to

MAC MAC
IP address Type IP address Type
address address

10.1.1.1 1-1-1 Dynamic 10.1.1.1 2-2-2 Dynamic

IP: 10.1.1.1
MAC: 1-1-1
UserA
Switch
IP: 10.1.1.2
Internet
MAC: 2-2-2

Attacker

IP: 10.1.1.3 Bogus ARP packets sent to

MAC: 3-3-3 UserA by an attacker who
simulates UserB

UserB Bogus ARP packets sent to

UserB by an attacker who
simulates UserA

To defend against MITM attacks, configure dynamic ARP inspection (DAI) on the
Switch.
DAI prevents MITM attacks from using a DHCP snooping binding table. When the
switch receives an ARP packet, it compares the source IP address, source MAC
address, interface number, and VLAN ID of the ARP packet with binding entries. If
the ARP packet matches a binding entry, the switch considers the ARP packet valid
and allows the packet to pass through. If the ARP packet does not match a
binding entry, the switch considers the ARP packet invalid and discards the packet.

NOTE

This function is available only when DHCP snooping is configured. The device enabled with
DHCP snooping generates DHCP snooping binding entries when DHCP users go online. If a user
uses a static IP address, you need to manually configure a static binding entry for the user. For
details about DHCP snooping, see Understanding DHCP Snooping.

When an attacker connected to the Switch enabled with DAI sends bogus ARP
packets, the Switch detects the attacks based on the binding entries and discards
the bogus ARP packets. When both the DAI and packet discarding alarm functions
are enabled on the Switch, the Switch generates alarms when the number of
discarded ARP packets matching no binding entry exceeds the alarm threshold.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 309

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.3.9 ARP Gateway Anti-Collision

As shown in Figure 7-6, attacker B forges the gateway address to send a bogus
ARP packet to user A. User A considers the attacker to be the gateway. User A
then records an incorrect ARP entry for the gateway. As a result, the gateway
cannot receive packets from user A and their communication is interrupted.

Figure 7-6 ARP gateway collision

Internet

Destination Source
IP address MAC address Gateway MAC MAC
...
10.1.1.1 1-1-1 5-5-5 2-2-2 ...
Data communication is
interrupted.
IP Address MAC
10.1.1.1 1-1-1
Gateway MAC
address is Updated
ARP entry is
updated. updated.
Gateway MAC
address is 5-5-5 IP Address MAC
10.1.1.1 5-5-5
Attacker B User A

IP address MAC address IP address MAC address

10.1.1.10 3-3-3 10.1.1.2 2-2-2

Pseudo gateway ARP packet sent by attacker B

Data that user A sends to the gateway

To prevent bogus gateway attacks, enable ARP gateway anti-collision on the

gateway. The gateway considers that a gateway collision occurs when a received
ARP packet meets either of the following conditions:

● The source IP address in the ARP packet is the same as the IP address of the
VLANIF interface matching the physical inbound interface of the packet.
● The source IP address in the ARP packet is the virtual IP address of the
inbound interface but the source MAC address in the ARP packet is not the
virtual MAC address of the Virtual Router Redundancy Protocol (VRRP) group.
NOTE

A VRRP group, also called a virtual router, serves as the default gateway for hosts on a
LAN. A virtual router has a virtual MAC address that is generated based on the virtual
router ID. The virtual MAC address is in the format of 00-00-5E-00-01-{VRID}(VRRP).
The virtual router sends ARP Reply packets using the virtual MAC address instead of
the interface MAC address.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 310

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

The device generates an ARP anti-collision entry and discards the received packets
with the same source MAC address and VLAN ID in a specified period. This
function prevents ARP packets with the bogus gateway address from being
broadcast in a VLAN.
In addition, you can enable gratuitous ARP packet sending on the device to
broadcast gratuitous ARP packets to all user hosts so that the bogus ARP entries
are modified. The gratuitous ARP packet is broadcast to all users so that incorrect
ARP entries are corrected.

7.3.10 Gratuitous ARP Packet Sending

As shown in Figure 7-7, an attacker forges the gateway address to send a bogus
ARP packet to UserA. UserA then records an incorrect ARP entry for the gateway.
As a result, the gateway cannot receive packets from UserA.

Figure 7-7 Bogus gateway attack

ARP entry of UserA ARP entry is updated to

IP address MAC address Type IP address MAC address Type

10.1.1.1 1-1-1 Dynamic 10.1.1.1 3-3-3 Dynamic

IP: 10.1.1.2
MAC: 2-2-2
Com
mun IP: 10.1.1.1
icatio
n is b MAC: 1-1-1
locke
d
UserA Gateway
The MAC Internet
address of the
gateway is 3-3-3
Switch

Attacker Bogus ARP packets send by an attacker who

forges the gateway address
IP: 10.1.1.3
Data sent from UserA to the
MAC: 3-3-3
gateway

To avoid the preceding problem, configure gratuitous ARP packet sending on the
gateway. Then the gateway sends gratuitous ARP packets at intervals to update
the ARP entries of authorized users so that the ARP entries contain the correct
MAC address of the gateway.

7.3.11 ARP Gateway Protection

If an attacker on the network shown in Figure 7-8 poses as a gateway to send
ARP packets, other users on the network consider the attacker to be a gateway,

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 311

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

causing a communication interruption between authorized users and gateway.

This situation will also happen if a user incorrectly sets the host IP address as the
gateway address. To prevent such bogus gateway attacks, configure ARP gateway
protection on the device's interfaces connected to the gateway and set the
protected gateway address to 10.1.1.1. When the ARP packets of which the source
IP address is gateway address 10.1.1.1 reach a device:
● The interfaces with gateway protection enabled can receive and forward the
ARP packets.
● The interfaces without gateway protection enabled discard the ARP packets.

Figure 7-8 ARP gateway protection

ARP packet: source IP
is 10.1.1.1

IP：10.1.1.1
UserA Gateway

Switch Internet

ARP packet: source IP

address is 10.1.1.1
Interface with gateway protection enabled
Interface without gateway protection enabled
Attacker ARP packet sent by attacker
ARP packet sent by gateway

7.3.12 MAC Address Consistency Check in an ARP Packet

The MAC address consistency check function for ARP packets prevents attacks
from bogus ARP packets in which the source and destination MAC addresses are
different from those in the Ethernet frame header. This function is usually
configured on gateways.
This function enables the gateway to check the MAC address consistency in an
ARP packet before ARP learning. If the source and destination MAC addresses in
an ARP packet are different from those in the Ethernet frame header, the device
discards the packet as an attack. If the source and destination MAC addresses in
an ARP packet are the same as those in the Ethernet frame header, the device
performs ARP learning.

7.3.13 ARP Packet Validity Check

This function allows the device to filter out packets with invalid MAC addresses or
IP addresses. The device checks validity of an ARP packet based on each or any
combination of the following items:
● Source MAC address: The device compares the source MAC address in an ARP
packet with that in the Ethernet frame header. If they are the same, the
packet is valid. If they are different, the device discards the packet.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 312

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

● Destination MAC address: The device compares the destination MAC address
in an ARP packet with that in the Ethernet frame header. If they are the same,
the packet is valid. If they are different, the device discards the packet.
● IP address: The device checks the source and destination IP addresses in an
ARP packet. If the source or destination IP address is all 0s, all 1s, or a
multicast IP address, the device discards the packet as an invalid packet. The
device checks both the source and destination IP addresses in an ARP Reply
packet but checks only the source IP address in an ARP Request packet.

7.3.14 ARP Learning Triggered by DHCP

When many DHCP users connect to a network device, the device needs to learn
and maintain many ARP entries. This affects device performance.
To address this issue, configure ARP learning triggered by DHCP on the gateway.
When the DHCP server allocates an IP address for a user, the gateway generates
an ARP entry for the user based on the DHCP ACK packet received on the VLANIF
interface. Ensure that DHCP snooping has been enabled before using ARP learning
triggered by DHCP.
You can also configure DAI to prevent ARP entries of DHCP users from being
modified maliciously.

7.3.15 ARP Proxy on a VPLS Network

To prevent bogus ARP packets at the PW side from being broadcast to the AC side
on a VPLS network, enable ARP proxy and DHCP snooping over VPLS on a PE.
ARP packets at the PW side are sent to the CPU:
● If the ARP packets are ARP Request packets and the destination IP addresses
in the packets match DHCP snooping binding entries, the device constructs
ARP Reply packets based on the DHCP snooping binding entries. The device
then sends the ARP Reply packets to the requester at the PW side.
● If the ARP packets are not ARP Request packets or the destination IP
addresses in the packets do not match a DHCP snooping binding entry, the
device forwards these ARP packets to the destination.
NOTE

Only the S5720HI supports this function.

7.4 Application Scenarios for ARP Security

7.4.1 Defense Against ARP Flood Attacks

As shown in Figure 7-9, user hosts connect to the gateway through SwitchA and
SwitchB. If a large number of ARP packets are broadcast on the network, the
gateway cannot process other services due to CPU overload. Processing too many
ARP packets will occupy considerable bandwidth, thus leading to network
congestion and affecting network communication.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 313

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Figure 7-9 Defending against ARP flood attacks

Internet

Gateway

SwitchA SwitchB

UserA UserB UserC UserD Attacker

To avoid the preceding problems, deploy ARP flood defense functions on the
gateway, including rate limit on ARP packets, rate limit on ARP Miss messages,
strict ARP learning, and ARP entry limit.
● After rate limit on ARP packets is deployed, the gateway collects statistics on
received ARP packets. If the number of ARP packets received within a
specified period exceeds the threshold (the maximum number of ARP
packets), the gateway discards the excess ARP packets to prevent CPU
overload.
● After rate limit on ARP Miss messages is deployed, the gateway collects
statistics on ARP Miss messages. If the number of ARP Miss messages
generated within a specified period exceeds the threshold (the maximum
number of ARP Miss messages), the gateway discards the IP packets
triggering the excess ARP Miss messages. This prevents CPU overload when
the gateway processes a large number of IP packets with unresolvable IP
addresses.
● After strict ARP learning is deployed, the gateway learns only the ARP Reply
packets in response to the ARP Request packets that it has sent. This action
prevents ARP entries on the gateway from being exhausted when the gateway
processes many ARP packets.
● After ARP entry limit is deployed, the gateway limits the number of ARP
entries dynamically learned by each interface. When the number of the ARP
entries dynamically learned by an interface reaches the maximum number, no
more dynamic entries can be added. This prevents ARP entries from being
exhausted when a host connected to the interface attacks the gateway.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 314

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.4.2 Defense Against ARP Spoofing Attacks

As shown in Figure 7-10, UserA, UserB, and UserC use Switch to connect to the
gateway to access the Internet.
Generally, when UserA, UserB, and UserC go online and exchange ARP packets,
ARP entries are created on UserA, UserB, UserC, and the gateway. At the same
time, an attacker can send bogus ARP packets to UserA, UserB, UserC, or the
gateway in the broadcast domain to modify ARP entries, intercept information,
and interrupt communication.

Figure 7-10 Defending against ARP spoofing attacks

UserA

UserB Switch Gateway

Internet

UserC

Attacker

To avoid the preceding problems, deploy ARP spoofing defense functions on the
gateway, including rate ARP entry fixing, strict ARP learning, and gratuitous ARP
packet sending. You can deploy DAI on the access device for DHCP users.
● After ARP entry fixing is deployed and the gateway learns an ARP entry for
the first time, the gateway does not update the entry, updates only part of
the entry, or sends a unicast ARP Request packet to check the validity of the
ARP packet for updating the entry. This function prevents ARP entries from
being modified by bogus ARP packets.
● After strict ARP learning is deployed, the gateway learns only the ARP Reply
packets in response to the ARP Request packets that it has sent. This prevents
ARP entries from being modified by bogus ARP packets.
● After gratuitous ARP packet sending is deployed, the gateway periodically
sends ARP Request packets with its IP address as the destination IP address to
update the gateway MAC address in ARP entries. This function ensures that
packets of authorized users are forwarded to the gateway and prevents
hackers from intercepting these packets.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 315

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

● The DAI function allows the switch to compare the source IP address, source
MAC address, interface number, and VLAN ID of an ARP packet with binding
entries. If the ARP packet matches a binding entry, the device considers the
ARP packet valid and allows the packet to pass through. If the ARP packet
does not match a binding entry, the device considers the ARP packet invalid
and discards the packet. This function prevents MITM attacks.

7.5 Licensing Requirements and Limitations for ARP

Security

Involved Network Elements

Other network elements are not required.

Licensing Requirements
ARP security configuration commands are available only after the S1720GW,
S1720GWR, and S1720X have the license (WEB management to full management
Electronic RTU License) loaded and activated and the switches are restarted. ARP
security configuration commands on other models are not under license control.
For details about how to apply for a license, see S Series Switch License Use
Guide.

