Configuring arp attack protection, Overview, Periodic sending of gratuitous arp packets – H3C Technologies H3C MSR 50 User Manual

Page 381: Configuring arp automatic scanning and fixed arp

Configuring ARP attack protection

Overview

ARP is easy to implement, but it provides no security mechanism. Therefore, it is prone to network attacks.

ARP attacks and viruses threaten LAN security. The device can provide the following features to detect
and prevent such attacks.

Periodic sending of gratuitous ARP packets

Enabling a device to periodically send gratuitous ARP packets helps downstream devices update their corresponding ARP entries or MAC entries in time. This feature can be used to:

Prevent gateway spoofing.

Prevent ARP entries from being aged out.

Prevent the virtual IP address of a VRRP group from being used by a host.

Update MAC entries of devices in the VLANs having ambiguous VLAN termination configured.

Configuring ARP automatic scanning and fixed ARP

ARP automatic scanning is typically used together with the fixed ARP feature.

With ARP automatic scanning enabled on an interface, the device automatically scans neighbors on the interface, sends ARP requests to the neighbors, obtains their MAC addresses, and creates dynamic ARP entries.

Fixed ARP allows the device to change the existing dynamic ARP entries (including those generated
through ARP automatic scanning) into static ARP entries.

The ARP automatic scanning and fixed ARP features effectively prevent ARP entries from being modified by attackers. Use the two functions in a small-sized network with a stable environment, such as a cybercafé.
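The effect of fixed ARP described above, as an added example that is not from the H3C manual: a simplified ARP table (an assumption, not the device's implementation) receives a constructed conflicting ARP claim for a gateway address, first while the entry is dynamic and then after it has been fixed. `ArpTable`, `parse_arp`, `sample`, and all addresses are hypothetical.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def parse_arp(payload: bytes) -> dict:
    """Parse a 28-byte Ethernet/IPv4 ARP payload; gratuitous means sender IP == target IP."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "mac": sha.hex(":"), "ip": ".".join(map(str, spa)), "gratuitous": spa == tpa}

class ArpTable:
    """Simplified model (assumption): ip -> (mac, 'dynamic' | 'static')."""
    def __init__(self):
        self.entries = {}

    def fix(self):
        """Fixed ARP: turn every dynamic entry into a static one."""
        self.entries = {ip: (mac, "static") for ip, (mac, _) in self.entries.items()}

    def learn(self, pkt: dict) -> str:
        """Apply the sender binding of one parsed ARP packet and report the outcome."""
        old = self.entries.get(pkt["ip"])
        if old is not None and old[0] == pkt["mac"]:
            return "unchanged"
        if old is not None and old[1] == "static":
            return "rejected"  # a conflicting claim cannot modify a fixed entry
        self.entries[pkt["ip"]] = (pkt["mac"], "dynamic")
        return "learned" if old is None else "overwritten"

def sample(op, mac, ip, target_ip) -> bytes:  # constructed payload, not captured traffic
    addr = lambda s: bytes(int(x) for x in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(mac.replace(":", "")), addr(ip), bytes(6), addr(target_ip))

def demo() -> list:
    gateway = sample(2, "00:11:22:33:44:55", "192.0.2.1", "192.0.2.10")
    conflict = sample(1, "02:00:00:00:00:99", "192.0.2.1", "192.0.2.1")  # gratuitous, other MAC
    out = []
    for fixed in (False, True):
        table = ArpTable()
        table.learn(parse_arp(gateway))  # stands in for an entry found by automatic scanning
        if fixed:
            table.fix()
        out.append((table.learn(parse_arp(conflict)), table.entries["192.0.2.1"]))
    return out

if __name__ == "__main__":
    print(demo())
```

The "rejected" outcome is also a useful detection point: a conflicting claim against a fixed entry is worth logging with the claimed MAC address.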

Configuring periodic sending of gratuitous ARP packets

From the navigation tree, select Advanced > ARP Anti-Attack > Send Gratuitous ARP.
The Send Gratuitous ARP page appears, as shown in Figure 366.
