Strict ARP learning
With strict ARP learning, the device learns ARP entries only from ARP reply packets that answer ARP request packets the device sent itself. Unsolicited ARP request packets, and ARP reply packets that do not correspond to a request the device sent, are not learned. This prevents an attacker from planting entries for a bogus client or gateway in the device's ARP table.
Validity check on ARP packets
After receiving an ARP packet, the device checks whether the source and destination MAC addresses in the Ethernet header match the sender and target hardware addresses carried in the Data field of the ARP packet. If they match, the device considers the packet valid and allows it to pass. If they do not match, the device considers the packet an attack packet and discards it. The validity check protects the network and the device itself from attacks that use malformed ARP packets.
An attacker responds to a client with a forged ARP reply packet so that the client learns an incorrect MAC address for the gateway.
An attacker sends a forged ARP request packet to the gateway so that the gateway learns incorrect ARP entries.
An attacker sends malformed ARP packets to a device so that the device learns incorrect ARP entries.
Configure strict ARP learning.
If strict ARP learning is configured both globally and in the interface view, the configuration in the interface view takes effect on that interface.
If strict ARP learning is not configured in the interface view, the global configuration takes effect.
Globally:
<HUAWEI> system-view
[~HUAWEI] arp learning strict
On an interface (force-enable enables strict learning on this interface regardless of the global setting):
<HUAWEI> system-view
[~HUAWEI] interface gigabitethernet 0/1/11
[~HUAWEI-GigabitEthernet0/1/11] arp learning strict force-enable
Configure validity check on ARP packets.
If source-mac is specified:
After receiving an ARP Request packet, an interface only checks whether the source MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet.
After receiving an ARP Response packet, an interface only checks whether the source MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet.
If destination-mac is specified:
After receiving an ARP Request packet, an interface does not check whether the destination MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet, because ARP Request packets are broadcast: the Ethernet destination is the broadcast address while the target hardware address in the Data field is not yet known.
After receiving an ARP Response packet, an interface only checks whether the destination MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet.
If both source-mac and destination-mac are specified:
After receiving an ARP Request packet, an interface only checks whether the source MAC address in the Ethernet packet header is consistent with that in the Data field of the ARP packet.
After receiving an ARP Response packet, an interface checks whether both the source MAC address and destination MAC address in the Ethernet packet header are respectively the same as those in the Data field of the ARP packet.
<HUAWEI> system-view
[~HUAWEI] interface gigabitethernet 0/1/1
[~HUAWEI-GigabitEthernet0/1/1] arp validate source-mac destination-mac
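As an added example (not Huawei's code or configuration), the following Python model parses an Ethernet/ARP frame and applies the two mechanisms described above: the validity check with the source-mac and destination-mac options exactly as specified in the list, and strict learning that accepts only replies answering requests the device sent. All MAC and IP addresses are constructed for the example; the aging and per-interface behaviour of a real device are omitted.

```python
import socket
import struct
from dataclasses import dataclass

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return socket.inet_aton(s)


@dataclass
class ArpFrame:
    eth_dst: bytes   # Ethernet header destination MAC
    eth_src: bytes   # Ethernet header source MAC
    op: int          # 1 = request, 2 = reply
    sha: bytes       # sender hardware address (ARP Data field)
    spa: bytes       # sender protocol address
    tha: bytes       # target hardware address (ARP Data field)
    tpa: bytes       # target protocol address


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Ethernet II header followed by a 28-byte Ethernet/IPv4 ARP body."""
    return (struct.pack("!6s6sH", eth_dst, eth_src, ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + struct.pack("!6s4s6s4s", sha, spa, tha, tpa))


def parse_arp(frame: bytes) -> ArpFrame:
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported hardware/protocol encoding")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(eth_dst, eth_src, op, sha, spa, tha, tpa)


def arp_validate(f: ArpFrame, source_mac: bool = True, destination_mac: bool = True) -> bool:
    """Header-vs-Data-field check: source-mac applies to requests and replies,
    destination-mac only to replies (a request is broadcast and its target MAC
    is not yet known)."""
    if source_mac and f.eth_src != f.sha:
        return False
    if destination_mac and f.op == ARP_REPLY and f.eth_dst != f.tha:
        return False
    return True


class StrictArpLearner:
    """Learns an entry only from a reply answering a request this device sent
    (model of strict ARP learning; no aging, single interface)."""

    def __init__(self, my_mac: bytes, my_ip: bytes):
        self.my_mac, self.my_ip = my_mac, my_ip
        self.pending = set()   # IPs we have asked about and not yet resolved
        self.table = {}        # ip -> mac

    def send_request(self, target_ip: bytes) -> bytes:
        self.pending.add(target_ip)
        return build_arp(BROADCAST, self.my_mac, ARP_REQUEST,
                         self.my_mac, self.my_ip, ZERO_MAC, target_ip)

    def receive(self, frame: bytes, validate: bool = True) -> bool:
        f = parse_arp(frame)
        if validate and not arp_validate(f):
            return False              # malformed: header and Data field disagree
        if f.op != ARP_REPLY or f.spa not in self.pending:
            return False              # unsolicited request or reply: not learned
        if f.tpa != self.my_ip or f.tha != self.my_mac:
            return False              # reply not addressed to this device
        self.pending.discard(f.spa)
        self.table[f.spa] = f.sha
        return True


def demo() -> dict:
    """Replays the attack scenarios above with constructed sample frames."""
    me, gw, atk = mac("00:11:22:33:44:55"), mac("00:aa:bb:cc:dd:01"), mac("00:de:ad:be:ef:99")
    gw_ip, my_ip = ip("10.0.0.1"), ip("10.0.0.2")
    dev = StrictArpLearner(me, my_ip)
    dev.send_request(gw_ip)
    r = {}
    # Legitimate unicast reply from the real gateway: learned.
    r["legit"] = dev.receive(build_arp(me, gw, ARP_REPLY, gw, gw_ip, me, my_ip))
    r["gateway_mac"] = dev.table.get(gw_ip) == gw
    # Forged reply claiming to be the gateway with no request outstanding: dropped.
    r["spoof_reply"] = dev.receive(build_arp(me, atk, ARP_REPLY, atk, gw_ip, me, my_ip))
    # Forged broadcast request from the attacker: never learned under strict mode.
    r["spoof_request"] = dev.receive(build_arp(BROADCAST, atk, ARP_REQUEST, atk, gw_ip, ZERO_MAC, my_ip))
    # Malformed reply: Ethernet source is the attacker, Data field claims the gateway MAC.
    dev.send_request(ip("10.0.0.3"))
    bad = build_arp(me, atk, ARP_REPLY, gw, ip("10.0.0.3"), me, my_ip)
    r["malformed"] = dev.receive(bad)
    r["malformed_src_check"] = arp_validate(parse_arp(bad))
    r["malformed_dst_only"] = arp_validate(parse_arp(bad), source_mac=False)
    return r
```

The last two results show why source-mac matters: with only destination-mac configured, the malformed reply passes the validity check (its Ethernet destination and target hardware address both equal the victim's MAC) and is stopped only because strict learning is also in place.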
If static ARP is configured on a VLANIF interface with an outbound interface specified and user traffic is switched to another member interface of the VLAN because of a topology change, downstream traffic can no longer be forwarded. Therefore, do not specify the outbound interface when configuring static ARP on a VLANIF interface; the device learns the outbound interface by sending ARP packets.
The device can counter ARP attacks by sending gratuitous ARP packets so that other devices refresh their ARP entries. However, services are interrupted while this happens, which affects service quality. If ARP attacks persist, manual intervention is required.
In some scenarios, a device has to learn multicast MAC addresses to generate ARP entries.