What network engineers should know about ARP


Dynamic ARP entry learning

In most cases, devices learn and update ARP entries dynamically through the ARP protocol itself. How does this work? Dynamic ARP resolves an address in two steps: the requester broadcasts an ARP request message, and the owner of the requested address unicasts an ARP reply message back.

For example, Xiao A and Xiao C exchanged IP addresses at a party. As shown in the figure above, when Xiao A needs to communicate with Xiao C, he knows that Xiao C's IP address is 10.1.1.3/24. Comparing it with his own address, he finds that it lies in his own network segment, 10.1.1.0/24, so Xiao A broadcasts an ARP request message asking for Xiao C's MAC address.

After receiving the ARP request message, Xiao C unicasts an ARP reply message telling Xiao A that his MAC address is 3-3-3. (Xiao B, who is in the same network segment, also receives the ARP request message, but because the destination IP address in the request is not Xiao B's IP address, Xiao B does not respond.)

After Xiao A receives the ARP reply message, he will add a dynamic entry to his ARP table: IP address 10.1.1.3 corresponds to MAC address 3-3-3, so that Xiao A can communicate with Xiao C.

Note: Because the ARP table has limited capacity and dynamic entries must stay accurate, a PC or switch ages the dynamic ARP entries it has learned. Dynamic ARP entries on the switch have an aging time; the default value is 20 minutes, and it is generally recommended to keep the default.

When a dynamic ARP entry on the device reaches its aging time, the device sends an aging probe message (that is, an ARP request message). If an ARP reply message is received, the dynamic ARP entry is refreshed and probing ends. If no ARP reply message is received after the configured number of aging probes, the dynamic ARP entry is deleted and probing ends.

Static ARP entry configuration

For important devices in the network, such as servers, static ARP entries can be configured on the switch. This prevents the switch's ARP entries for the IP addresses of important devices from being incorrectly updated by ARP attack packets, ensuring normal communication between users and those devices.

Static ARP entries will not age and will not be overwritten by dynamic ARP entries. Users can manually configure static ARP entries.

For example, suppose there is an important server in the network with IP address 172.16.10.2 and MAC address 0023-0045-0067. If the switch interface GE1/0/1 connected to the server is in Layer 2 mode and has been added to VLAN 100, a corresponding ARP entry can be configured for the server on the switch as follows.

  <Quidway> system-view
  [Quidway] vlan batch 100
  [Quidway] interface vlanif 100
  [Quidway-Vlanif100] ip address 172.16.10.1 24 //The IP address of the VLANIF interface must be in the same network segment as the IP address in the static ARP entry (172.16.10.2).
  [Quidway-Vlanif100] quit
  [Quidway] interface gigabitethernet 1/0/1
  [Quidway-GigabitEthernet1/0/1] port link-type access
  [Quidway-GigabitEthernet1/0/1] port default vlan 100 //Interface GigabitEthernet1/0/1 is in Layer 2 mode and needs to be added to VLAN 100.
  [Quidway-GigabitEthernet1/0/1] quit
  [Quidway] arp static 172.16.10.2 0023-0045-0067 vid 100 interface gigabitethernet 1/0/1

For the server above, if the interface connecting the switch to the server is in Layer 3 mode, you can configure static ARP entries on the switch as follows.

  <Quidway> system-view
  [Quidway] interface gigabitethernet 1/0/1
  [Quidway-GigabitEthernet1/0/1] undo portswitch
  [Quidway-GigabitEthernet1/0/1] ip address 172.16.10.1 24 //The IP address of GigabitEthernet1/0/1 must be in the same network segment as the IP address in the static ARP entry (172.16.10.2).
  [Quidway-GigabitEthernet1/0/1] quit
  [Quidway] arp static 172.16.10.2 0023-0045-0067 interface gigabitethernet 1/0/1

ARP Proxy

As mentioned above, when a host performs dynamic ARP learning, if it finds that the destination IP address is in the same network segment as itself, it will send a broadcast ARP request message to perform ARP learning. However, in some cases, although the two hosts are in the same network segment, they are not in the same broadcast domain. The destination host cannot receive the ARP request message, and therefore cannot successfully learn the ARP table entry.

After ARP proxy is enabled on the switch connecting the two hosts, the switch acts as an intermediary. When Host_1 sends an ARP request message asking for the MAC address of Host_2, the switch answers with its own MAC address. The data packets that Host_1 sends to Host_2 therefore go to the switch first, and the switch forwards them to Host_2.

For example, ARP proxy can be used in the following three situations.

Case 1: Hosts Host_1 and Host_2 (no default gateway is configured on the hosts) that need to communicate are in the same network segment but not in the same physical network (that is, not in the same broadcast domain). Because they are in different broadcast domains, Host_2 cannot receive the ARP request message sent by Host_1. In this case, you can enable the routed Proxy ARP function (arp-proxy enable) on the VLANIF10 and VLANIF20 interfaces of the switch to achieve communication between Host_1 and Host_2.

Case 2: Hosts Host_1 and Host_2 that need to communicate are in the same network segment and belong to the same VLAN, but port isolation is configured for interfaces IF_1 and IF_2 in the VLAN. Since the interfaces IF_1 and IF_2 are isolated, Host_2 cannot receive the ARP request message sent by Host_1. In this case, you can enable the intra-VLAN Proxy ARP function (arp-proxy inner-sub-vlan-proxy enable) on the VLANIF interface associated with VLAN10 on the Switch to implement Layer 3 communication between Host_1 and Host_2.

Case 3: Hosts Host_1 and Host_2 that need to communicate are in the same network segment but belong to different VLANs. Since they are not in the same VLAN, Host_2 cannot receive the ARP request message sent by Host_1. In this case, you can enable the inter-VLAN Proxy ARP function (arp-proxy inter-sub-vlan-proxy enable) on the VLANIF30 interface on the Switch that is associated with VLAN10 and VLAN20 to achieve Layer 3 communication between Host_1 and Host_2.

How can ARP table security be ensured?

1. Ensure that ARP packets from legitimate users can be sent to the CPU for processing

By default, to keep the CPU operating normally, the switch sets a CPCAR value for each type of protocol packet sent to the CPU, and packets exceeding the CPCAR value are discarded. If attackers flood the switch with ARP packets, the ARP packets of legitimate users may never reach the CPU, and their ARP entries cannot be generated normally.

(1) ARP packet rate limiting

Limit the rate of ARP packets based on the source MAC address.

  [HUAWEI] arp speed-limit source-mac maximum 10 //For any MAC address, a maximum of 10 ARP packets are allowed to pass per second

Limit the rate of ARP packets based on the source IP address.

  [HUAWEI] arp speed-limit source-ip maximum 10 //For any IP address, a maximum of 10 ARP packets are allowed to pass per second

Limit the ARP packet rate globally.

  [HUAWEI] arp anti-attack rate-limit enable //Enable the ARP rate limit function
  [HUAWEI] arp anti-attack rate-limit packet 200 interval 10 //Specify that the device is allowed to send a maximum of 200 ARP packets within 10 seconds. If the rate exceeds the limit, the packets will be discarded.

Limit the rate of ARP packets based on VLAN.

  [HUAWEI-vlan3] arp anti-attack rate-limit enable //Enable the ARP rate limit function
  [HUAWEI-vlan3] arp anti-attack rate-limit packet 200 interval 10 //Specify that VLAN 3 is allowed to send a maximum of 200 ARP packets within 10 seconds. If the rate exceeds the limit, the packets will be discarded.

Limit the rate of ARP packets based on interfaces.

  [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit enable //Enable the ARP rate limit function
  [HUAWEI-GigabitEthernet0/0/1] arp anti-attack rate-limit packet 200 interval 10 //Specify that GE0/0/1 is allowed to send a maximum of 200 ARP packets within 10 seconds. If the rate exceeds the limit, the packets will be discarded.
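As an added illustration (not from the original article) of what the per-MAC, per-IP and global limits above would do, this Python script replays a constructed list of ARP packets against those thresholds and reports which sources lose packets. Modelling the counters as fixed windows is an assumption for the example, not the switch's exact algorithm.

```python
from collections import defaultdict

# Thresholds taken from the rate-limit commands on this page
PER_MAC_PPS = 10            # arp speed-limit source-mac maximum 10
PER_IP_PPS = 10             # arp speed-limit source-ip maximum 10
GLOBAL_PKTS = 200           # arp anti-attack rate-limit packet 200 interval 10
GLOBAL_INTERVAL_MS = 10_000

# Constructed sample of ARP packets seen by the switch: (timestamp in ms, source MAC, source IP).
# One host sends 30 ARP packets in 1.5 s; four other hosts send one packet each.
SAMPLE = [(i * 50, "aaaa-bbbb-0001", "10.1.1.9") for i in range(30)]
SAMPLE += [(200 + i * 500, f"aaaa-bbbb-{i + 2:04x}", f"10.1.1.{20 + i}") for i in range(4)]

def count_drops(packets, key, max_pkts, window_ms):
    """Count packets per key in fixed windows of window_ms and return {key: packets over the limit}.
    Assumed model of the counters behind the commands above: every packet beyond max_pkts
    within a window is dropped, and the count restarts with the next window."""
    counts = defaultdict(int)
    for ts, mac, ip in packets:
        counts[(key(mac, ip), ts // window_ms)] += 1
    drops = defaultdict(int)
    for (k, _window), n in counts.items():
        if n > max_pkts:
            drops[k] += n - max_pkts
    return dict(drops)

def analyse(packets):
    """Apply the per-MAC, per-IP and global limits and report which sources lose packets."""
    return {
        "per_mac": count_drops(packets, lambda mac, ip: mac, PER_MAC_PPS, 1000),
        "per_ip": count_drops(packets, lambda mac, ip: ip, PER_IP_PPS, 1000),
        "global": count_drops(packets, lambda mac, ip: "all", GLOBAL_PKTS, GLOBAL_INTERVAL_MS),
    }

if __name__ == "__main__":
    for scope, drops in analyse(SAMPLE).items():
        print(scope, drops or "no drops")
```

The flooding host loses 10 of its 20 packets in the first second under both the per-MAC and per-IP limits, while the global 200-per-10-seconds limit is never reached by 34 packets.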

(2) ARP Miss message rate limiting

If a user on the network sends the device a large number of IP packets whose destination IP addresses cannot be resolved (that is, the routing table has a route for the destination IP address, but the device has no ARP entry for that route's next hop), the device triggers a large number of ARP Miss messages. IP packets that trigger ARP Miss messages are sent to the CPU for processing; the device then generates and installs many temporary ARP entries and sends many ARP request packets to the destination network, which increases the load on the device CPU.

Limiting the rate of ARP Miss messages reduces the load on the device CPU, so that ARP packets from legitimate users can still be sent to the CPU for processing.

Limit the rate of ARP Miss messages based on the source IP address.

  [HUAWEI] arp-miss speed-limit source-ip maximum 60 //Allow the device to process a maximum of 60 ARP Miss messages triggered by the same source IP address per second

Limit the rate of ARP Miss messages globally. You can also limit the rate of ARP Miss messages based on VLAN or interface.

  [HUAWEI] arp-miss anti-attack rate-limit enable //Enable the ARP Miss rate limit function
  [HUAWEI] arp-miss anti-attack rate-limit packet 200 interval 10 //Specify that the device is allowed to send a maximum of 200 ARP Miss messages within 10 seconds. If the rate exceeds the limit, the packets will be discarded.

(3) Egress ARP detection function

Egress ARP detection reduces the CPU load by reducing the number of broadcast packets in the VLAN. It works by looking up the outbound interface for the destination IP address in the DHCP Snooping binding table and sending the ARP request message directly out of that interface, so fewer ARP messages are broadcast in the VLAN and the CPU load falls.

The egress ARP detection function is mainly used to reduce the number of ARP packets processed by the gateway device. As shown in Figure 1, by enabling the egress ARP detection function on the L2switch, the DHCP Snooping binding table can be searched before the L2switch broadcasts the ARP request packet. If the egress interface corresponding to the destination IP address in the ARP packet can be found, the ARP request packet is sent out from the found egress interface, effectively reducing the number of ARP request packets received by the gateway.

The configuration method of the egress ARP detection function is as follows:

  [L2switch] dhcp enable //Enable DHCP function globally
  [L2switch] dhcp snooping enable //Enable DHCP Snooping function globally
  [L2switch] vlan 10
  [L2switch-vlan10] dhcp snooping enable
  [L2switch-vlan10] dhcp snooping arp security enable //Enable the egress ARP detection function

2. Ensure the correctness of ARP entries

(1) Preventing bogus gateway attacks

The following methods prevent attacks from bogus gateways. The configuration is as follows:

Configure the gateway to periodically send gratuitous ARP packets.

  [Gateway] arp gratuitous-arp send enable //Enable sending gratuitous ARP packets. The default sending interval is 30 seconds.

Configure ARP gateway conflict prevention detection.

  [Gateway] arp anti-attack gateway-duplicate enable

Configure the ARP gateway protection function.

  [L2switch] interface gigabitethernet 0/0/1
  [L2switch-GigabitEthernet0/0/1] arp filter source 10.1.1.1 //The protected gateway IP address is 10.1.1.1

(2) Prevent attacks by impersonating legitimate users

ARP entry fixation:

  • fixed-mac: ARP packets are discarded if the MAC address in the packet does not match the MAC address in the corresponding entry in the ARP table.
  • fixed-all: If any of the MAC address, interface, or VLAN information in the ARP packet does not match the information in the ARP entry, the packet is discarded.
  • send-ack: When the device receives an ARP packet that would change the MAC address, VLAN, or interface of an existing entry, it first sends an ARP request message and discards the packet if no reply is received.

Dynamic ARP inspection:

The device checks the IP address, MAC address, VLAN and interface information of each received ARP packet against the entries recorded in the DHCP Snooping binding table. If they do not match a binding entry, the packet is discarded.

ARP entry fixation can be configured globally or on an interface.

  [Gateway] arp anti-attack entry-check fixed-mac enable //Specify the fixation mode as fixed-mac

Configure the dynamic ARP inspection function based on interfaces and VLANs.

  [Gateway] vlan 10
  [Gateway-vlan10] arp anti-attack check user-bind enable
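An added example, not from the article, that models how the protections above treat the same ARP packet: entry fixation in fixed-mac and fixed-all mode, and dynamic ARP inspection against a DHCP Snooping binding. The ARP entry, the binding and the packets are constructed; send-ack is left out because it needs a live probe exchange.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpInfo:
    """IP, MAC, VLAN and inbound interface carried by (or recorded for) an ARP packet."""
    ip: str
    mac: str
    vlan: int
    iface: str

# Constructed: the gateway's current ARP entry for a host, and the DHCP Snooping binding for it
ARP_TABLE = {"10.1.1.3": ArpInfo("10.1.1.3", "3-3-3", 10, "GE0/0/1")}
DHCP_BINDINGS = {ArpInfo("10.1.1.3", "3-3-3", 10, "GE0/0/1")}

def entry_check(pkt, mode, table=ARP_TABLE):
    """ARP entry fixation (arp anti-attack entry-check <mode>). Returns True if the packet
    may update the table, False if it is discarded."""
    cur = table.get(pkt.ip)
    if cur is None:
        return True                        # no existing entry, so nothing to compare against
    if mode == "fixed-mac":
        return pkt.mac == cur.mac          # MAC must match; VLAN and interface may change
    if mode == "fixed-all":
        return (pkt.mac, pkt.vlan, pkt.iface) == (cur.mac, cur.vlan, cur.iface)
    raise ValueError(f"unknown fixation mode {mode}")

def dai_check(pkt, bindings=DHCP_BINDINGS):
    """Dynamic ARP inspection (arp anti-attack check user-bind enable): IP, MAC, VLAN and
    interface must all match a DHCP Snooping binding, otherwise the packet is dropped."""
    return pkt in bindings

def verdicts(pkt):
    """Summarise what each protection would do with one packet (True = accepted)."""
    return {
        "fixed-mac": entry_check(pkt, "fixed-mac"),
        "fixed-all": entry_check(pkt, "fixed-all"),
        "user-bind": dai_check(pkt),
    }
```

Note the difference for a packet with the right MAC arriving on another interface: fixed-mac accepts it, while fixed-all and the binding check both drop it.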

3. Ensure that ARP entries for legitimate users can be generated normally

(1) Limit the number of ARP entries that can be learned

If an attacker on an interface is consuming a large share of the ARP table, ARP table exhaustion can be prevented by limiting the number of ARP entries the interface may learn. Once the number of ARP entries learned on the interface reaches the configured limit, the interface learns no new ARP entries.

(2) Strict ARP entry learning

With strict ARP learning, only a reply to an ARP request that the local device itself sent can trigger ARP learning on the local device. ARP messages that other devices send to the local device unsolicited cannot trigger ARP learning.

The configuration method is as follows:

Limit ARP entries.

  [HUAWEI] interface gigabitethernet 0/0/1
  [HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20 //Configure GE0/0/1 to learn a maximum of 20 dynamic ARP entries in VLAN 10.

Configure strict ARP entry learning.

  [HUAWEI] arp learning strict //Configure strict learning of ARP entries
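An added example, not from the article, that ties together the ARP table behaviour described on this page: dynamic entry aging with probe retries (default 20 minutes), static entries that never age and are never overwritten, the per-interface learning limit, and strict learning. PROBE_TIMES and the one-probe-per-tick schedule are assumptions for the model, not the switch's actual timers.

```python
from dataclasses import dataclass
AGING_TIME = 20 * 60   # default aging time of dynamic entries on the switch (20 minutes), in seconds
PROBE_TIMES = 3        # assumed: aging probes sent before a silent entry is deleted
@dataclass
class Entry:
    mac: str
    static: bool = False   # static entries never age and are never overwritten
    age: int = 0           # seconds since the entry was last confirmed
    probes: int = 0        # aging probes sent without a reply
class ArpTable:
    def __init__(self, strict=False, limit=None):
        self.entries = {}
        self.pending = set()  # IPs we sent an ARP request for and still await a reply
        self.strict = strict  # models 'arp learning strict'
        self.limit = limit    # models 'arp-limit ... maximum <n>': cap on dynamic entries
    def add_static(self, ip, mac):
        self.entries[ip] = Entry(mac, static=True)
    def send_request(self, ip):
        self.pending.add(ip)
        return ("request", ip)
    def receive(self, sender_ip, sender_mac, is_reply):
        """Offer a received ARP packet; returns True if an entry was learned or refreshed."""
        cur = self.entries.get(sender_ip)
        if cur is not None and cur.static:
            return False  # a static entry wins over any dynamic update
        if self.strict and not (is_reply and sender_ip in self.pending):
            return False  # strict mode: only replies to requests we sent ourselves are learned
        self.pending.discard(sender_ip)
        if cur is None:
            if self.limit is not None and sum(not e.static for e in self.entries.values()) >= self.limit:
                return False  # learning limit for this interface/VLAN reached
            self.entries[sender_ip] = Entry(sender_mac)
        else:
            cur.mac, cur.age, cur.probes = sender_mac, 0, 0
        return True
    def tick(self, seconds):
        """Advance the clock; returns the aging probes (ARP requests) sent during this tick.
        An aged entry is probed once per tick and deleted after PROBE_TIMES unanswered probes."""
        probes = []
        for ip, e in list(self.entries.items()):
            if e.static:
                continue
            e.age += seconds
            if e.age >= AGING_TIME:
                if e.probes >= PROBE_TIMES:
                    del self.entries[ip]
                else:
                    e.probes += 1
                    probes.append(self.send_request(ip))
        return probes
```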

View the ARP table

  • To view all ARP entries: display arp all
  • To view dynamic ARP entries: display arp dynamic
  • To view static ARP entries: display arp static
  • To view the ARP table entries of a certain network segment: display arp network xxxx
  • To view the ARP entries related to a certain interface: display arp interface xx
  • To view the ARP table entries of a VPN instance: display arp vpn-instance xx
  • To view the ARP table entry for a specific IP address: display arp all | include xxxx
