Items for checking ARP packets based on binding entries are configured.īy default, the check items consist of IP address, MAC address, VLAN ID, and interface number.
(Optional) In the interface view, run: arp anti-attack check user-bind check-item *.This function is supported only when the MPU is used. Only LAN-side interfaces on the SRU-100H, SRU-200H, SRU-100HH, SRU-400HK, SRU-600HK, SRU-400H, and SRU-600H support this function. Only LAN-side interfaces on the AR6140H-S and AR6140-16G4XG support this function.
After the alarm function is enabled, the device will generate an alarm when the number of discarded ARP packets exceeds a specified threshold. If you want to receive an alarm when a large number of ARP packets are generated, enable the alarm function for the ARP packets discarded by DAI. When DAI is enabled in the VLAN view, the device checks the ARP packets received on all interfaces belonging to the VLAN against binding entries. When DAI is enabled in an interface view, the device checks all ARP packets received on the interface against binding entries. You can enable DAI in the interface view or the VLAN view. If the ARP packet does not match a binding entry, the device considers the ARP packet invalid and discards the packet. If the ARP packet matches a binding entry, the device considers the ARP packet valid and allows the packet to pass through. After DAI is configured, the device compares the source IP address, source MAC address, VLAN ID, and interface number in the received ARP packet with binding entries. If ARP entry fixing is enabled globally, all interfaces have this function enabled by default.Ĭonfiguring DAI on an access device can prevent MITM attacks and theft on authorized users' information. You can configure ARP entry fixing globally. This mode applies to networks where user MAC addresses and user access locations often change. Instead, the device sends a unicast ARP Request packet to the user with the IP address mapped to the original MAC address in the ARP entry, and then determines whether to change the MAC address, VLAN ID, or interface number in the ARP entry depending on the response from the user.
ARPSPOOF EXAMPLE UPDATE
send-ack: When the device receives an ARP packet with a changed MAC address, interface number, or VLAN ID, it does not immediately update the corresponding ARP entry.This mode applies to networks where user MAC addresses and user access locations are fixed. fixed-all: When the MAC address, interface number, and VLAN ID of an ARP packet match those in the corresponding ARP entry, the device updates other information about the ARP entry.When a user connects to a different interface on the device, the device updates interface information in the ARP entry of the user timely. This mode applies to networks where user MAC addresses are unchanged but user access locations often change. If the MAC address in the ARP packet matches that in the corresponding ARP entry while the interface number or VLAN ID does not match that in the ARP entry, the device updates the interface number or VLAN ID in the ARP entry. fixed-mac: When receiving an ARP packet, the device discards the packet if the MAC address does not match that in the corresponding ARP entry.The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive: To defend against ARP address spoofing attacks, configure ARP entry fixing on the gateway.
0 kommentar(er)
