Introduction – H3C Technologies H3C S3100 Series Switches User Manual
Page 965
4
Follow these steps to configure 802.1x-based ARP/IP attack defense:
To do…
Use the command…
Remarks
Enter system view
system-view
—
Enable using IP-MAC bindings of
authenticated 802.1x clients for ARP
attack detection
ip source static import
dot1x
Required
Disabled by default.
Enter Ethernet port view
interface interface-type
interface-number
—
Enable IP filtering based on IP-MAC
bindings of authenticated 802.1x
clients
ip check dot1x enable
Required
Disabled by default.
z
The IP-MAC bindings of authenticated 802.1x clients are used together with DHCP snooping
entries and static bindings for ARP attack detection.
z
IP filtering based on IP-MAC bindings of authenticated 802.1x clients is mutually exclusive with IP
filtering based on DHCP snooping entries.
z
IP filtering based on IP-MAC bindings of authenticated 802.1x clients does not support link
aggregation.
z
To implement IP filtering based on IP-MAC bindings of authenticated 802.1x clients, the device
assigns an ACL to each of such bindings. If an ACL fails to be assigned to a binding, the
corresponding authenticated 802.1x client is forced to go offline.
z
IP filtering based on IP-MAC bindings of authenticated 802.1x clients requires 802.1x clients to
provide IP addresses; otherwise, the IP addresses of 802.1x clients cannot be obtained. To ensure
IP addresses of DHCP clients can be updated for corresponding IP-MAC entries, you are
recommended to enable 802.1x authentication handshake function; otherwise, you need to disable
802.1x authentication triggered by DHCP, ensuring normal receiving and forwarding of multicast
authentication packets.
Configuring ARP Source MAC Address Consistency Check
Introduction
An attacker may use the IP or MAC address of another host as the sender IP or MAC address of ARP
packets. These ARP packets can cause other network devices to update the corresponding ARP
entries incorrectly, thus interrupting network traffic.
To prevent such attacks, you can configure ARP source MAC address consistency check on S3100-EI
series Ethernet switches (operating as gateways). With this function, the device can verify whether an
ARP packet is valid by checking the sender MAC address of the ARP packet against the source MAC
address in the Ethernet header.
z
If they are consistent, the packet passes the check and the switch learns the ARP entry.