Version Requirements

Table 7-4 Products and versions supporting ARP security

Product Product Software Version
Model

S1700 S1720GFR V200R006C10, V200R009C00, V200R010C00,

V200R011C00, V200R011C10

S1720GW V200R010C00, V200R011C00, V200R011C10

and
S1720GWR

S1720GW- V200R010C00, V200R011C00, V200R011C10

E and
S1720GWR
-E

S1720X V200R011C00, V200R011C10

and
S1720X-E

Other Models that cannot be configured using commands.

S1700 For details about features and versions, see S1700
models Documentation Bookshelf.

S2700 S2700SI Not supported

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 316

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Product Product Software Version

Model

S2700EI V100R005C01, V100R006(C00&C01&C03&C05)

S2710SI V100R006(C03&C05)

S2720EI V200R006C10, V200R009C00, V200R010C00,

V200R011C10

S2750EI V200R003C00, V200R005C00SPC300, V200R006C00,

V200R007C00, V200R008C00, V200R009C00,
V200R010C00, V200R011C00, V200R011C10

S3700 S3700SI V100R005C01, V100R006(C00&C01&C03&C05)

and
S3700EI

S3700HI V100R006C01, V200R001C00

S5700 S5700LI V200R001C00, V200R002C00,

V200R003(C00&C02&C10), V200R005C00SPC300,
V200R006C00, V200R007C00, V200R008C00,
V200R009C00, V200R010C00, V200R011C00,
V200R011C10

S5700S-LI V200R001C00, V200R002C00, V200R003C00,

V200R005C00SPC300, V200R006C00, V200R007C00,
V200R008C00, V200R009C00, V200R010C00,
V200R011C00, V200R011C10

S5710-C-LI V200R001C00

S5710-X-LI V200R008C00, V200R009C00, V200R010C00,

V200R011C00, V200R011C10

S5700SI V100R005C01, V100R006C00, V200R001C00,

V200R002C00, V200R003C00, V200R005C00

S5700EI V100R005C01, V100R006(C00&C01),

V200R001(C00&C01), V200R002C00, V200R003C00,
V200R005(C00&C01&C02&C03)

S5710EI V200R001C00, V200R002C00, V200R003C00,

V200R005(C00&C02)

S5720EI V200R007C00, V200R008C00, V200R009C00,

V200R010C00, V200R011C00, V200R011C10

S5720LI V200R010C00, V200R011C00, V200R011C10

and
S5720S-LI

S5720SI V200R008C00, V200R009C00, V200R010C00,

and V200R011C00, V200R011C10
S5720S-SI

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 317

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Product Product Software Version

Model

S5700HI V100R006C01, V200R001(C00&C01), V200R002C00,

V200R003C00, V200R005(C00SPC500&C01&C02)

S5710HI V200R003C00, V200R005(C00&C02&C03)

S5720HI V200R006C00, V200R007(C00&C10), V200R008C00,

V200R009C00, V200R010C00, V200R011C00,
V200R011C10

S5730SI V200R011C10

S5730S-EI V200R011C10

S6700 S6700EI V100R006C00, V200R001(C00&C01), V200R002C00,

V200R003C00, V200R005(C00&C01&C02)

S6720LI V200R011C00, V200R011C10

and
S6720S-LI

S6720SI V200R011C00, V200R011C10

and
S6720S-SI

S6720EI V200R008C00, V200R009C00, V200R010C00,

V200R011C00, V200R011C10

S6720S-EI V200R009C00, V200R010C00, V200R011C00,

V200R011C10

NOTE
To know details about software mappings, see Hardware Query Tool.

Feature Limitations
● For ARP packets, when rate limiting is configured globally, in a VLAN, or on
an interface and rate limiting based on the source MAC address or source IP
address is also configured, the smallest rate is used.
● For ARP Miss messages, when rate limiting is configured globally, in a VLAN,
or on an interface and rate limiting based on the source IP address is also
configured, the smallest rate is used.
● When resources are sufficient, DAI can be enabled in a maximum of 10
VLANs.

7.6 Default Settings for ARP Security

Table 7-5 describes the default settings for ARP security.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 318

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Table 7-5 Default settings for ARP security

Parameter Default Setting

Rate limit on ARP packets based on The maximum rate of ARP packets
source MAC addresses from each source MAC address is set
to 0, that is, the rate of ARP packets is
not limited based on the source MAC
address.

Rate limit on ARP packets based on The device allows a maximum of 30

source IP addresses ARP packets from the same source IP
address to pass through per second.

Rate limit on ARP packets globally, in a Disabled

VLAN, or on an interface

Maximum rate and rate limiting The device allows a maximum of 100
duration of ARP packets globally, in a ARP packets to pass through per
VLAN, or on an interface second.

Discarding all ARP packets on the Disabled

interface when the rate limit is
exceeded

Alarm that ARP packets are being Disabled

discarded when the rate limit is
exceeded globally, in a VLAN, or on an
interface

Alarm threshold for ARP packets to be 100

discarded when the rate limit is
exceeded globally, in a VLAN, or on an
interface

Rate limit on ARP Miss messages The device can process a maximum of
based on source IP addresses 30 ARP Miss messages triggered by IP
packets from the same source IP
address. If the number of ARP Miss
messages per second exceeds the limit,
the device discards the excess ARP
Miss messages. The device then uses
the block mode to discard all ARP Miss
packets from the source IP address
within 5 minutes by default.

Rate limit on ARP Miss messages Disabled

globally, in a VLAN, or on an interface

Maximum rate and rate limiting The device can process a maximum of
duration of ARP Miss messages 100 ARP Miss messages per second.
globally, in a VLAN, or on an interface

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 319

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Parameter Default Setting

Alarm that ARP Miss messages are Disabled

being discarded when the rate limit is
exceeded globally, in a VLAN, or on an
interface

Alarm threshold for ARP Miss 100

messages to be discarded when the
rate limit is exceeded globally, in a
VLAN, or on an interface

Aging time of temporary ARP entries 3 seconds

Optimized ARP reply Enabled

Strict ARP learning Disabled

Interface-based ARP entry limit The maximum number of ARP entries

that an interface can dynamically learn
is the same as the number of ARP
entries supported by the device.

ARP entry fixing Disabled

DAI Disabled

ARP gateway anti-collision Disabled

Gratuitous ARP packet sending Disabled

Interval for sending gratuitous ARP 60 seconds

packets

MAC address consistency check in an Disabled

ARP packet

ARP packet validity check Disabled

ARP learning triggered by DHCP Disabled

ARP proxy on a VPLS network Disabled

7.7 Configuring Defense Against ARP Flood Attacks

Configuring defense against ARP flood attacks prevents ARP entries from being
exhausted and CPU overload.

Pre-configuration Tasks
Before configuring defense against ARP flood attacks, connect interfaces and set
physical parameters for the interfaces to ensure that the physical status of the
interfaces is Up.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 320

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Configuration Procedure
Operations in the configuration procedure can be performed in any sequence.

7.7.1 Configuring Rate Limiting on ARP Packets based on

Source MAC Addresses

Context
A large number of ARP packets with a fixed source MAC address and variable IP
addresses will cause the CPU of a device to be overloaded and exhaust ARP
entries.

To prevent this problem, configure the gateway to limit the rate of ARP packets
based on MAC addresses. The gateway then collects statistics on ARP packets sent
from certain MAC addresses to the CPU. If the number of ARP packets received in
one second from the specified MAC address exceeds the threshold, the device
discards the excess ARP packets.

NOTE

Only the S5720HI, S5720EI and S6720EI/S6720S-EI support this function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure rate limiting on ARP packets based on source MAC addresses.
● Run arp speed-limit source-mac maximum maximum
The maximum rate of ARP packets from any source MAC address is set
● Run arp speed-limit source-mac mac-address maximum maximum
The maximum rate of ARP packets from the specified source MAC address is
set.

When both the preceding commands are executed, the arp speed-limit source-
mac mac-address maximum maximum command takes effect on ARP packets
from the specified source MAC address, and the arp speed-limit source-mac
maximum maximum command takes effect on ARP packets from other source
MAC addresses.

By default, the maximum rate of ARP packets from each source MAC address is
set to 0, that is, the rate of ARP packets is not limited based on source MAC
addresses.

After the optimized ARP reply function (disabled by default) is enabled using the
undo arp optimized-reply disable command, rate limiting on ARP packets based
on the source MAC address does not take effect.

----End

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 321

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.7.2 Configuring Rate Limiting on ARP Packets based on

Source IP Addresses

Context
When processing a large number of ARP packets with fixed IP addresses (for
example, MAC addresses or outbound interfaces that match a source IP address
frequently change), the CPU is overloaded and cannot process other services.

To prevent this problem, configure the gateway to limit the rate of ARP packets
based on source IP addresses. The gateway collects statistics on ARP packets from
a specified source IP address. If the number of ARP packets received in one second
from the specified IP address exceeds the threshold, the device discards the excess
ARP packets.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure rate limit on ARP packets based on source IP addresses.

● Run arp speed-limit source-ip maximum maximum
The maximum rate of ARP packets from any source IP address is set.
● Run arp speed-limit source-ip ip-address maximum maximum
The maximum rate of ARP packets from the specified source IP address is set.

When both the preceding commands are executed, the maximum rate set using
the arp speed-limit source-ip ip-address maximum maximum command takes
effect on ARP packets from the specified source IP address, and the maximum rate
set using the arp speed-limit source-ip maximum maximum command takes
effect on ARP packets from other source IP addresses.

By default, the device allows a maximum of 30 ARP packets from the same source
IP address to pass through per second.

After the optimized ARP reply function (disabled by default) is enabled using the
undo arp optimized-reply disable command, rate limiting on ARP packets based
on the source IP address does not take effect.

----End

7.7.3 Configuring Rate Limiting on ARP Packets Globally, in a

VLAN, or on an Interface

Context
When processing a large number of ARP packets, a device consumes many CPU
resources and cannot process other services. To protect CPU resources of the
device, limit the rate of ARP packets.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 322

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

After rate limiting on ARP packets is enabled, set the maximum rate and rate
limiting duration of ARP packets globally, in a VLAN, or on an interface. In the rate
limiting duration, if the number of received ARP packets exceeds the limit, the
device discards the excess ARP packets.
● Limiting the rate of ARP packets globally: limits the number of ARP packets
processed on the entire device.
● Limiting the rate of ARP packets in a VLAN: limits the number of ARP packets
to be processed on all interfaces in a VLAN. The configuration in a VLAN does
not affect ARP entry learning on interfaces in other VLANs.
● Limiting the rate of ARP packets on an interface: limits the number of ARP
packets processed on an interface. The configuration on an interface does not
affect ARP entry learning on other interfaces.
If the maximum rate and rate limiting duration are configured in the system view,
VLAN view, and interface view at the same time, the device uses the
configurations in the interface view, VLAN view, and system view in order.
If you want the device to generate alarms to notify the network administrator of a
large number of discarded excess ARP packets, enable the alarm function. When
the number of discarded ARP packets exceeds the alarm threshold, the device
generates an alarm.
Perform the following steps on the gateway.

NOTE

MAC-Forced Forwarding (MFF) may increase the load on an access device's CPU. This is
because the MFF module may forward too many ARP packets whose destination IP
addresses are different from the IP address of the interface receiving these packets. To
resolve this problem, limit the rate of ARP packets globally, in a VLAN, or on an interface.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run interface interface-type interface-number or vlan vlan-id
The interface or VLAN view is displayed.
If you configure rate limiting on ARP packets in the system view, skip the
preceding step.
Step 3 (Optional) On an Ethernet interface, run undo portswitch
The interface is switched to Layer 3 mode.
By default, an Ethernet interface works in Layer 2 mode.
NOTE

Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support switching between Layer 2 and
Layer 3 modes.

Step 4 Run arp anti-attack rate-limit enable

Rate limiting on ARP packets is enabled.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 323

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

By default, rate limiting on ARP packets is disabled.

After the optimized ARP reply function (disabled by default) is enabled using the
undo arp optimized-reply disable command, rate limiting on ARP packets
globally, in a VLAN, or on an Interface does not take effect.
Step 5 Run arp anti-attack rate-limit packet packet-number [ interval interval-value |
block-timer timer ] *
The maximum rate and rate limiting duration for ARP packets are set, and the
function to discard all ARP packets received from the interface when the rate of
ARP packets exceeds the limit (block mode) is enabled.
The system view and VLAN view do not support block timer timer.
By default, a maximum of 100 ARP packets are allowed to pass per second, and
the function to discard all ARP packets received from the interface when the rate
of ARP packets exceeds the limit is disabled.

NOTE

This command can be configured on a maximum of 16 interfaces.

