The arp anti-attack gateway-duplicate enable command enables ARP gateway anti-collision.
The undo arp anti-attack gateway-duplicate enable command disables ARP gateway anti-collision.
By default, ARP gateway anti-collision is disabled.
Only the S5720-EI, S5720-HI, S5720I-SI, S5720S-SI, S5720-SI, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5730-HI, S5730S-EI, S5730-SI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720-LI, S6720S-EI, S6720S-LI, S6720S-SI, S6720-SI, S6730-H, S6730S-H, S6730-S, and S6730S-S support this command.
Usage Scenario
If an attacker forges the gateway address by sending ARP packets whose source IP address is the IP address of the gateway on the LAN, hosts on the LAN record an incorrect gateway address in their ARP entries. As a result, all traffic from user hosts to the gateway is sent to the attacker, the attacker intercepts user information, and user communication is interrupted.
Precautions
The device can hold a maximum of 100 ARP anti-attack entries at the same time. When this maximum is exceeded, the device cannot prevent new ARP gateway collision attacks.
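The collision condition from Usage Scenario and the entry limit from Precautions, modelled as an added Python example (not Huawei's implementation and not code from this page). The class and function names, the entry key (sender MAC plus ingress port), the port label, and the sample frames and addresses are constructed assumptions.

```python
import socket
import struct

MAX_ENTRIES = 100  # limit stated in the Precautions section

def build_arp(sender_mac, sender_ip, target_ip="192.0.2.10"):
    """Build a constructed 42-byte Ethernet II ARP reply used as sample input."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + sha + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + sha + socket.inet_aton(sender_ip)
    return eth + arp + b"\x00" * 6 + socket.inet_aton(target_ip)

def parse_arp(frame):
    """Return (sender_mac, sender_ip) of an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

class GatewayCollisionMonitor:
    """Model of a gateway checking ARP frames received from the LAN."""

    def __init__(self, gateway_ip, max_entries=MAX_ENTRIES):
        self.gateway_ip = gateway_ip
        self.max_entries = max_entries
        self.entries = set()  # assumed entry key: (sender MAC, ingress port)

    def check(self, frame, port):
        """Return 'pass', 'drop', or 'untracked' (collision seen, table full)."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[1] != self.gateway_ip:
            return "pass"  # not ARP, or does not claim the gateway's IP
        key = (parsed[0], port)
        if key not in self.entries:
            if len(self.entries) >= self.max_entries:
                return "untracked"  # no room for a new anti-attack entry
            self.entries.add(key)
        return "drop"

if __name__ == "__main__":
    # Constructed demo: a table of 2 entries stands in for the real limit of 100.
    mon = GatewayCollisionMonitor("192.0.2.1", max_entries=2)
    for i, ip in enumerate(["192.0.2.1", "192.0.2.1", "192.0.2.50", "192.0.2.1"]):
        frame = build_arp(f"02:00:00:00:00:{i:02x}", ip)
        print(i, ip, mon.check(frame, port="GE0/0/1"))
```

The last frame in the demo comes back as "untracked": once the table is full, a collision from a new source is seen but no entry can be created for it.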