Table 1 and Table 2 describe the ARP anti-attack functions that can be deployed on the device and give the recommended deployment position for each. Table 1 covers functions that defend against ARP flood attacks; Table 2 covers functions that defend against ARP spoofing attacks.
Table 1

| ARP Anti-Attack Function | Function Description | Recommended Deployment Position |
|---|---|---|
| Rate limit on ARP packets: based on source MAC addresses; based on source IP addresses; globally, in a VLAN, and on an interface | Limits the rate of ARP packets, ensuring that the device has sufficient CPU resources to process other services when receiving a large number of ARP packets. | On the gateway. NOTE: When an access device is enabled with MAC-Forced Forwarding (MFF), the MFF module may forward too many ARP packets whose destination IP address differs from the IP address of the interface receiving them, which leads to CPU overload. To resolve this problem, limit the rate of ARP packets globally, in a VLAN, or on an interface. |
| Rate limit on ARP Miss messages: based on source IP addresses; globally, in a VLAN, and on an interface | Limits the rate of ARP Miss messages to defend against attacks from a large number of IP packets with unresolvable destination IP addresses. | On the gateway. |
| ARP reply optimization | Improves the stack's capability of defending against ARP flood attacks. After ARP reply optimization is configured, the standby/slave switch directly returns an ARP Reply packet when it receives an ARP Request packet whose destination IP address is the local interface address. | On the stack that is used as the gateway. |
| Strict ARP learning | Allows the device to learn only ARP entries for ARP Reply packets sent in response to ARP Request packets that the device itself sent. This prevents ARP entries from being exhausted by invalid ARP packets. | On the gateway. |
| ARP entry limiting | Limits the maximum number of dynamic ARP entries that the device can learn, preventing ARP entries from being exhausted when a host connected to the interface attacks the device. | On the gateway. |
| Disabling ARP learning on interfaces | Disables an interface from learning ARP entries, preventing ARP entries from being exhausted when a host connected to the interface attacks the device. | On the gateway. |
Table 2

| ARP Anti-Attack Function | Function Description | Recommended Deployment Position |
|---|---|---|
| Fixed ARP | After the device with this function enabled learns an ARP entry for the first time, it does not modify the ARP entry; it only updates part of the entry, or sends an ARP Request packet to check the validity of the ARP packet before updating the entry. The device supports three ARP entry fixing modes: fixed-all, fixed-mac, and send-ack. | On the gateway. |
| Dynamic ARP inspection (DAI) | Allows the device to compare the source IP address, source MAC address, interface number, and VLAN ID of an ARP packet with DHCP snooping binding entries. If an entry is matched, the device considers the ARP packet valid and allows it to pass. If no entry is matched, the device considers the ARP packet invalid and discards it. This function is available only in DHCP snooping scenarios. | On an access device. NOTE: When ARP learning triggered by DHCP is enabled on the gateway, this function can also be enabled on the gateway. |
| ARP gateway anti-collision | Prevents gateway ARP entries on hosts from being modified by attackers using bogus gateway IP addresses. | On the gateway. |
| Gratuitous ARP packet sending | Allows the device used as the gateway to periodically send ARP Request packets whose destination IP address is the device's own IP address, so that hosts refresh the gateway MAC address in their ARP entries. This ensures that packets from authorized users are forwarded to the gateway and prevents attackers from intercepting them. | On the gateway. |
| MAC address consistency check in an ARP packet | Defends against attacks from bogus ARP packets in which the source and destination MAC addresses differ from those in the Ethernet frame header. | On the gateway. |
| ARP packet validity check | Allows the device to filter out packets with invalid MAC addresses or IP addresses. The device checks ARP packets based on the source MAC address, destination MAC address, or IP address. | On the gateway or an access device. |
| Strict ARP learning | Allows the device to learn only ARP entries for ARP Reply packets sent in response to ARP Request packets that the device itself sent. This prevents the device from incorrectly updating ARP entries based on received bogus ARP packets. | On the gateway. |
| ARP learning triggered by DHCP | Allows the device to generate ARP entries based on received DHCP ACK packets. When there are a large number of DHCP users, the device would otherwise need to learn and age many ARP entries, affecting device performance; this function avoids that problem. You can also deploy DAI to prevent the ARP entries of DHCP users from being modified maliciously. | On the gateway. |
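The MAC address consistency check, ARP packet validity check and dynamic ARP inspection rows above describe per-packet checks. The following Python is an added example, not the device's code, that applies those three checks in order to constructed ARP frames; it assumes untagged Ethernet II framing and a constructed DHCP snooping binding table keyed by (IP, MAC).

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
# Constructed DHCP snooping binding table: (IP, MAC) -> (interface, VLAN).
BINDINGS = {("10.0.0.5", "00:11:22:33:44:55"): ("GE0/0/1", 10)}

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Build an untagged Ethernet II frame carrying an IPv4 ARP message."""
    hdr = struct.pack("!6s6sH", eth_dst, eth_src, ETH_P_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha,
                       IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return hdr + body

def parse_arp(frame: bytes) -> dict:
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP or len(frame) < 42:
        raise ValueError("not an IPv4 ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return dict(eth_dst=eth_dst, eth_src=eth_src, op=op, sha=sha,
                spa=str(IPv4Address(spa)), tha=tha, tpa=str(IPv4Address(tpa)))

def inspect(frame: bytes, interface: str, vlan: int) -> str:
    """Return 'accept' or the name of the check that rejected the frame."""
    a = parse_arp(frame)
    # ARP packet validity check: drop all-zero, broadcast or multicast source MACs.
    if a["sha"] in (b"\x00" * 6, b"\xff" * 6) or a["sha"][0] & 1:
        return "invalid-source-mac"
    # MAC address consistency check: the ARP sender MAC must equal the Ethernet
    # source MAC, and in a reply the ARP target MAC must equal the Ethernet destination.
    if a["sha"] != a["eth_src"] or (a["op"] == 2 and a["tha"] != a["eth_dst"]):
        return "mac-inconsistent"
    # Dynamic ARP inspection: (IP, MAC, interface, VLAN) must match a binding entry.
    if BINDINGS.get((a["spa"], mac_str(a["sha"]))) != (interface, vlan):
        return "dai-no-binding"
    return "accept"

# Constructed frames: a legitimate request, a reply whose ARP sender MAC does not
# match the Ethernet source MAC, and a request from an IP with no binding entry.
HOST, GW = bytes.fromhex("001122334455"), bytes.fromhex("00aabbccddee")
BCAST, ZERO = b"\xff" * 6, b"\x00" * 6
GOOD = build_arp(BCAST, HOST, 1, HOST, "10.0.0.5", ZERO, "10.0.0.1")
SPOOFED = build_arp(GW, HOST, 2, bytes.fromhex("00aabbccddef"), "10.0.0.5", GW, "10.0.0.1")
UNBOUND = build_arp(BCAST, HOST, 1, HOST, "10.0.0.9", ZERO, "10.0.0.1")
```

Calling `inspect(GOOD, "GE0/0/1", 10)` returns `"accept"`, while the same frame seen on another interface or VLAN fails the DAI lookup.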