The arp anti-attack rate-limit command takes effect only on ARP packets sent to the CPU
for processing in none-block mode, and does not affect ARP packet forwarding by the chip.
In block mode, only when the number of ARP packets sent to the CPU exceeds the limit,
does the device discard subsequent ARP packets on the interface.

Step 6 (Optional) Run arp anti-attack rate-limit alarm enable

The alarm function for discarded ARP packets when the rate of ARP Miss packets
exceeds the limit is enabled.
By default, the alarm function for ARP packets discarded when the rate of ARP
packets exceeds the limit is disabled.
Step 7 (Optional) Run arp anti-attack rate-limit alarm threshold threshold
The alarm threshold of ARP packets discarded when the rate of ARP packets
exceeds the limit is set.
By default, the alarm threshold of ARP packets discarded when the rate of ARP
packets exceeds the limit is 100.

----End

7.7.4 Configuring Rate Limiting on ARP Miss Messages based

on Source IP Addresses

Context
If a network device is flooded with IP packets that contain unresolvable
destination IP addresses, the device generates a large number of ARP Miss
messages. This is because the device has no ARP entry that matches the next hop
of the route. IP packets triggering ARP Miss messages are sent to the device for
processing. The device generates a large number of temporary ARP entries and
sends many ARP Request packets to the network, consuming a large number of
CPU and bandwidth resources.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 324

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

If the number of ARP Miss messages triggered by IP packets from a source IP

address per second exceeds the limit, the device considers that an attack has been
initiated from the source IP address.

If the ARP Miss packet processing mode is set to block, the CPU of the device
discards excess ARP Miss messages and delivers an ACL to discard all subsequent
packets that are sent from this source IP address. If the ARP Miss packet
processing mode is set to none-block, the CPU discards excess ARP Miss
messages. When ARP Miss messages are discarded, corresponding ARP Miss
packets are discarded.

The maximum number of ARP Miss messages and ARP Miss packet processing
mode can be set based on the actual network environment.

NOTE

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI,
S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this function.

Perform the following steps on the gateway.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Configure rate limiting on ARP Miss messages based on source IP addresses.
● Run arp-miss speed-limit source-ip maximum maximum
The maximum rate of ARP Miss messages triggered by IP packets from any
source IP address is set.
● Run arp-miss speed-limit source-ip ip-address [ mask mask ] maximum
maximum [ none-block | block timer timer ](The S5720SI, S5720S-SI,
S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI do not
support [ none-block | block timer timer ].)
The maximum rate of ARP Miss messages triggered by IP packets from the
specified IP address is set, and ARP Miss packet processing mode is specified.

When the preceding configurations are both performed, the maximum rate set
using the arp-miss speed-limit source-ip ip-address [ mask mask ] maximum
maximum [ none-block | block timer timer ] command takes effect on ARP Miss
messages triggered IP packets from the specified source IP address, and the
maximum rate set using the arp-miss speed-limit source-ip maximum maximum
command takes effect on ARP Miss messages triggered by IP packets from other
source IP addresses.

If the maximum rate of ARP Miss messages is set to 0, the rate of ARP Miss
messages is not limited based on source IP addresses. By default, the device
accepts a maximum of 500 ARP Miss messages triggered by IP packets from the
same source IP address per second.

If the number of ARP Miss messages triggered by IP packets from the same source
IP address per second exceeds the limit, the device discards the excess ARP Miss

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 325

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

packets. By default, a device uses the block mode to discard all ARP Miss packets
from the source IP address within five minutes.

----End

7.7.5 Configuring Rate Limiting on ARP Miss Messages

Globally, in a VLAN, or on an Interface

Context
If a network device is flooded with IP packets that contain unresolvable
destination IP addresses, the device generates a large number of ARP Miss
messages. This is because the device has no ARP entry that matches the next hop
of the route. IP packets triggering ARP Miss messages are sent to the device for
processing. The device generates a large number of temporary ARP entries and
sends many ARP Request packets to the network, consuming a large number of
CPU and bandwidth resources.

To avoid the preceding problems, it is recommended that you configure rate limit
on ARP Miss messages on the gateway.

● Limiting the rate of ARP Miss messages globally: limits the number of ARP
Miss messages processed on the entire device.
● Limiting the rate of ARP Miss messages in a VLAN: limits the number of ARP
Miss messages processed on all interfaces in a VLAN. The configuration in a
VLAN does not affect IP packet forwarding on interfaces in other VLANs.
● Limiting the rate of ARP Miss messages on an interface: limits the number of
ARP Miss messages processed on an interface. The configuration on an
interface does not affect IP packet forwarding on other interfaces.

If rate limit on ARP Miss messages is configured in the system view, VLAN view,
and interface view, the device uses the configurations in the interface view, VLAN
view, and system view in order.

If you want that the device can generate alarms to notify the network
administrator of a large number of discarded ARP Miss packets, enable the alarm
function. When the number of discarded ARP Miss packets exceeds the alarm
threshold, the device generates an alarm.

NOTE

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI,
S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 (Optional) Run interface interface-type interface-number or vlan vlan-id

The interface view or VLAN view is displayed.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 326

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

NOTE

If you configure rate limiting on ARP Miss messages in the system view, skip the preceding step.

Step 3 (Optional) On an Ethernet interface, run undo portswitch

The interface is switched to Layer 3 mode.

By default, an Ethernet interface works in Layer 2 mode.

NOTE

Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support switching between Layer 2 and
Layer 3 modes.

Step 4 Run arp-miss anti-attack rate-limit enable

Rate limiting on ARP Miss messages is enabled.

By default, rate limiting on ARP Miss messages is disabled.

Step 5 Run arp-miss anti-attack rate-limit packet packet-number [ interval interval-

value ]
The maximum rate and rate limiting duration of ARP Miss messages are set.

By default, the device can process a maximum of 100 ARP Miss messages per
second.

Step 6 (Optional) Run arp-miss anti-attack rate-limit alarm enable

The alarm function for ARP Miss packets discarded when the rate of ARP Miss
packets exceeds the limit is enabled.

By default, the alarm function is disabled.

Step 7 (Optional) Run arp-miss anti-attack rate-limit alarm threshold threshold

The alarm threshold for ARP Miss packets discarded when the rate of ARP Miss
packets exceeds the limit is set.

By default, the alarm threshold is 100.

----End

7.7.6 Configuring the Aging Time of Temporary ARP Entries

Context
In addition to generating ARP Miss messages, the device generates temporary ARP
entries and sends ARP Request packets to the destination network.
● In the aging time of temporary ARP entries:
– Before receiving an ARP reply packet, the device discards the IP packets
matching the temporary ARP entry and does not generate ARP Miss
messages.
– After receiving an ARP Reply packet, the device generates a correct ARP
entry to replace the temporary entry.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 327

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

● When temporary ARP entries age out, the device clears them. If no ARP entry
matches the IP packets forwarded by the device, ARP Miss messages and
temporary ARP entries are repeatedly generated.
You can limit the rate of ARP Miss messages by setting the aging time of
temporary ARP entries. When a device undergoes an ARP Miss attack, you can
extend the aging time of temporary ARP entries to reduce the frequency of
triggering ARP Miss messages so that the impact on the device is minimized.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run interface interface-type interface-number
The interface view is displayed.
Step 3 (Optional) On an Ethernet interface, run undo portswitch
The interface is switched to Layer 3 mode.
By default, an Ethernet interface works in Layer 2 mode.
NOTE

Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support switching between Layer 2 and
Layer 3 modes.

Step 4 Run arp-fake expire-time expire-time

The aging time of temporary ARP entries is set.
By default, the aging time of temporary ARP entries is 3 seconds.

----End

7.7.7 Configuring the Optimized ARP Reply Function

Context
When a stack functions as an access gateway, the stack can receive a large
number of ARP packets requesting for the stack's interface MAC address. If all
these ARP Request packets are sent to the master switch, the CPU usage of the
switch increases, and other services are affected.
To address the preceding problem, enable optimized ARP reply, which improves
the switch's capability of defending against ARP flood attack. After this function is
enabled, the stack performs the following operations:
● When receiving an ARP Request packet of which the destination IP address is
the local interface address, the switch where the interface is located directly
returns an ARP Reply packet.
● When a stack system receives an ARP Request packet of which the destination
IP address is not the local interface address and intra-VLAN proxy ARP is
enabled on the master switch, the switch where the interface is located
checks whether the ARP Request packet meets the proxy condition. If so, the
switch returns an ARP Reply packet. If not, the switch discards the packet.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 328

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

NOTE
The optimized ARP reply function can be configured on a stand-alone fixed switch, but does
not take effect.

By default, the optimized ARP reply function is enabled. After a device receives an
ARP Request packet, the device checks whether an ARP entry corresponding to the
source IP address of the ARP Request packet exists.
● If the corresponding ARP entry exists, the stack performs optimized ARP reply
to this ARP Request packet.
● If the corresponding ARP entry does not exist, the stack does not perform
optimized ARP reply to this ARP Request packet.

Procedure
1. Run system-view
The system view is displayed.
2. Run undo arp optimized-reply disable
The optimized ARP reply function is enabled.
By default, the optimized ARP reply function is enabled.
– The optimized ARP reply function does not take effect for ARP Request
packets with double VLAN tags.
– The optimized ARP reply function takes effect for ARP Request packets
sent by wireless users.
– The optimized ARP reply function takes effect only for the ARP Request
packets received by VLANIF interfaces. The optimized ARP reply function
does not take effect for the ARP Request packets sent from the VLANIF
interfaces of super VLANs and sub VLANs.
– The optimized ARP reply function does not take effect globally or on
VLANIF interfaces after you run any of the following commands:

▪ ip address ip-address { mask | mask-length } sub: configures

secondary IP addresses for VLANIF interfaces.

▪ arp anti-attack gateway-duplicate enable: enables the ARP

gateway anti-collision function.

▪ arp ip-conflict-detect enable: enables IP address conflict detection.

▪ arp anti-attack check user-bind enable: enables dynamic ARP

inspection.

▪ dhcp snooping arp security enable: enables egress ARP inspection.

▪ arp over-vpls enable: enables ARP proxy on the device located on a

VPLS network.

▪ arp-proxy enable: configures the routed ARP proxy function.

– After the optimized ARP reply function is enabled, the following functions
become invalid:

▪ ARP rate limiting based on source MAC addresses (configured using

the arp speed-limit source-mac command)

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 329

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

▪ ARP rate limiting based on source IP addresses (configured using the

arp speed-limit source-ip command)

▪ Global ARP rate limiting, ARP rate limiting in VLANs, as well as ARP
rate limiting on interfaces (configured using the arp anti-attack
rate-limit enable command)

7.7.8 Configuring Strict ARP Learning

Context
If many user hosts simultaneously send a large number of ARP packets to a
device, or attackers send bogus ARP packets to the device, the following problems
occur:
● Processing ARP packets consumes many CPU resources. The device learns
many invalid ARP entries, which exhaust ARP entry resources and prevent the
device from learning ARP entries for ARP packets from authorized users.
Consequently, communication of authorized users is interrupted.
● After receiving bogus ARP packets, the device incorrectly modifies the ARP
entries. As a result, authorized users cannot communicate with one another
other.

To avoid the preceding problems, configure the strict ARP learning function on the
gateway. This function allows the gateway to learn only ARP entries for ARP Reply
packets in response to ARP Request packets that it has sent. In this way, the
gateway can prevent most ARP attacks.

Strict ARP learning can be configured globally or in the interface view.

● If strict ARP learning is enabled globally, all interfaces on the device learn ARP
entries strictly.
● If strict ARP learning is enabled in the interface view, only this interface learns
ARP entries strictly.

When strict ARP learning is enabled globally and in the interface view
simultaneously, the configuration on the interface takes precedence over the
global configuration.

NOTE

When strict ARP learning is enabled globally:

● If you run the arp learning strict force-disable command on a specified interface,
strict ARP learning is forced to be disabled on the interface.
● If you run the arp learning strict trust command on a specified interface, strict ARP
learning configured globally takes effect on the interface.
The firewall installed on a PC may prevent the PC from sending ARP Reply packets after the
PC receives ARP Request packets, or the network adapter cannot reply with ARP Reply
packets. If a device with strict ARP learning enabled triggers an ARP Miss message, the PC
does not respond. As a result, the device cannot learn the PC's ARP entry. If this problem
occurs on only a few user hosts, configure static ARP entries (for details, see Configuring
Static ARP in "ARP Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10
Configuration Guide - IP Service) for the user hosts; if the problem occurs on most user
hosts, disable strict ARP learning on the device.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 330

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Procedure
● Configuring strict ARP learning globally
a. Run system-view
The system view is displayed.
b. Run arp learning strict
Strict ARP learning is enabled globally.
By default, strict ARP learning is disabled.
● Configuring strict ARP learning on an interface
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number
The interface view is displayed.
c. (Optional) On an Ethernet interface, run undo portswitch
The interface is switched to Layer 3 mode.
By default, an Ethernet interface works in Layer 2 mode.
NOTE

Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support switching between
Layer 2 and Layer 3 modes.
d. Run arp learning strict { force-enable | force-disable | trust }
Strict ARP learning on the interface is enabled.
By default, strict ARP learning is disabled on the interface.
----End

7.7.9 Configuring Interface-based ARP Entry Limiting

Context
To prevent ARP entries from being exhausted by ARP attacks from a host
connecting to an interface on the device, set the maximum number of ARP entries
that the interface can dynamically learn. When the number of ARP entries learned
by a specified interface reaches the maximum number, the interface cannot
dynamically learn new ARP entries.
Perform the following steps on the gateway.

