Huawei switch ARP security
Session 1: ARP security
I. Configure ARP packet rate limiting based on source MAC address, so that the device's CPU is not exhausted by an ARP attack whose source IP address keeps changing
[Huawei]arp speed-limit source-mac maximum 100 limit ARP packets from all MAC addresses to 100 per second
[Huawei]arp speed-limit source-mac 0001-0002-0003 maximum 10 limit ARP packets from a single MAC address to 10 per second
II. Configure ARP packet rate limiting based on source IP address
[Huawei]arp speed-limit source-ip maximum 100 limit ARP packets from all IP addresses to 100 per second
[Huawei]arp speed-limit source-ip 1.1.1.1 maximum 10 limit ARP packets from a single IP address to 10 per second (source-ip takes an IP address, not a MAC address; 1.1.1.1 is an example address)
III. ARP rate limiting based on interface, VLAN or globally
1. Interface-based ARP rate limiting
[Huawei]arp anti-attack rate-limit enable enable ARP rate limiting in the system view
[Huawei-GigabitEthernet0/0/1]arp anti-attack rate-limit enable enable ARP rate limiting on the interface
[Huawei-GigabitEthernet0/0/1]arp anti-attack rate-limit 200 10 block timer 60 rate limit: allow at most 200 ARP packets within 10 s, drop the excess, and block the interface for 60 s (the default interval is 1 s)
[Huawei-GigabitEthernet0/0/1]quit
2. VLAN-based ARP rate limiting
[Huawei]arp anti-attack rate-limit enable
[Huawei-Vlanif2]arp anti-attack rate-limit enable
[Huawei-Vlanif2]arp anti-attack rate-limit 200 10
[Huawei-Vlanif2]quit
3. Global ARP rate limiting
[Huawei]arp anti-attack rate-limit enable
[Huawei]arp anti-attack rate-limit 200 10
4. Prevent ARP man-in-the-middle attacks by dynamic inspection linked with DHCP snooping: the binding entries generated by DHCP are used to check whether received ARP packets are consistent with the DHCP binding table
[Huawei-GigabitEthernet0/0/1]arp anti-attack check user-bind enable enable ARP inspection against the DHCP snooping binding table
[Huawei-GigabitEthernet0/0/1]arp anti-attack check user-bind alarm enable enable the alarm function for this ARP inspection
[Huawei-GigabitEthernet0/0/1]quit
Configuring DHCP snooping is also simple: after configuring the DHCP server and address pool, enable the DHCP snooping function (enabled by default on Cisco)
[Huawei]dhcp snooping enable enable globally
[Huawei]vlan 2
[Huawei-vlan2]dhcp snooping enable enable snooping in the VLAN
[Huawei-vlan2]quit
Finally, remember to configure the cascade (uplink) interface between switches as a snooping trusted port, so that the interface can send and receive DHCP Offer packets
[Huawei-GigabitEthernet0/0/1]dhcp snooping trusted configure the port as a DHCP snooping trusted port, allowing it to send and receive DHCP Offer packets
Supplement: command to add a static DHCP snooping binding entry:
[Huawei]user-bind static ip-address 1.1.1.1 mac-address 0001-0002-0003 interface g0/0/1 vlan 2
Display commands:
[Huawei]display arp anti-attack configuration check user-bind interface GigabitEthernet 0/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
[Huawei]display arp anti-attack statistics check user-bind interface GigabitEthernet 0/0/1
Dropped ARP packet number is 0
Dropped ARP packet number since the latest warning is 0
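As an added illustration (not part of the original notes and not Huawei code), the following Python models the user-bind check from section 4: a received ARP packet is forwarded only if its sender IP, sender MAC, ingress interface and VLAN all match a DHCP snooping or static binding entry; otherwise it is dropped and counted, like the "Dropped ARP packet number" statistic above. The binding mirrors the static user-bind command in the notes; the ARP packets are constructed sample data, and the matched-field set is an assumption about how the check behaves.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

def norm_mac(mac: str) -> str:
    """Normalise Huawei-style (0001-0002-0003) or colon-style MACs."""
    return mac.replace("-", "").replace(":", "").lower()

@dataclass(frozen=True)
class Binding:  # one DHCP snooping / static user-bind entry, keyed by IP
    mac: str
    interface: str
    vlan: int

@dataclass(frozen=True)
class ArpPacket:  # the fields the check reads from a received ARP packet
    sender_ip: str
    sender_mac: str
    ingress_if: str
    vlan: int

class UserBindCheck:
    """Models 'arp anti-attack check user-bind enable' on a switch (assumed behaviour)."""
    def __init__(self) -> None:
        self.table: Dict[str, Binding] = {}
        self.dropped = 0  # the "Dropped ARP packet number" counter
    def add_binding(self, ip: str, mac: str, interface: str, vlan: int) -> None:
        self.table[ip] = Binding(norm_mac(mac), interface, vlan)
    def check(self, pkt: ArpPacket) -> bool:
        """True if every field matches a binding (forward), else False (drop)."""
        b = self.table.get(pkt.sender_ip)
        ok = (b is not None and b.mac == norm_mac(pkt.sender_mac)
              and b.interface == pkt.ingress_if and b.vlan == pkt.vlan)
        if not ok:
            self.dropped += 1
        return ok

def run_demo() -> Tuple[int, int]:
    """Returns (forwarded, dropped) for constructed sample traffic."""
    dai = UserBindCheck()
    # Binding taken from the static user-bind command in the notes above.
    dai.add_binding("1.1.1.1", "0001-0002-0003", "g0/0/1", 2)
    samples: List[ArpPacket] = [  # constructed sample packets
        ArpPacket("1.1.1.1", "00:01:00:02:00:03", "g0/0/1", 2),  # legitimate
        ArpPacket("1.1.1.1", "0001-0002-0004", "g0/0/1", 2),  # wrong MAC for IP
        ArpPacket("1.1.1.1", "0001-0002-0003", "g0/0/2", 2),  # wrong port
        ArpPacket("1.1.1.9", "0001-0002-0009", "g0/0/1", 2),  # no binding
    ]
    forwarded = sum(dai.check(p) for p in samples)
    return forwarded, dai.dropped
```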