Hà Nội: NTT03, Line 1, Thống Nhất Complex, 82 Nguyễn Tuân, Thanh Xuân, Hà Nội. ● HCM: Số 31B, Đường 1, Phường An Phú, Quận 2 (Thủ Đức), TP HCM. ===> Đơn Vị Hàng Đầu Trong Lĩnh Vực Cung Cấp Thiết Bị Security - Network - Wifi - CCTV - Conference - Máy chủ Server - Lưu trữ Storge.
Danh mục sản phẩm

Configure the Basic Functions of AARF ARP-GUARD

Network Requirements

  • PC1, PC2, and PCs are connected to IP Network via Device.
  • PC1 sends the ARP packet to attack Device, Device enables AARF ARP-Guard, Device normally identifies the ARP overspeed, ARP attack, ARP MAC scan, ARP MAC-IP Scan, and the AARF ARP-Guard policy normally takes effect.

Network Topology

Networking for configuring the ARP guard function

Figure 18–1 Networking for configuring the ARP guard function

Configuration Steps

Step 1: Configure the VLAN and port link type on Device.

#Create VLAN2.

Device#configure terminal
Device(config)#vlan 2
Device(config-vlan2)#exit

#Configure the link type of port tengigabitethernet0/1, tengigabitethernet0/2, and tengigabitethernet0/3 as Access, permitting the services of VLAN2 to pass.

Device(config)#interface tengigabitethernet 0/1-0/3
Device(config-if-range)#switchport mode access
Device(config-if-range)#switchport access vlan 2

Step 2: Configure the gateways of PC1, PC2, and PC3 on Device.

#Configure VLAN interface 2 as the gateway of PC1, PC2, and PC3.

Device(config)#interface vlan 2
Device(config-if-vlan2)#ip address 192.168.1.254 24

Step 3: Enable AARF ARP-Guard on Device.

#Enable AARF ARP-Guard globally.

Device(config)#aarf
Device(config-aarf)#arp-guard enable

#Enable AARF ARP-Guard on port tengigabitethernet0/1, the related thresholds are the default values, and configure the policy as filter.

Device(config-if-tengigabitethernet0/1)# aarf arp-guard enable
Device(config-if-tengigabitethernet0/1)# aarf arp-guard policy filter

Step 4: Check the result.

#Query the AARF ARP-Guard configuration information.

Device#show aarf arp-guard configure interface tengigabitethernet 0/1 
(Format of column Rate-limit and Attack-threshold is per-src-ip/per-src-mac/per-interface.)
------------------------------------------------------------------------------------------- 
Interface/Global  Status    Rate-limit   Attack-threshold   Scan-threshold  Attack-policy
-------------------------------------------------------------------------------------------   
te0/1             Enabled   4/4/100      8/8/200            15              filter    

#When the rate of PC1 sending the ARP Request packet for requesting Device Gateway IP address is larger than or equal to the host-based speed limit threshold 4pps and less than the host-based attack threshold 8pps, form the related table entries and output the log information. Device recognizes that the host-based ARP packet is overspeed.

Device#show aarf arp-guard hosts
--------------------------------------------------------------------
Interface	Vlan  IP    	 	MAC   	 	     Action	     Policy          
--------------------------------------------------------------------
te0/1       2     192.168.1.1   -                overspeed   monitor
te0/1       2     -             0012.1011.0001   overspeed   monitor
Total: 2 record(s).

#The output log is:

Dec 20 2016 03:45:28: %AARF-INTERFACE-3:There are overspeed, attack or scan detected on interface te0/1.(TUE DEC 20 03:45:25 2016) 
Dec 20 2016 03:45:28: %AARF-DETECTED-3:Host overspeed was detected.(TUE DEC 20 03:45:25 2016) 
Dec 20 2016 03:45:28: %AARF-DETECTED-3:Host overspeed was detected.(TUE DEC 20 03:45:25 2016)

#When the rate of PC1 sending the ARP Request packet for requesting Device Gateway IP address is larger than the host-based attack threshold 8pps, Device filters the ARP packet, forms the related table entries, and outputs the log information. Device identifies the host-based ARP packet attack.