Procedure
● Configuring ARP entry limiting on a Layer 2 interface
a. Run system-view
The system view is displayed.
b. Run interface interface-type interface-number

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 331

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

The interface view is displayed.

c. Run arp-limit vlan vlan-id1 [ to vlan-id2 ] maximum maximum

ARP entry limit on the Layer 2 interface is configured.

By default, the maximum number of ARP entries that an interface can

dynamically learn is the same as the number of ARP entries supported by
the device.
● Configuring ARP entry limiting on a Layer 3 interface or sub-interface
a. Run system-view

The system view is displayed.

b. Run interface interface-type interface-number [.subinterface-number ]

The interface view or sub-interface view is displayed.

c. (Optional) On an Ethernet interface, run undo portswitch

The interface is switched to Layer 3 mode.

By default, an Ethernet interface works in Layer 2 mode.

NOTE

Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support switching between
Layer 2 and Layer 3 modes.
d. Run arp-limit maximum maximum

ARP entry limit on a Layer 3 interface or sub-interface interface is

configured.

By default, the maximum number of ARP entries that an interface can

dynamically learn is the same as the number of ARP entries supported by
the device.

NOTE

Only the S5720EI, S5720HI and S6720EI/S6720S-EI support sub-interface.

----End

7.7.10 Disabling an Interface from Learning ARP Entries

Context
If a user host connected to an interface initiates an ARP attack, ARP resources of
the device may be exhausted. When a large number of dynamic ARP entries have
been learned by an interface, disable the interface from learning more ARP entries
on the gateway to ensure device security.

After dynamic ARP entry learning is disabled on an interface, the system will not
automatically delete the ARP entries that were learned previously on this
interface. Delete or retain these dynamic ARP entries as required.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 332

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

NOTICE

If dynamic ARP entry learning is disabled on an interface, traffic forwarding may

fail on this interface.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface vlanif interface-number

The VLANIF interface view is displayed.

Step 3 Run arp learning disable

The interface is disabled from learning ARP entries.

By default, an interface learns ARP entries dynamically.

----End

7.7.11 Verifying the ARP Flood Attack Defense Configuration

Procedure
● Run the display arp anti-attack configuration { arp-rate-limit | arp-speed-
limit | entry-check | arpmiss-rate-limit | arpmiss-speed-limit | gateway-
duplicate | log-trap-timer | packet-check | all } command to check the ARP
anti-attack configuration.(Only the S5720EI, S5720HI, S5720SI, S5720S-SI,
S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and
S6720S-EI support arpmiss-rate-limit, arpmiss-speed-limit and gateway-
duplicate.)
● Run the display arp-limit [ interface interface-type interface-number ]
[ vlan vlan-id ] command to check the maximum number of ARP entries that
an interface can learn.
● Run the display arp learning strict command to check strict ARP learning
globally and on all VLANIF interfaces.

----End

7.8 Configuring Defense Against ARP Spoofing Attacks

If an attacker sends bogus ARP packets to a network device or user host, the
device or host modifies the local ARP entries, leading to packet forwarding
failures. The function of defense against ARP spoofing attacks can prevent such
attacks.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 333

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Pre-configuration Tasks
Before configuring defense against ARP spoofing attacks, connect interfaces and
set physical parameters for the interfaces to ensure that the physical status of the
interfaces is Up.

Configuration Procedure
Operations in the configuration procedure can be performed in any sequence.

7.8.1 Configuring ARP Entry Fixing

Context
To defend against ARP address spoofing attacks, configure ARP entry fixing on the
gateway. The fixed-mac, fixed-all, and send-ack modes are applicable to
different scenarios and are mutually exclusive:
● fixed-mac: When receiving an ARP packet, the device discards the packet if
the MAC address does not match that in the corresponding ARP entry. If the
MAC addresses match but the interface number or VLAN ID does not match
that in the ARP entry, the device updates the interface number or VLAN ID in
the ARP entry. This mode applies to networks where user MAC addresses are
unchanged but user access locations often change. When a user connects to a
different interface on the device, the device updates interface information in
the ARP entry of the user timely.
● fixed-all: When the MAC address, interface number, and VLAN ID of an ARP
packet match those in the corresponding ARP entry, the device updates other
information about the ARP entry. This mode applies to networks where user
MAC addresses and user access locations are fixed.
● send-ack: When the device receives an ARP packet with a changed MAC
address, interface number, or VLAN ID, it does not immediately update the
corresponding ARP entry. Instead, the device sends a unicast ARP Request
packet to the user with the IP address mapped to the original MAC address in
the ARP entry. The device then determines whether to change the MAC
address, VLAN ID, or interface number in the ARP entry depending on the
response from the user. This mode applies to networks where user MAC
addresses and user access locations often change.
You can configure ARP entry fixing globally or on the VLANIF interface.
● If ARP entry fixing is enabled globally, all interfaces have this function
enabled by default.
● If ARP entry fixing is enabled globally and on a VLANIF interface
simultaneously, the configuration on the VLANIF interface takes precedence
over the global configuration.

Procedure
Step 1 Configure ARP entry fixing globally
1. Run system-view
The system view is displayed.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 334

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

2. Run arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

ARP entry fixing is enabled.

By default, ARP entry fixing is disabled.

Step 2 Configure ARP entry fixing on an interface

1. Run system-view

The system view is displayed.

2. Run interface vlanif vlan-id

The VLANIF interface view is displayed.

3. Run arp anti-attack entry-check { fixed-mac | fixed-all | send-ack } enable

ARP entry fixing is enabled.

By default, ARP entry fixing is disabled.

----End

7.8.2 Configuring DAI

Context
Configuring DAI on an access device can prevent MITM attacks and theft on
authorized users' information. After DAI is configured, the device compares the
source IP address, source MAC address, VLAN ID, and interface number in the
received ARP packet with binding entries. If the ARP packet matches a binding
entry, the device considers the ARP packet valid and allows the packet to pass
through. If the ARP packet does not match a binding entry, the device considers
the ARP packet invalid and discards the packet.

You can enable DAI in the interface view or the VLAN view. When DAI is enabled
in an interface view, the device checks all ARP packets received on the interface
against binding entries. When DAI is enabled in the VLAN view, the device checks
the ARP packets received on all interfaces belonging to the VLAN against binding
entries.

If you want to receive an alarm when a large number of ARP packets are
generated, enable the alarm function for the ARP packets discarded by DAI. After
the alarm function is enabled, the device will generate an alarm when the number
of discarded ARP packets exceeds a specified threshold.

NOTE

When ARP learning triggered by DHCP is enabled on the gateway, DAI can be enabled on
the gateway.
This function is available only for DHCP snooping scenarios. The device enabled with DHCP
snooping generates DHCP snooping binding entries when DHCP users go online. If a user
uses a static IP address, you need to manually configure a static binding entry for the user.
For details about the DHCP snooping configuration, see 9 DHCP Snooping Configuration.
For details on how to configure a static binding entry, see 12.7.1 Configuring IPSG Based
on a Static Binding Table.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 335

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number or,vlan vlan-id

The interface view or VLAN view is displayed.

Step 3 Run arp anti-attack check user-bind enable

DAI is enabled.

When resources are sufficient, DAI can be enabled in a maximum of 10 VLANs.

By default, DAI is disabled.

Step 4 (Optional) In the interface view, run arp anti-attack check user-bind check-item
{ ip-address | mac-address | vlan } *

or in the VLAN view, run arp anti-attack check user-bind check-item { ip-
address | mac-address | interface } *

Items for checking ARP packets based on binding entries are configured.

By default, the check items consist of IP address, MAC address, VLAN ID, and
interface number.

To allow some special ARP packets that match only one or two items in binding
entries to pass through, configure the device to check ARP packets according to
one or two specified items in binding entries.

NOTE

The IP addresses in binding entries can be IPv4 or IPv6 addresses. When the device
compares IP addresses in ARP packets with binding entries, both IPv4 and IPv6 addresses
are checked.
Items for checking ARP packets based on binding entries do not take effect on user hosts
that are configured with static binding entries. These hosts check ARP packets based on all
items in static binding entries.
When DAI is enabled in a VLAN and on an interface that belongs to the VLAN
simultaneously, the device checks the ARP packet based on the check items configured on
the interface. If the ARP packet passes the check, the device checks the packet again based
on the check items configured in the VLAN.

Step 5 (Optional) In the interface view, run arp anti-attack check user-bind alarm
enable

The alarm function for ARP packets discarded by DAI is enabled.

By default, the alarm function for ARP packets discarded by DAI is disabled.

NOTE

This type of alarm is generated for the ARP packets discarded by DAI on interfaces. Do not
run the arp anti-attack check user-bind enable command in a VLAN and the arp anti-
attack check user-bind alarm enable command on an interface in this VLAN at the same
time. Otherwise, the actual number of discarded ARP packets in the VLAN is different from
the number of discarded packets on the interface.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 336

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Step 6 (Optional) In the interface view, run arp anti-attack check user-bind alarm
threshold threshold
The alarm threshold of ARP packets discarded by DAI is set.
By default, the threshold on an interface is consistent with the threshold set by the
arp anti-attack check user-bind alarm threshold threshold command in the
system view. If the alarm threshold is not set in the system view, the default
threshold on the interface is 100.
Step 7 Configure a trusted interface.
Configure the interface directly or indirectly connected to the authorized DHCP
server as a trusted interface, otherwise, the return packets are discarded because
they do not match the binding entries and service interruptions will occur. After
the upstream interface is configured as a trusted interface, the switch forwards the
packets received by the interface without checking them against the binding
entries.
1. Run the dhcp enable command to enable DHCP globally.
By default, DHCP is disabled globally.
2. Run the dhcp snooping enable command to enable DHCP snooping globally.
By default, DHCP snooping is disabled globally.
3. Run interface interface-type interface-number or,vlan vlan-id
The interface view or VLAN view is displayed.
4. Run the dhcp snooping enable command to enable DHCP snooping in the
VLAN or on the interface.
By default, DHCP snooping is disabled in VLANs or on interfaces.
5. Run the dhcp snooping trusted command in the interface view or the dhcp
snooping trusted interface interface-type interface-number command in the
VLAN view to configure the interface as a trusted interface.
By default, an interface is untrusted.

----End

7.8.3 Configuring ARP Gateway Anti-Collision

Context
If an attacker forges the gateway address to send ARP packets with the source IP
address being the IP address of the gateway on the LAN, ARP entries on hosts in
the LAN record the incorrect gateway address. As a result, all traffic from user
hosts to the gateway is sent to the attacker and the attacker intercepts user
information. Communication of users is interrupted.
To prevent bogus gateway attacks, enable ARP gateway anti-collision on the
gateway. The gateway considers that a gateway collision occurs when a received
ARP packet meets either of the following conditions:
● The source IP address in the ARP packet is the same as the IP address of the
VLANIF interface matching the physical inbound interface of the packet.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 337

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

● The source IP address in the ARP packet is the virtual IP address of the
inbound interface but the source MAC address in the ARP packet is not the
virtual MAC address of the VRRP group.
The device generates an ARP anti-collision entry and discards the received packets
with the same source MAC address and VLAN ID in a specified period. This
function prevents ARP packets with the bogus gateway address from being
broadcast in a VLAN.

NOTE

Only the S5720HI, S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-LI,
S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this function.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run arp anti-attack gateway-duplicate enable
ARP gateway anti-collision is enabled.
By default, ARP gateway anti-collision is disabled.

