
Example for Configuring Static ARP

Networking Requirements

In Figure 1, the Switch connects the departments of an enterprise, and each department is assigned to a different VLAN. Fixed IP addresses have been manually assigned to the file backup server and to hosts in the president's office, and dynamic IP addresses have been assigned to hosts in the marketing and R&D departments using DHCP. Hosts in the marketing department can access the Internet and are often attacked by ARP packets. Attackers send ARP attack packets to the Switch and modify its dynamic ARP entries. As a result, communication between hosts in the president's office and external devices is interrupted, and hosts in the departments fail to access the file backup server. The company requires that static ARP entries be configured on the Switch to prevent these attacks and keep services running normally.

Figure 1 Networking diagram for configuring static ARP

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure static ARP entries on the Switch for hosts in the president's office to prevent the ARP entries of the hosts from being modified by ARP attack packets.
  2. Configure a static ARP entry on the Switch for the file backup server to prevent the ARP entry of the file backup server from being modified by ARP attack packets.

Procedure

  1. Create VLANs on the Switch and configure an IP address for each interface.

    # Create VLAN 10, add GE0/0/1 to VLAN 10, and configure an IP address for VLANIF 10.

    <HUAWEI> system-view
    [HUAWEI] sysname Switch
    [Switch] vlan batch 10
    [Switch] interface gigabitethernet 0/0/1
    [Switch-GigabitEthernet0/0/1] port link-type access
    [Switch-GigabitEthernet0/0/1] port default vlan 10
    [Switch-GigabitEthernet0/0/1] quit
    [Switch] interface vlanif 10
    [Switch-Vlanif10] ip address 10.164.1.20 24
    [Switch-Vlanif10] quit

    # Create VLAN 40, add GE0/0/2 to VLAN 40, and configure an IP address for VLANIF 40.

    [Switch] vlan batch 40
    [Switch] interface gigabitethernet 0/0/2
    [Switch-GigabitEthernet0/0/2] port link-type access
    [Switch-GigabitEthernet0/0/2] port default vlan 40
    [Switch-GigabitEthernet0/0/2] quit
    [Switch] interface vlanif 40
    [Switch-Vlanif40] ip address 10.164.10.10 24
    [Switch-Vlanif40] quit

    # Create VLAN 50, add GE0/0/3 to VLAN 50, and configure an IP address for VLANIF 50.

    [Switch] vlan batch 50
    [Switch] interface gigabitethernet 0/0/3
    [Switch-GigabitEthernet0/0/3] port link-type access
    [Switch-GigabitEthernet0/0/3] port default vlan 50
    [Switch-GigabitEthernet0/0/3] quit
    [Switch] interface vlanif 50
    [Switch-Vlanif50] ip address 10.164.20.1 24
    [Switch-Vlanif50] quit

  2. Configure static ARP entries on the Switch.

    [Switch] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface gigabitethernet 0/0/1
    [Switch] arp static 10.164.10.1 0df0-fc01-003a vid 40 interface gigabitethernet 0/0/2

  3. Verify the configuration.

    # Run the display arp static command to verify the configured static ARP entries.

    [Switch] display arp static
    IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE
                                              VLAN/CEVLAN(SIP/DIP)
    ------------------------------------------------------------------------------
    10.164.1.1      00e0-fc01-0001            S--         GE0/0/1
                                                10/-
    10.164.10.1     0df0-fc01-003a            S--         GE0/0/2
                                                40/-
    ------------------------------------------------------------------------------
    Total:2         Dynamic:0       Static:2     Interface:0

    # From a host in the president's office (for example, a host running Windows 7 with the IP address 10.164.1.1/24), ping 10.164.20.2/24, the IP address of the Router interface that connects to the Switch. The ping succeeds.

    C:\Documents and Settings\Administrator> ping 10.164.20.2
    Pinging 10.164.20.2 with 32 bytes of data:
    Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
    Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
    Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
    Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
    
    Ping statistics for 10.164.20.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms

    # From a host in the marketing department (for example, a host running Windows 7 with the IP address 10.164.2.100/24), ping 10.164.10.10/24, the IP address of the file backup server. The ping succeeds.

    C:\Documents and Settings\Administrator> ping 10.164.10.10
    Pinging 10.164.10.10 with 32 bytes of data:
    Reply from 10.164.10.10: bytes=32 time=1ms TTL=125
    Reply from 10.164.10.10: bytes=32 time=1ms TTL=125
    Reply from 10.164.10.10: bytes=32 time=1ms TTL=125
    Reply from 10.164.10.10: bytes=32 time=1ms TTL=125
    
    Ping statistics for 10.164.10.10:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms

    # From a host in the R&D department (for example, a host running Windows 7 with the IP address 10.164.3.100/24), ping 10.164.10.10/24, the IP address of the file backup server. The ping succeeds.

    C:\Documents and Settings\Administrator> ping 10.164.10.10
    Pinging 10.164.10.10 with 32 bytes of data:
    Reply from 10.164.10.10: bytes=32 time=1ms TTL=125
    Reply from 10.164.10.10: bytes=32 time=1ms TTL=125
    Reply from 10.164.10.10: bytes=32 time=1ms TTL=125
    Reply from 10.164.10.10: bytes=32 time=1ms TTL=125
    
    Ping statistics for 10.164.10.10:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 1ms, Maximum = 1ms, Average = 1ms
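
The verification in step 3 can be repeated automatically after later configuration changes. The following Python script is an added example, not part of the Huawei documentation: it parses the two-line entry rows of the display arp static output shown above and compares them with the bindings from step 2. The function names, the drifted sample and its "D-0" type code are assumptions made for illustration.

```python
import re

# Bindings configured in step 2 of the page: IP -> (MAC, VLAN, interface).
EXPECTED = {
    "10.164.1.1": ("00e0-fc01-0001", 10, "GE0/0/1"),
    "10.164.10.1": ("0df0-fc01-003a", 40, "GE0/0/2"),
}

# Entry rows as printed in the page's verification step.
PAGE_OUTPUT = """\
10.164.1.1      00e0-fc01-0001            S--         GE0/0/1
                                            10/-
10.164.10.1     0df0-fc01-003a            S--         GE0/0/2
                                            40/-
"""

# Constructed drift case (assumed MAC, expiry and "D-0" type): static config lost.
DRIFTED_OUTPUT = """\
10.164.1.1      00e0-fc01-00ff  20        D-0         GE0/0/1
                                            10/-
"""

# First row of an entry: IP, MAC, optional EXPIRE(M), TYPE, INTERFACE.
ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{4}-){2}[0-9a-f]{4})\s+"
                 r"(?:\d+\s+)?(\S+)\s+(\S+)", re.I)
VLAN_ROW = re.compile(r"^\s+(\d+)/")  # second row: VLAN/CEVLAN

def parse_arp_table(text):
    """Parse two-line ARP rows into {ip: (mac, vlan, interface, type)}."""
    table, pending = {}, None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            pending = row.groups()          # VLAN arrives on the next line
        elif pending and (vlan := VLAN_ROW.match(line)):
            ip, mac, typ, intf = pending
            table[ip] = (mac.lower(), int(vlan.group(1)), intf, typ)
            pending = None
    return table

def audit(text, expected=EXPECTED):
    """Return findings where the table differs from the intended bindings."""
    table, findings = parse_arp_table(text), []
    for ip, want in expected.items():
        if ip not in table:
            findings.append(f"{ip}: entry missing")
        elif not table[ip][3].startswith("S"):
            findings.append(f"{ip}: not static, MAC {table[ip][0]}")
        elif table[ip][:3] != want:
            findings.append(f"{ip}: binding changed to {table[ip][:3]}")
    return findings
```

Calling audit(PAGE_OUTPUT) returns an empty list for the output shown on this page, and audit(DRIFTED_OUTPUT) reports one non-static entry and one missing entry.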

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 10 40 50
#
interface Vlanif10
 ip address 10.164.1.20 255.255.255.0
#
interface Vlanif40
 ip address 10.164.10.10 255.255.255.0
#
interface Vlanif50
 ip address 10.164.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 40
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 50
#
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface GigabitEthernet0/0/1
arp static 10.164.10.1 0df0-fc01-003a vid 40 interface GigabitEthernet0/0/2
#
return
Copyright © Huawei Technologies Co., Ltd.