Device#show aarf arp-guard hosts 
---------------------------------------------------------------
Interface  Vlan   IP    	 	MAC   	 	    Action	 Policy
---------------------------------------------------------------          
te0/1      2      192.168.1.1   - 	 	 	 	attack   filter  
te0/1	   2      - 	 	    0012.1011.0001 	attack	 filter
Total: 2 record(s).

#The output log is:

Dec 20 2016 04:30:33: %AARF-INTERFACE-3:There are overspeed, attack or scan detected on interface te0/1.(TUE DEC 20 04:30:30 2016) 
Dec 20 2016 04:30:33: %AARF-FILTER-3:Host attack was filter.(TUE DEC 20 04:30:30 2016) 
Dec 20 2016 04:30:33: %AARF-FILTER-3:Host attack was filter.(TUE DEC 20 04:30:30 2016)

#When PC1 sends various non-attack ARP Request packets, and the sending rate is larger than or equal to the port-based speed limit threshold 100 and smaller than the port-based attack threshold 200, Device forms the related table entries and outputs the log information. Device identifies the port-based ARP overspeed.

Device#show aarf arp-guard ports  
---------------------------------------------
Interface   Hosts 	Scan  Action     Policy  
---------------------------------------------        
te0/1    	0    	0 	  overspeed	 monitor         

#The output log is:

Dec 22 2016 06:36:32: %AARF-INTERFACE-3:Interface te0/1 was overspeed.(THU DEC 22 06:36:29 2016)

#When PC1 sends various non-attack ARP Request packets, and the sending rate is larger than or equal to the port-based attack threshold 200, Device filters all ARP packets of the port, forms the related table entries and outputs the log information.

Device identifies the port-based ARP attack.

Device#show aarf arp-guard ports  
-------------------------------------------
Interface 	 Hosts 	 Scan  Action    Policy          	
-------------------------------------------									 
te0/1    	 0 	 	 0 	   attack    filter          	

#The output log is:

Dec 22 2016 06:46:58: %AARF-INTERFACE-3:Interface te0/1 was filter.(THU DEC 22 06:46:57 2016)

#When PC1 sends the ARP Request packet with the fixed MAC and increasing Sender IP, and the number of the ARP Request packets sent within 10s exceeds 15, form the related table entries, and output the log information. Device identifies the ARP MAC scanning.

Device#show aarf arp-guard scan
-----------------------------------------------------------
Interface   Vlan  IP           MAC               Time-stamp
-----------------------------------------------------------                
te0/1       2     N/A          0012.1011.0001    THU DEC 22 03:16:30 2016 Total: 1 record(s).

#The output log is:

Dec 22 2016 03:16:19: %AARF-INTERFACE-3:There are overspeed, attack or scan detected on interface te0/1.(THU DEC 22 03:16:16 2016) 
Dec 22 2016 03:16:19: %AARF-SCAN-4:Host scan was detected.(THU DEC 22 03:16:16 2016)

#When PC1 sends the ARP Request packet with the fixed MAC and Sender IP, and the increasing Target IP, and the number of the ARP Request packets sent within 10s exceeds 15, form the related table entries, and output the log information. Device identifies the ARP MAC-IP scanning.

Device#show aarf arp-guard scan  
------------------------------------------------------------
Interface	Vlan  IP    	 	 MAC   	 	 	 Time-stamp                
------------------------------------------------------------
te0/1	    2	  192.168.1.254  0012.1011.0001  THU DEC 22 03:38:52 2016 Total: 1 record(s).

#The output log is:

Dec 22 2016 03:37:33: %AARF-INTERFACE-3:There are overspeed, attack or scan detected on interface te0/1.(THU DEC 22 03:37:30 2016) 
Dec 22 2016 03:37:33:%AARF-SCAN-4:Host scan was detected.(THU DEC 22 03:37:30 2016)