----End

7.8.4 Configuring Gratuitous ARP Packet Sending

Context
If an attacker forges the gateway address to send ARP packets to other user hosts,
ARP entries on the hosts record the incorrect gateway address. As a result, the
gateway cannot receive data sent from the hosts. You can enable gratuitous ARP
packet sending on the gateway. Then the gateway sends gratuitous ARP packets
at intervals to update the ARP entries of authorized users so that the ARP entries
contain the correct MAC address of the gateway.
You can configure gratuitous ARP packet sending globally or on a VLANIF
interface.
● If gratuitous ARP packet sending is enabled globally, all interfaces have this
function enabled by default.
● If gratuitous ARP packet sending is enabled globally and on a VLANIF
interface simultaneously, the configuration on the VLANIF interface takes
precedence over the global configuration.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run interface vlanif interface-number
The VLANIF interface view is displayed.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 338

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

NOTE

If you intend to configure gratuitous ARP packet sending in the system view, skip this step.

Step 3 Run arp gratuitous-arp send enable

Gratuitous ARP packet sending is enabled.

By default, gratuitous ARP packet sending is disabled.

Step 4 (Optional) Run arp gratuitous-arp send interval interval-time

The interval for sending gratuitous ARP packets is set.

By default, the interval for sending gratuitous ARP packets is 60 seconds.

----End

7.8.5 Configuring ARP Gateway Protection

Context
If an attacker poses as a gateway to send ARP packets, other users on the network
consider the attacker to be a gateway, causing a communication interruption
between authorized users and gateway. This situation will also happen if a user
incorrectly sets the host IP address as the gateway address. To prevent such bogus
gateway attacks, configure ARP gateway protection on the device's interfaces
connected to the gateway. When the ARP packets from a gateway address reach a
device:
● The interfaces with gateway protection enabled can receive and forward the
ARP packets.
● The interfaces without gateway protection enabled discard the ARP packets.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 Run arp trust source ip-address

ARP gateway protection is enabled and the protected gateway IP address is set.

By default, ARP gateway protection is disabled.

A maximum of 8 protected gateway addresses can be specified on each interface,

and 32 can be specified on the entire device. If the same gateway IP address is
specified on different interfaces, the system considers that multiple protected
gateway IP addresses have been configured.

----End

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 339

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.8.6 Configuring MAC Address Consistency Check in an ARP

Packet

Context
The MAC address consistency check function for ARP packets prevents attacks
from bogus ARP packets in which the source and destination MAC addresses are
different from those in the Ethernet frame header. This function is usually
configured on gateways.

This function enables the gateway to check the MAC address consistency in an
ARP packet before ARP learning. If the source and destination MAC addresses in
an ARP packet are different from those in the Ethernet frame header, the device
discards the packet as an attack. If the source and destination MAC addresses in
an ARP packet are the same as those in the Ethernet frame header, the device
performs ARP learning.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface interface-type interface-number

The interface view is displayed.

Step 3 (Optional) On an Ethernet interface, run undo portswitch

The interface is switched to Layer 3 mode.

By default, an Ethernet interface works in Layer 2 mode.

NOTE

Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support switching between Layer 2 and
Layer 3 modes.

Step 4 Run arp validate { source-mac | destination-mac } *

MAC address consistency check in an ARP packet is enabled. This function

compares the source and destination MAC addresses in ARP packets with those in
the Ethernet frame header.

By default, MAC address consistency check in an ARP packet is disabled.

NOTE

Sub-interfaces do not support the arp validate { source-mac | destination-mac }* command.

When receiving ARP packets, a sub-interface checks MAC address consistency based on the rule
configured on the primary interface.
VLANIF interfaces do not support the arp validate { source-mac | destination-mac }*
command. When receiving ARP packets, a VLANIF interface checks MAC address consistency
based on the rule configured on the member interface.

----End

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 340

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.8.7 Configuring ARP Packet Validity Check

Context
To avoid ARP attacks, you can enable ARP packet validity check on an access
device or a gateway to filter out ARP packets with invalid IP addresses or MAC
addresses. The device checks validity of an ARP packet based on each or any
combination of the following items:
● Source and destination IP addresses: The device checks the source and
destination IP addresses in an ARP packet. If the source or destination IP
address is all 0s, all 1s, or a multicast IP address, the device discards the
packet as an invalid packet. The device checks both the source and
destination IP addresses in an ARP Reply packet but checks only the source IP
address in an ARP Request packet.
● Source MAC address: The device compares the source MAC address in an ARP
packet with that in the Ethernet frame header. If they are the same, the
packet is valid. If they are different, the device discards the packet.
● Destination MAC address: The device compares the destination MAC address
in an ARP packet with that in the Ethernet frame header. If they are the same,
the packet is valid. If they are different, the device discards the packet.

NOTE

Generally, packets with different source and destination MAC addresses in the ARP packet and
Ethernet frame header are allowed by the ARP protocol. When an attack occurs, capture and
analyze packets. If the attack is initiated by using inconsistent source MAC addresses in the ARP
packet and Ethernet frame header, enable ARP packet validity check based on the source MAC
address.

Procedure
Step 1 Run system-view
The system view is displayed.

Step 2 Run arp anti-attack packet-check { ip | dst-mac | sender-mac }*

ARP packet validity check is enabled and check items are specified.
By default, ARP packet validity check is disabled.

If you run the arp anti-attack packet-check { ip | dst-mac | sender-mac } *

command multiple times, all the check items specified in these commands take
effect.

----End

7.8.8 Configuring Strict ARP Learning

Context
If many user hosts simultaneously send a large number of ARP packets to a
device, or attackers send bogus ARP packets to the device, the following problems
occur:

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 341

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

● Processing ARP packets consumes many CPU resources. The device learns
many invalid ARP entries, which exhaust ARP entry resources and prevent the
device from learning ARP entries for ARP packets from authorized users.
Consequently, communication of authorized users is interrupted.
● After receiving bogus ARP packets, the device incorrectly modifies the ARP
entries. As a result, authorized users cannot communicate with one another
other.

To avoid the preceding problems, configure the strict ARP learning function on the
gateway. This function allows the gateway to learn only ARP entries for ARP Reply
packets in response to ARP Request packets that it has sent. In this way, the
gateway can prevent most ARP attacks.

Strict ARP learning can be configured globally or in the interface view.

● If strict ARP learning is enabled globally, all interfaces on the device learn ARP
entries strictly.
● If strict ARP learning is enabled in the interface view, only this interface learns
ARP entries strictly.

When strict ARP learning is enabled globally and in the interface view
simultaneously, the configuration on the interface takes precedence over the
global configuration.

NOTE

When strict ARP learning is enabled globally:

● If you run the arp learning strict force-disable command on a specified interface,
strict ARP learning is forced to be disabled on the interface.
● If you run the arp learning strict trust command on a specified interface, strict ARP
learning configured globally takes effect on the interface.
The firewall installed on a PC may prevent the PC from sending ARP Reply packets after the
PC receives ARP Request packets, or the network adapter cannot reply with ARP Reply
packets. If a device with strict ARP learning enabled triggers an ARP Miss message, the PC
does not respond. As a result, the device cannot learn the PC's ARP entry. If this problem
occurs on only a few user hosts, configure static ARP entries (for details, see Configuring
Static ARP in "ARP Configuration" in the S1720, S2700, S5700, and S6720 V200R011C10
Configuration Guide - IP Service) for the user hosts; if the problem occurs on most user
hosts, disable strict ARP learning on the device.

Procedure
● Configuring strict ARP learning globally
a. Run system-view

The system view is displayed.

b. Run arp learning strict

Strict ARP learning is enabled globally.

By default, strict ARP learning is disabled.

● Configuring strict ARP learning on an interface
a. Run system-view

The system view is displayed.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 342

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

b. Run interface interface-type interface-number

The interface view is displayed.

c. (Optional) On an Ethernet interface, run undo portswitch

The interface is switched to Layer 3 mode.

By default, an Ethernet interface works in Layer 2 mode.

NOTE

Only the S5720HI, S5720EI, S6720EI, and S6720S-EI support switching between
Layer 2 and Layer 3 modes.
d. Run arp learning strict { force-enable | force-disable | trust }

Strict ARP learning on the interface is enabled.

By default, strict ARP learning is disabled on the interface.

----End

7.8.9 Configuring ARP Learning Triggered by DHCP

Context
When many DHCP users connect to a network device, the device needs to learn
and maintain many ARP entries. This affects device performance.

To address this issue, configure ARP learning triggered by DHCP on the gateway.
When the DHCP server allocates an IP address for a user, the gateway generates
an ARP entry for the user based on the DHCP ACK packet received on the VLANIF
interface.

NOTE

Before configuring ARP learning triggered by DHCP, ensure that DHCP is enabled using the
dhcp enable command.
When both VRRP and DHCP relay are configured on the network, neither the dhcp
snooping enable command nor the arp learning dhcp-trigger command can be
configured on the VRRP master and backup devices.

You can also deploy DAI to prevent ARP entries of DHCP users from being
modified maliciously.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run interface vlanif vlan-id

The VLANIF interface view is displayed.

Step 3 Run arp learning dhcp-trigger

ARP learning triggered by DHCP is enabled.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 343

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

By default, ARP learning triggered by DHCP is disabled.

----End

7.8.10 Configuring ARP Proxy on a VPLS Network

Context
To prevent bogus ARP packets at the PW side from being broadcast to the AC side
on a VPLS network, enable ARP proxy over VPLS on a PE.

ARP packets at the PW side are sent to the CPU for processing.
● If the ARP packets are ARP Request packets and the destination IP addresses
in the packets match DHCP snooping binding entries, the device constructs
ARP Reply packets based on the DHCP snooping binding entries. The device
then sends the ARP Reply packets to the requester at the PW side.
● If the ARP packets are not ARP Request packets or the destination IP
addresses in the packets do not match a DHCP snooping binding entry, the
device forwards these ARP packets to the destination.

This function works with DHCP snooping over VPLS. For the configuration of
DHCP snooping over VPLS, see 9.6.1 Enabling DHCP Snooping.

NOTE

Only the S5720HI supports this function.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run arp over-vpls enable

ARP proxy is enabled on the device located on a VPLS network.

By default, ARP proxy is disabled on a device of a VPLS network.

----End

7.8.11 Verifying the ARP Spoofing Attack Defense

Configuration

Procedure
● Run the display arp anti-attack configuration { arp-rate-limit | arp-speed-
limit | entry-check | arpmiss-rate-limit | arpmiss-speed-limit | gateway-
duplicate | log-trap-timer | packet-check | all } command to check the ARP
anti-attack configuration.(Only the S5720EI, S5720HI, S5720SI, S5720S-SI,
S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, S6720S-SI, S6720EI, and
S6720S-EI support arpmiss-rate-limit, arpmiss-speed-limit and gateway-
duplicate.)

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 344

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

● Run the display arp anti-attack configuration check user-bind [ vlan

[ vlan-id ] | interface [ interface-type interface-number ] ] command to check
DAI configuration in a VLAN or on an interface.
● Run the display arp learning strict command to check strict ARP learning
globally and on all VLANIF interfaces.
● Run the display arp anti-attack gateway-duplicate item command to check
the ARP gateway anti-collision entries.
NOTE

Only the S5720HI, S5720EI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-
LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.

----End

7.9 Maintaining ARP Security

7.9.1 Monitoring ARP Running Status

Procedure
● Run the display arp packet statistics command to display ARP packet
statistics.
● Run the display arp anti-attack statistics check user-bind interface
interface-type interface-number command to display statistics on discarded
ARP packets that do not match any binding entry on an interface.
● Run the display arp anti-attack packet-check statistics command to display
statistics on invalid ARP packets that are filtered out in ARP packet validity
check.
● Run the display arp anti-attack arpmiss-record-info [ ip-address ]
command to display information recorded for ARP Miss rate limiting.
NOTE

Only the S5720EI, S5720HI, S5720SI, S5720S-SI, S5730SI, S5730S-EI, S6720LI, S6720S-
LI, S6720SI, S6720S-SI, S6720EI, and S6720S-EI support this command.
● Run the display arp optimized-reply status command to display the status
of the optimized ARP reply function.
● Run the display arp optimized-reply statistics [ slot slot-id ] command to
display statistics on optimized ARP Reply packets.
----End

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 345

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.9.2 Clearing ARP Security Statistics

Context

NOTICE

ARP security statistics cannot be restored after being cleared. Confirm the action
before you use the command.

To clear ARP security statistics, run the following commands in the user view:

Procedure
● Run the reset arp packet statistics command to clear ARP packet statistics.
● Run the reset arp anti-attack statistics check user-bind interface interface-
type interface-number command to clear statistics on ARP packets discarded
for not matching binding entries.
● Run the reset arp anti-attack statistics rate-limit command to clear
statistics on ARP packets discarded when the number of ARP packets exceeds
the limit.
● Run the reset arp optimized-reply statistics [ slot slot-id ] command to
clear statistics on optimized ARP Reply packets.

----End

7.9.3 Configuring the Alarm Function for Potential ARP

Attacks

Context
After rate limiting on ARP packets based on the source IP address is enabled, if the
number of ARP packets the device receives per second exceeds the limit, the
device discards the excess ARP packets. The device considers the excess ARP
packets as potential attacks. The device sends ARP alarms indicating potential
attacks to the NMS. To avoid excessive alarms when ARP attacks occur, reduce the
alarm quantity by setting a proper interval for sending alarms.

NOTE

The configuration takes effect only on the alarm for ARP rate limit based on source IP addresses
(corresponding to arp speed-limit source-ip). The other ARP alarms are generated at a fixed
interval of 5 seconds.

Procedure
Step 1 Run the system-view command to enter the system view.

Step 2 Run the arp anti-attack log-trap-timer time command to set the interval for
sending ARP alarms.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 346

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

The default interval for sending alarms is 0, indicating that the device does not
send ARP alarms.

----End

7.10 Configuration Examples for ARP Security

7.10.1 Example for Configuring ARP Security Functions

Networking Requirements
As shown in Figure 7-11, the switch functioning as the gateway connects to a
server through GE0/0/3 and connects to four users in VLAN 10 and VLAN 20
through GE0/0/1 and GE0/0/2. The following ARP threats exist on the network:
● Attackers send bogus ARP packets or bogus gratuitous ARP packets to the
switch. ARP entries on the switch are modified, leading to packet sending and
receiving failures.
● Attackers send a large number of IP packets with unresolvable destination IP
addresses to the switch, leading to CPU overload.
● User1 sends a large number of ARP packets with fixed MAC addresses but
variable source IP addresses to the switch. As a result, ARP entries on the
switch are exhausted and the CPU cannot process other services.
● User3 sends a large number of ARP packets with fixed source IP addresses to
the switch. As a result, the CPU of the switch is insufficient to process other
services.
The administrator wants to prevent the preceding ARP attacks and provide users
with stable services on a secure network.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 347

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Figure 7-11 Networking for configuring ARP security functions

VLAN 30
VLANIF 30
10.10.10.3/24
10.10.10.2/24 Switch
GE0/0/3
Gateway

GE0/0/1 GE0/0/2
Server
VLANIF 10 VLANIF 20
10.8.8.4/24 10.9.9.4/24

VLAN10 VLAN20

User1 User2 User3 User4

10.8.8.2/24 10.8.8.3/24 10.9.9.2/24 10.9.9.3/24
1-1-1 2-2-2 3-3-3 4-4-4

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure strict ARP learning and ARP entry fixing to prevent ARP entries
from being modified by bogus ARP packets.
2. Configure rate limiting on ARP Miss messages based on source IP addresses.
This function defends against attacks from ARP Miss messages triggered by a
large number of IP packets (ARP Miss packets) with unresolvable IP addresses.
At the same time, the switch must have the capability to process a large
number of ARP Miss packets from the server to ensure network
communication.
3. Configure ARP entry limiting and rate limiting on ARP packets based on
source MAC addresses. These functions defend against ARP flood attacks
caused by a large number of ARP packets with fixed MAC addresses but
variable IP addresses and prevent ARP entries from being exhausted and CPU
overload.
4. Configure rate limiting on ARP packets based on source IP addresses. This
function defends against ARP flood attacks from User3 with a fixed IP address
and prevents CPU overload.

Procedure
Step 1 Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.

# Create VLAN 10, VLAN 20, VLAN 30, and add GE0/0/1 to VLAN 10, GE0/0/2 to
VLAN 20, and GE0/0/3 to VLAN 30.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 348

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 30
[Switch-GigabitEthernet0/0/3] quit

# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.8.8.4 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.9.9.4 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.10.10.3 24
[Switch-Vlanif30] quit

Step 2 Configure strict ARP learning.

[Switch] arp learning strict

Step 3 Configure ARP entry fixing.

# Set the ARP entry fixing mode to fixed-mac.
[Switch] arp anti-attack entry-check fixed-mac enable

Step 4 Configure rate limiting on ARP Miss messages based on source IP addresses.
# Set the maximum rate of ARP Miss messages triggered by the server (IP address
10.10.10.2) to 40 pps, and set the maximum rate of ARP Miss messages triggered
by other user hosts to 20 pps.
[Switch] arp-miss speed-limit source-ip maximum 20
[Switch] arp-miss speed-limit source-ip 10.10.10.2 maximum 40

Step 5 Configure interface-based ARP entry limiting.

# Configure GE0/0/1 to dynamically learn a maximum of 20 ARP entries.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20
[Switch-GigabitEthernet0/0/1] quit

Step 6 Configure rate limiting on ARP packets based on source MAC addresses.
# Set the maximum rate of ARP packets from User1 with the source MAC address
1-1-1 to 10 pps.
[Switch] arp speed-limit source-mac 1-1-1 maximum 10

Step 7 Configure rate limiting on ARP packets based on source IP addresses.

# Set the maximum rate of ARP packets from User3 with the source IP address
10.9.9.2 to 10 pps.
[Switch] arp speed-limit source-ip 10.9.9.2 maximum 10

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 349

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

Step 8 Verify the configuration.

# Run the display arp learning strict command to check the global configuration
of strict ARP entry learning.
[Switch] display arp learning strict
The global configuration:arp learning strict
Interface LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
Total:0
Force-enable:0
Force-disable:0

# Run the display arp-limit command to check the maximum number of ARP
entries that the interface can dynamically learn.
[Switch] display arp-limit interface gigabitethernet 0/0/1
Interface LimitNum VlanID LearnedNum(Mainboard)
---------------------------------------------------------------------------
GigabitEthernet0/0/1 20 10 0
---------------------------------------------------------------------------
Total:1

# Run the display arp anti-attack configuration all command to check the
configuration of ARP anti-attack.
[Switch] display arp anti-attack configuration all
......
ARP anti-attack entry-check mode:
Vlanif Mode
-------------------------------------------------------------------------------
All fixed-mac
-------------------------------------------------------------------------------
......
ARP speed-limit for source-MAC configuration:
MAC-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
0001-0001-0001 10
Others 0

-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 1, spec is 512.

ARP speed-limit for source-IP configuration:

IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.9.9.2 10
Others 0
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 512.

ARP miss speed-limit for source-IP configuration:

IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.10.10.2/32 40
Others 20
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 512.

# Run the display arp packet statistics command to check statistics on ARP-
based packets.
[Switch] display arp packet statistics
ARP Pkt Received: sum 8678904
ARP-Miss Msg Received: sum 183
ARP Learnt Count: sum 37
ARP Pkt Discard For Limit: sum 146
ARP Pkt Discard For SpeedLimit: sum 40529

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 350

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

ARP Pkt Discard For Proxy Suppress: sum 0

ARP Pkt Discard For Other: sum 8367601
ARP-Miss Msg Discard For SpeedLimit: sum 20
ARP-Miss Msg Discard For Other: sum 104

In the preceding command output, the numbers of ARP packets and ARP Miss
messages discarded by the switch are displayed, indicating that the ARP security
functions have taken effect.

----End

Configuration File
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
arp learning strict
#
arp-miss speed-limit source-ip 10.10.10.2 maximum 40
arp speed-limit source-ip 10.9.9.2 maximum 10
arp speed-limit source-mac 0001-0001-0001 maximum 10
arp anti-attack entry-check fixed-mac enable
#
arp-miss speed-limit source-ip maximum 20
#
interface Vlanif10
ip address 10.8.8.4 255.255.255.0
#
interface Vlanif20
ip address 10.9.9.4 255.255.255.0
#
interface Vlanif30
ip address 10.10.10.3 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
arp-limit vlan 10 maximum 20
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
return

7.10.2 Example for Configuring Defense Against ARP MITM

Attacks

Networking Requirements
As shown in Figure 7-12, SwitchA connects to the DHCP server through GE0/0/4,
connects to DHCP clients UserA and UserB through GE0/0/1 and GE0/0/2, and
connects to UserC configured with a static IP address through GE0/0/3. GE0/0/1,
GE0/0/2, GE0/0/3, and GE0/0/4 on SwitchA all belong to VLAN 10. The

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 351

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

administrator wants to prevent ARP MITM attacks and theft on authorized user
information, and learn the frequency and range of ARP MITM attacks.

Figure 7-12 Networking diagram for defending against ARP MITM attacks
SwitchB

DHCP Server

GE0/0/4

SwitchA

GE0/0/1
GE0/0/2 GE0/0/3

UserA UserB UserC

IP:10.0.0.2/24
DHCP Client DHCP Client
MAC:1-1-1
VLAN ID:10

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DAI so that SwitchA compares the source IP address, source MAC
address, interface number, and VLAN ID of the ARP packet with DHCP
snooping binding entries. This prevents ARP MITM attacks.
2. Enable the alarm function for the ARP packets discarded by DAI so that
SwitchA collects statistics on ARP packets that do not match a DHCP
snooping binding entry and generates alarms when the number of discarded
ARP packets exceeds the alarm threshold. The administrator learns the
frequency and range of the current ARP MITM attacks based on the alarms
and the number of discarded ARP packets.
3. Enable DHCP snooping and configure a static binding table to make DAI take
effect.

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Create VLAN 10, and add GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 352

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

[SwitchA] interface gigabitethernet 0/0/1

[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type access
[SwitchA-GigabitEthernet0/0/3] port default vlan 10
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/4] quit

Step 2 Enable DAI and the packet discarding alarm function.

# Enable DAI and the packet discarding alarm function on GE0/0/1, GE0/0/2, and
GE0/0/3. GE0/0/1 is used as an example. Configurations of GE0/0/2 and GE0/0/3
are similar to the configuration of GE0/0/1, and are not mentioned here.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[SwitchA-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable
[SwitchA-GigabitEthernet0/0/1] quit

Step 3 Configure DHCP snooping.

# Enable DHCP snooping globally.

[SwitchA] dhcp enable
[SwitchA] dhcp snooping enable

# Enable DHCP snooping in VLAN 10.

[SwitchA] vlan 10
[SwitchA-vlan10] dhcp snooping enable
[SwitchA-vlan10] quit

# Configure GE0/0/4 as a trusted interface.

[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] dhcp snooping trusted
[SwitchA-GigabitEthernet0/0/4] quit

# Configure a static binding table.

[SwitchA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface gigabitethernet
0/0/3 vlan 10

Step 4 Verify the configuration.

# Run the display arp anti-attack configuration check user-bind interface

command to check the DAI configuration on each interface. GE0/0/1 is used as an
example.
[SwitchA] display arp anti-attack configuration check user-bind interface gigabitethernet 0/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable

# Run the display arp anti-attack statistics check user-bind interface command
to check the number of ARP packets discarded based on DAI. GE0/0/1 is used as
an example.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 353

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

[SwitchA] display arp anti-attack statistics check user-bind interface gigabitethernet 0/0/1
Dropped ARP packet number is 966
Dropped ARP packet number since the latest warning is 605

In the preceding command output, the number of discarded ARP packets on

GE0/0/1 is displayed, indicating that the defense against ARP MITM attacks has
taken effect.
When you run the display arp anti-attack statistics check user-bind interface
command for multiple times on each interface, the administrator can learn the
frequency and range of ARP MITM attacks based on the number of discarded ARP
packets.

----End

Configuration File
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface GigabitEthernet0/0/3 vlan 10
#
vlan 10
dhcp snooping enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted
#
return

7.11 FAQ About ARP Security

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 354

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.11.1 Why Cannot ARP Entries Be Dynamically Migrated on

the Switch?
If the VLAN IDs, MAC addresses, or interfaces in the ARP entries cannot be
migrated on the switch, check whether an ARP anti-attack policy is configured on
the switch, such as ARP entry fixing configured using the arp anti-attack entry-
check { fixed-mac | fixed-all | send-ack } enable command. ARP entries cannot
be dynamically migrated if this policy is applied.

7.11.2 Strict ARP Learning Is Enabled on the Switch, and a

User Has Learned the Switch's ARP Entry. Why Cannot the
Switch Learn the User ARP Entry by Pinging the User?
After strict ARP entry learning is enabled, the switch learns only from the Reply
packets sent in response to locally originated ARP Request packets.
The firewall installed on a PC may prevent the PC from sending ARP Reply packets
after the PC receives ARP Request packets, or the network adapter cannot reply
with ARP Reply packets. If either of these situations is the case, the switch cannot
receive the Response packet of the ARP Request packet it sends regardless of
whether the switch sends ping packets to the user or the user sends data packets
to the switch to trigger ARP Miss messages. Therefore, the switch cannot learn the
user's ARP entry.
If this problem happens on only a few users, configure static ARP entries for the
users; if the problem happens on most users, disable strict ARP learning on the
switch.

7.11.3 Why Cannot a DAI-enabled Switch Forward Valid ARP

Packets at Line Rate?
In earlier versions of V200R001, a DAI-enabled switch checks ARP packets based
on ACL rules delivered to the chip. Therefore, packets are directly forwarded at line
rate. In V200R001 and later versions, the DAI-enabled switch checks ARP packets
and forwards valid ARP packets using software. The forwarding rate depends on
the CIR value of the ARP packet and CPU usage.

7.11.4 DAI and EAI Are Enabled on a Switch. Why Can the
Switch Forward ARP Packets Sent by Unauthorized Users to
Request MAC Addresses of Authorized Users?
In earlier versions of V200R001, a DAI-enabled switch checks an incoming ARP
packet against the binding table based on ACL rules delivered to the chip. An EAI-
enabled switch sends the packet to the CPU, searches the outbound interface of
the packet in the binding table, and then forwards the packet using software. Both
DAI and EAI are Layer 2 functions, but the ACL rule for sending ARP packets to the
CPU delivered by EAI takes preference over that delivered by DAI. Therefore, DAI
does not check ARP packets and the ARP packets sent by unauthorized users to
request MAC addresses of authorized users can be normally forwarded.
In V200R001 and later versions, a DAI-enabled switch checks ARP packets using
software. This problem does not happen.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 355

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

7.11.5 DAI Is Enabled on a Switch, and the Source MAC

Address of an ARP Packet Is Checked Against the Source MAC
Address in an Ethernet Frame Header. An ARP Packet with its
Source MAC Address Different from that in the Ethernet
Frame Header Can Pass the Check. Why?
In earlier versions of V200R001, a DAI-enabled switch checks ARP packets based
on ACL rules delivered to the chip. However, the ARP packet must be sent to the
CPU, and the check of the source MAC address in the ARP packet and that in the
Ethernet frame header is performed by software. After the DAI check, the packet is
not sent to the CPU, so the source MAC address in the ARP packet and that in the
Ethernet frame header are not checked.

In V200R001 and later versions, a DAI-enabled switch checks ARP packets using
software. The ARP packet with its source MAC address different from that in the
Ethernet frame header is discarded.

7.11.6 Can the IP Address of a VLANIF Interface in a DAI-

enabled VLAN Be Successfully Pinged?
Dynamic ARP Inspection (DAI) is enabled in a VLAN or on a physical interface in
the VLAN, and VLANIF interfaces are configured in the VLAN. To successfully ping
the IP address of the VLANIF interface from the VLAN or the physical interface in
the VLAN, the source IP address of the ping packet must match an entry in the
static DHCP snooping binding table.

7.11.7 Why the S2752/S3700 CPU Usage Is Too High When

Many VLANIF Interfaces Are Configured on the S2752/S3700?
Do not configure many VLANIF interfaces on the S2752/S3700 due to limitations
on specifications and hardware performance. This prevents attacks to the CPU
from numerous ARP packets or ARP Miss messages and overhigh CPU usage.

Run the arp-fake expire-time 30 command in the view of each VLANIF interface
to configure ARP entries and reduce the CPU usage. Besides, you are advised to
load the latest patch.

7.11.8 How Can I Detect Whether ARP Attacks Are Occurring

on the Device?
An ARP attack may have the following symptoms:
● Network access speed is slow, users are disconnected, network access is
frequently interrupted, users cannot access the network, or services are
interrupted.
● The device has a high CPU usage or is disconnected from the NMS, the
attached devices are disconnected from the network, the device frequently
alternates between master and slave states, or its interface indicators blink
fast red.
● Ping responses are delayed, packets are lost, or the ping operation fails.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 356

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

When you locate an ARP attack, first check the links, loops, and routes. After
confirming that they are not the cause, perform the following steps. Saving the
results of each troubleshooting step is recommended. If your troubleshooting fails
to correct the fault, record your actions and provide the record to technical
support personnel.

1. Run the display cpu-defend statistics all command on the gateway to check
the count of dropped ARP Request, ARP Reply, or ARP Miss messages.
– If the count of dropped ARP packets is 0, go to step 2.
– If the count of dropped ARP packets is not 0, the rate of ARP packets has
exceeded the CPCAR rate limit and excess ARP packets are being
discarded.

▪ If a lot of ARP Miss messages are discarded, ARP Miss attacks may
occur on the device. For the detailed troubleshooting procedure, see
7.11.11 How Can I Handle an ARP Learning Failure Caused by
ARP Miss Messages?.

▪ If a lot of ARP Request or Reply packets are discarded, ARP Request

or Reply packet attacks may occur on the device. For the detailed
troubleshooting procedure, see 7.11.14 What Do I Do If the Device
Receives a Large Number of ARP Request or Reply Packets?.
2. Run the display arp all command on the gateway to check the user's ARP
entry.
– If the ARP entry exists, check whether the ARP entry of the user or
gateway has been modified.

▪ If the user's ARP entry on the gateway has been modified, ARP
spoofing gateway attacks are occurring on the device.
1) Obtain packet headers on the interface connecting the device to
the user, and locate the attack source according to the source
addresses of ARP Request packets.
2) Remove viruses or uninstall the attack tool after finding the
attacker. Configure the anti-attack function on the gateway
based on the site requirements.
○ Run the arp static command in the system view to
configure static ARP entries.
If a few users are connected to the device, you can
configure static ARP entries and bind the static ARP entry to
the MAC address and IP address to prevent the IP addresses
from being used by unauthorized users.
○ Run the arp anti-attack entry-check { fixed-mac | fixed-
all | send-ack } enable command in the system view or
interface view to configure fixed ARP.
○ fixed-mac: applies to the scenario where a user has a
fixed MAC address but the user's access location
frequently changes. When the user connects to the
device from different interfaces, the interface
information in the user's ARP entry on the device can
be updated in real time.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 357

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

○ fixed-all: applies to the scenario where a user has a

fixed MAC address and relatively unchanged access
location.
○ send-ack: applies to the scenario where a user's MAC
address and access location frequently change.
○ Configure the blacklist or a blackhole MAC address entry so
that packets from the attack source will be discarded.

▪ If the gateway ARP entry of the user is modified, ARP bogus gateway
attacks occur on the device.
1) Obtain packet headers on the interface connecting the device to
the user, and locate the attack source according to the source
addresses of ARP Request packets.
2) Remove viruses or uninstall the attack tool after finding the
attacker. Configure the anti-attack function on the gateway
based on the site requirements.
○ Configure interface isolation on the downlink interfaces of
the gateway to prevent users in the same VLAN from
receiving ARP attack packets.
○ Run the arp anti-attack gateway-duplicate enable
command in the system view to enable the ARP gateway
anti-collision function, and run the arp gratuitous-arp send
enable command to enable the device to send gratuitous
ARP packets so that the correct gateway address can be
sent to users.
○ Configure the blacklist or a blackhole MAC address entry so
that packets from the attack source will be discarded.

▪ If other users' ARP entries of the user are modified, go to the next
step.
○ Obtain packet headers on the interface connecting the device to
the user, and locate the attack source according to the source
addresses of ARP Request packets.
○ Remove viruses or uninstall the attack tool after finding the
attacker. Configure the anti-attack function on the access device
based on site requirements.
○ Run the arp anti-attack check user-bind enable command
in the interface or VLAN view to enable dynamic ARP
inspection. (The device matches ARP packets against the
binding table.)
Dynamic ARP inspection is used to prevent man-in-the-
middle attacks and theft on authorized user information.
NOTE

This function is applicable only when a binding table is configured.

The device enabled with DHCP snooping generates DHCP snooping
binding entries when DHCP users go online. If a user uses a static IP
address, you need to manually configure a static binding entry for the
user.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 358

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

○ Run the arp anti-attack packet-check { ip | dst-mac |

sender-mac } * command in the system view to enable ARP
packet validity check and specify check items.
○ Configure the blacklist or a blackhole MAC address entry so
that packets from the attack source will be discarded.
– If no ARP entry is displayed, perform the following step:
i. Run the debugging arp packet interface interface-type interface-
number command in the user view to enable the ARP packet
debugging function and check whether the device sends ARP Request
packets and receives ARP Reply packets.
NOTE

In the debugging information, the operation field indicates the protocol

type (1: ARP Request; 2: ARP Reply).
○ If the device does not send an ARP Request packet, rectify the
fault according to 7.11.11 How Can I Handle an ARP Learning
Failure Caused by ARP Miss Messages?.
○ If the device does not receive any ARP Reply packet, the ARP
Reply packets sent by the remote device may be discarded by
the CPCAR mechanism.
○ Run the display cpu-defend statistics packet-type arp-
reply all command in the user view to check whether the
Drop value of ARP Reply packets increases.
If the Drop value keeps increasing, run the car command in
the attack defense policy view to increase the CPCAR value
for ARP Reply packets.

NOTICE

Improper CPCAR settings will affect services on your

network. If you need to adjust CPCAR settings, you are
advised to contact technical support personnel for help.

The attack defense policy can take effect only after it is

applied.
○ Run the display arp anti-attack configuration arp-speed-
limit command in the user view to check that the ARP
packet rate limit is configured.
○ Run the arp speed-limit source-ip [ ip-address ]
maximum maximum command in the system view to
adjust the maximum rate of ARP packets based on
source IP addresses.
○ Run the arp speed-limit source-mac [ mac-address ]
maximum maximum command in the system view to
adjust the maximum rate of ARP packets based on
source MAC addresses.
○ Run the arp anti-attack rate-limit packet packet-
number command in the system view, VLAN view, or

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 359

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

interface view to adjust the maximum rate of ARP

packets.
In versions earlier than V200R003C00, the packet
parameter is not supported on the device and does not
need to be configured.
○ If the device receives ARP Reply packets, go to step 3.
ii. Check that the remote device receives the ARP Request packet and
sends an ARP Reply packet.
If the remote device is a Huawei device, perform the preceding
operations on the device. If the remote device is a non-Huawei
device, see the manual for the device.
3. If the fault persists, collect the following information and contact technical
support personnel:
– Result of the preceding procedure
– Configuration file, logs, and alarms of the device

7.11.9 Can the Device Be Deployed with the ARP Anti-Attack

Function?
Table 7-6 and Table 7-7 describe the ARP anti-attack function that can be
deployed on the device and provides the deployment position.

Table 7-6 Flood attack defense

ARP Anti-Attack Function Function Deployment

Description Position

Based on source Limits the rate of You are advised to

MAC addresses ARP packets, enable this
ensuring that the function on the
Based on source device has gateway.
IP addresses sufficient CPU NOTE
Globally, in a resources to When an access
process other device is enabled
VLAN, and on an with MAC-Forced
interface services when
Forwarding (MFF),
receiving a large the MFF module
number of ARP may forward too
packets. many ARP packets
Rate limit on ARP
with the
packets destination IP
address different
from the IP address
of the interface
receiving these
packets, which
leads to CPU
overload. To
resolve this
problem, limit the
rate of ARP packets
globally, in a VLAN,
or on an interface.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 360

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

ARP Anti-Attack Function Function Deployment

Description Position

Based on source Limits the rate of You are advised to

IP addresses ARP Miss enable this
messages to function on the
Globally, in a defend against gateway.
Rate limit on ARP VLAN, and on an attacks from a
Miss messages interface large number of
IP packets with
unresolvable
destination IP
addresses.

ARP reply optimization This function You are advised to

improves the configure this
stack's capability function on the
of defending stack that is used
against ARP flood as the gateway.
attacks. After ARP
reply optimization
is configured, the
standby/slave
switch directly
returns an ARP
Reply packet
when receiving an
ARP Request
packet of which
the destination IP
address is the
local interface
address.

Strict ARP learning Allows the device You are advised to

to learn only ARP enable this
entries for ARP function on the
Reply packets in gateway.
response to ARP
Request packets
sent by itself. This
prevents ARP
entries from being
exhausted by
invalid ARP
packets.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 361

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

ARP Anti-Attack Function Function Deployment

Description Position

ARP entry limitation Limits the You are advised to

maximum enable this
number of function on the
dynamic ARP gateway.
entries that can
be learned by the
device, preventing
ARP entries from
being exhausted
when a host
connected to the
interface attacks
the device.

Disabling ARP learning on interfaces Disables an You are advised to

interface from enable this
learning ARP function on the
entries, gateway.
preventing ARP
entries from being
exhausted when a
host connected to
the interface
attacks the device.

Table 7-7 Spoofing attack defense

ARP Anti-Attack Function Description Deployment Position
Function

Fixed ARP After the device with this You are advised to
function enabled learns enable this function on
an ARP entry for the first the gateway.
time, it does not modify
the ARP entry, but only
updates part of the
entry, or sends an ARP
Request packet to check
validity of the ARP
packet for updating the
entry.
The device supports
three ARP entry fixing
modes: fixed-all, fixed-
mac, and send-ack.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 362

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

ARP Anti-Attack Function Description Deployment Position

Function

Dynamic ARP inspection Allows a device to You are advised to

compare the source IP enable this function on
address, source MAC an access device.
address, interface NOTE
number, and VLAN ID of When ARP learning
an ARP packet with triggered by DHCP is
DHCP snooping binding enabled on the gateway,
this function can be
entries. If an entry is
enabled on the gateway.
matched, the device
considers the ARP packet
valid and allows the
packet to pass through.
If no entry is matched,
the device considers the
ARP packet invalid and
discards the packet.
This function is available
only for DHCP snooping
scenarios.

ARP gateway anti- Prevents gateway ARP You are advised to

collision entries on hosts from enable this function on
being modified by the gateway.
attackers using bogus
gateway IP addresses.

Gratuitous ARP packet Allows the device used You are advised to
sending as the gateway to enable this function on
periodically send ARP the gateway.
Request packets whose
destination IP address is
the device IP address to
update the gateway
MAC address in ARP
entries. This function
ensures that packets of
authorized users are
forwarded to the
gateway and prevents
hackers from
intercepting these
packets.

MAC address consistency Defends against attacks You are advised to

check in an ARP packet from bogus ARP packets enable this function on
in which the source and the gateway.
destination MAC
addresses are different
from those in the
Ethernet frame header.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 363

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

ARP Anti-Attack Function Description Deployment Position

Function

ARP packet validity Allows the device to You are advised to

check filter out packets with enable this function on
invalid MAC addresses or the gateway or an access
IP addresses. The device device.
checks ARP packets
based on the source
MAC address, destination
MAC address, or IP
address.

Strict ARP learning Allows the device to You are advised to

learn only ARP entries enable this function on
for ARP Reply packets in the gateway.
response to ARP Request
packets sent by itself.
This prevents the device
from incorrectly
updating ARP entries for
the received bogus ARP
packets.

ARP learning triggered Allows the device to You are advised to

by DHCP generate ARP entries enable this function on
based on received DHCP the gateway.
ACK packets. When there
are a large number of
DHCP users, the device
needs to learn many ARP
entries and age them,
affecting device
performance. This
function prevents this
problem.
You can also deploy DAI
to prevent ARP entries of
DHCP users from being
modified maliciously.

7.11.10 What Is ARP Miss?

The device sends an ARP Miss message when the routing table contains the
routing entry that maps the destination IP address of an IP packet, but does not
contain the ARP entry that maps the next hop of the routing entry.
The IP packet that triggers the ARP Miss message is sent to the CPU for
processing. The device generates and delivers a temporary ARP entry based on the
ARP Miss message, and sends an ARP Request packet to the destination network.
If a host sends a large number of IP packets with unresolvable destination IP
addresses (the device has a route to the destination IP address of a packet but has

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 364

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

no ARP entry matching the next hop of the route) to a device, the device sends a
large number of ARP Miss messages and many ARP Request packets to the
destination network, consuming considerable CPU and bandwidth resources.

7.11.11 How Can I Handle an ARP Learning Failure Caused by

ARP Miss Messages?
Such an ARP learning failure is caused by one of the following:
● Because of a small rate limit for ARP Miss messages, the device discards
normal ARP Miss messages and cannot send ARP Request packets to
destination networks according to the ARP Miss messages.
● Because of a small CPCAR value for ARP Miss packets, the device discards
normal ARP Miss packets and cannot send ARP Request packets to
destination networks.
● As the attacker sends lots of network segment scanning packets to the device,
the device triggers a large number of ARP Miss messages, consuming
considerable CPU resources. As a result, the device cannot process normal ARP
Miss messages.

Perform the following steps to rectify the fault. Saving the results of each
troubleshooting step is recommended. If your troubleshooting fails to correct the
fault, record your actions and provide the record to technical support personnel.

1. Run the display arp all command in the user view to check ARP entries.
If the MAC address field in an ARP entry displays Incomplete, the device has
failed to learn this ARP entry. You can obtain IP address and interface
information from the entry.
2. Obtain packet headers on the interface connecting the device to the user, and
analyze the source IP addresses of packets.
3. Run the display cpu-defend statistics packet-type arp-miss all command in
the user view to check whether the Drop value of ARP Miss packets increases.
– If the count of dropped ARP Miss packets is 0, the device has failed to
learn ARP entries because of a small rate limit for ARP Miss messages.
Go to step 5 to increase the rate limit for ARP Miss messages based on
site requirements.
– If the count of dropped ARP Miss packets is not 0, the rate of ARP Miss
packets exceeds the CPCAR rate limit and excess ARP Miss packets are
discarded. Check whether the CPCAR value for ARP Miss packets is set
properly.

▪ If no, go to step 4 to increase the CPCAR value of ARP Miss packets.

▪ If yes, this problem occurs because the attacker is sending lots of

network segment scanning packets to the device. The device then
triggers a large number of ARP Miss messages, consuming
considerable CPU resources and affecting normal message
processing.
Locate the attacker based on the source address. Check whether the
user hosts are infected by viruses and remove the viruses, or add the
source address of attack packets to the blacklist or configure a

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 365

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

blackhole MAC address entry to discard the packets sent by the

attacker.
4. Run the car command in the attack defense policy view to increase the
CPCAR value for ARP Miss packets.

NOTICE

Improper CPCAR settings will affect services on your network. If you need to
adjust CPCAR settings, you are advised to contact technical support personnel
for help.

The attack defense policy can take effect only after it is applied.
If the fault persists or the fault is rectified but CPU usage is still high, go to
step 5 to decrease the rate limit of ARP Miss messages.
5. Run the display arp anti-attack configuration [ arpmiss-speed-limit |
arpmiss-rate-limit ] command in the user view to check configuration of ARP
Miss rate suppression.
– Run the arp-miss speed-limit source-ip [ ip-address ] maximum
maximum command in the system view to configure the maximum rate
of ARP Miss messages sent from a specified source IP address.
– Run the arp-miss anti-attack rate-limit packet packet-number
[ interval interval-value ] command in the system view, VLAN view, or
interface view to configure the rate limiting duration and rate limit value
for ARP Miss messages.
In versions earlier than V200R003C00, the packet and interval
parameters are not supported on the device and do not need to be
configured.
6. If the fault persists, collect the following information and contact technical
support personnel:
– Result of the preceding procedure
– Configuration file, logs, and alarms of the device

7.11.12 How Can ARP Miss Logs and Alarms Be Disabled?

If you do not need ARP Miss logs after eliminating network security risks
according to 7.11.11 How Can I Handle an ARP Learning Failure Caused by ARP
Miss Messages?, run the info-center source SECE channel 4 log state off
command to disable the device from sending log information.
If you do not need ARP Miss alarms after eliminating network security risks
according to 7.11.11 How Can I Handle an ARP Learning Failure Caused by ARP
Miss Messages?, you can disable the alarms.
● ARP Miss alarms based on source IP addresses
– Run the arp-miss speed-limit source-ip [ ip-address ] maximum 0
command in the system view to disable ARP Miss message rate limiting
based on source IP addresses.

▪ If ip-address is not specified, ARP Miss message rate limiting is

disabled for all source IP addresses. If a large number of ARP Miss

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 366

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

messages are generated for a certain source IP address, CPU usage

may be excessively high.

▪ If ip-address is specified, ARP Miss message rate limiting is disabled

for this source IP address. If a large number of ARP Miss messages
are generated for the source IP address, CPU usage may be
excessively high.
– Run the info-center source SECE channel 4 log state off command in
the system view to disable the device from sending SECE alarm
information.
● Global ARP Miss alarms, ARP Miss alarms in a VLAN or on an interface
– Run the undo arp-miss anti-attack rate-limit alarm enable command
globally, in a VLAN, or on an interface to disable the alarm function for
the ARP Miss messages discarded when the rate of ARP Miss messages
exceeds the upper limit.
After the alarm function is disabled, the device will not report an alarm
when the number of discarded ARP Miss messages exceeds the alarm
threshold.
– Run the info-center source SECE channel 4 log state off command in
the system view to disable the device from sending SECE alarm
information.

7.11.13 How Can I Prevent ARP Attacks Targeted at Static

Users?
Static users (for example, dumb terminals such as printers and servers) are
allocated static IP addresses. Attackers usually steal authorized users' IP addresses
to connect to networks and initiate ARP attacks to interrupt network
communication.
To defend against ARP attacks, a static user binding table and dynamic ARP
inspection (DAI) can be configured for static users. DAI checks ARP packets based
on binding entries.
Run the user-bind static command to configure the static user binding table, and
run the arp anti-attack check user-bind enable command to enable DAI.
After the configuration, when a device receives an ARP packet, it compares the
source IP address, source MAC address, interface number, and VLAN ID of the ARP
packet with static binding entries. If the ARP packet matches a binding entry, the
device considers the ARP packet valid and allows the packet to pass through. If the
ARP packet does not match a binding entry, the device considers the ARP packet
invalid and discards the packet.

7.11.14 What Do I Do If the Device Receives a Large Number

of ARP Request or Reply Packets?
When the device receives a large number of ARP Request or Reply packets, the
following symptoms may occur:
● Network access speed is slow, users are disconnected, network access is
frequently interrupted, users cannot access the network, or services are
interrupted.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 367

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

● The device has a high CPU usage or is disconnected from the NMS, or the
attached devices are disconnected from the network.
● Ping responses are delayed, packets are lost, or the ping operation fails.
To resolve the problem, perform the following steps. Saving the results of each
troubleshooting step is recommended. If your troubleshooting fails to correct the
fault, record your actions and provide the record to technical support personnel.
1. Run the display cpu-defend statistics packet-type { arp-request | arp-
reply } all command in the user view to check whether the Drop value of ARP
Request or Reply packets increases.
– If the count of dropped packets is 0, go to step 6.
– If the count of dropped packets is not 0, the rate of ARP Request or Reply
packets has exceeded the CPCAR rate limit and excess packets have been
discarded. Go to step 2.
2. Run the display cpu-usage command in the user view to check the CPU
usage of the device.
– If CPU usage is in the normal range, Go to step 3.
– If CPU usage exceeds 70%, Go to step 5.
3. Run the car command in the attack defense policy view to increase the
CPCAR values for ARP Request or Reply packets.

NOTICE

Improper CPCAR settings will affect services on your network. If you need to
adjust CPCAR settings, you are advised to contact technical support personnel
for help.

Apply the attack defense policy after running the car command. The attack
defense policy can take effect only after it is applied.
After the preceding steps, if the fault persists or the fault is rectified but CPU
usage is high, go to step 4.
4. Obtain packet headers on user-side interfaces of the device, and find the
attacker based on the source addresses of ARP Request or Reply requests
received on these interfaces.
If many ARP Request or Reply packets have the same source MAC or IP
address, the device considers that the host with this source MAC or IP address
is the attack source.
Based on the actual network environment, run the arp speed-limit source-ip
[ ip-address ] maximum maximum command in the system view to decrease
the rate limit of ARP packets based on the source IP address, or run the arp
speed-limit source-mac [ mac-address ] maximum maximum command to
limit the rate of ARP packets based on the source MAC address.
When ARP packet rate limit based on the source IP or MAC address has been
set to a small value (for example, 5 bit/s), determine whether the fault has
been rectified:
– If the fault persists, go to step 5.
– If the fault is rectified but CPU usage is high, configure the blacklist or a
blackhole MAC address entry so that packets from the attack source will

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 368

S1720, S2700, S5700, and S6720 Series Ethernet
Switches
Configuration Guide - Security 7 ARP Security Configuration

be discarded. After the configuration, if CPU usage is still high, go to step

6.
5. Obtain packet headers on user-side interfaces of the device, and find the
attacker based on the source addresses of ARP Request or Reply packets
received on these interfaces.
If a lot of ARP Request or Reply packets are sent from a source address, the
device considers the source address as an attack source. Add the source
address to the blacklist or configure a blackhole MAC address entry to discard
ARP packets sent by the attacker.
If the fault persists, go to step 6.
6. Collect the following information and contact technical support personnel:
– Result of the preceding procedure
– Configuration file, logs, and alarms of the device

7.11.15 Can the Device Prevent ARP Attacks After the ARP
Anti-Attack Function Is Configured?
After the ARP anti-attack function is configured, the device can only reduce the
impact of the ARP attacks. For example:
● ARP Miss message limiting can only reduce the impact of ARP Miss attacks,
but cannot prevent ARP Miss attacks or defend against ARP packet attacks or
ARP spoofing attacks.
● ARP gateway anti-collision can only prevent bogus gateway attacks, but
cannot prevent ARP flood attacks or ARP spoofing gateway attacks.

Issue 12 (2020-11-15) Copyright © Huawei Technologies Co., Ltd. 369