Home » 3Com Manuals » Hubs & Switches » 3Com 2928 » Manual Viewer

3Com 2928 User Guide - Page 349

ARP Attack Defense Configuration, ARP Detection, Introduction to ARP Detection

UPC - 662705557113

Add to My Manuals
Save this manual to your list of manuals

Page 349 highlights

2 ARP Attack Defense Configuration Although ARP is easy to implement, it provides no security mechanism and thus is prone to network attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide multiple features to detect and prevent such attacks. This chapter mainly introduces these features. ARP Detection Introduction to ARP Detection The ARP detection feature allows only the ARP packets of authorized clients to be forwarded, hence preventing man-in-the-middle attacks. Man-in-the-middle attack According to the ARP design, after receiving an ARP reply, a host adds the IP-to-MAC mapping of the sender to its ARP mapping table. This design reduces the ARP traffic on the network, but also makes ARP spoofing possible. As shown in Figure 2-1, Host A communicates with Host C through a switch. After intercepting the traffic between Host A and Host C, a hacker (Host B) forwards forged ARP replies to Host A and Host C respectively. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to the peer IP address in their ARP tables with the MAC address of Host B (MAC_B). After that, Host B establishes independent connections with Host A and Host C and relays messages between them, deceiving them into believing that they are talking directly to each other over a private connection, while the entire conversation is actually controlled by Host B. Host B may intercept and modify the communication data. Such an attack is called a man-in-the-middle attack. 2-1

Section	Page
00-Cover.pdf	1
Command conventions	5
GUI conventions	5
Symbols	5
01-Overview.pdf	7
1 Overview	8
2 Configuration Through the Web Interface	9
Web-Based Network Management Operating Environment	9
Logging In to the Web Interface	9
Default Login Information	9
Example	10
Logging Out of the Web Interface	11
Introduction to the Web Interface	11
Web User Level	12
Introduction to the Web-Based NM Functions	12
Introduction to the Controls on the Web Pages	19
Apply button	19
Cancel button	19
Search button	19
Refresh button	20
Clear button	20
Remove button	20
Select All button	20
Select None button	20
Restore button	20
Expand button	20
icon	20
icon	20
Help button	20
Sort display	21
Configuration Guidelines	21
3 Configuration Through the Command Line Interface	23
Getting Started with the Command Line Interface	23
Setting Up the Configuration Environment	23
Setting Terminal Parameters	24
Logging In to the CLI	28
CLI Commands	28
initialize	28
ipsetup	29
password	30
ping	30
quit	31
reboot	31
summary	32
upgrade	33
Configuration Example for Upgrading the Host Software Through the CLI	34
Network requirements	34
Configuration procedure	34
02-Configuration Wizard.pdf	36
1 Configuration Wizard	37
Overview	37
Basic Service Setup	37
Entering the Configuration Wizard Homepage	37
Configuring System Parameters	37
Configuring Management IP Address	39
Finishing Configuration Wizard	40
03-IRF Configuration.pdf	42
1 IRF	43
IRF Overview	43
Introduction to Stack	43
Establishing a Stack	43
Configuring an IRF Stack	44
Configuration Task List	44
Configuring Global Parameters of a Stack	45
Configuring Stack Ports	46
Displaying Topology Summary of a Stack	46
Displaying Device Summary of a Stack	47
Logging Into a Slave Device From the Master	47
IRF Stack Configuration Example	48
Network requirements	48
Configuration procedure	48
Configuration Guidelines	53
04-Summary.pdf	54
1 Summary	55
Overview	55
Displaying Device Summary	55
Displaying System Information	55
Basic system information	56
System resource state	56
Recent system operation logs	56
Displaying Device Information	56
05-Device Basic Information Configuration.pdf	58
1 Device Basic Information Configuration	59
Overview	59
Configuring Device Basic Information	59
Configuring System Name	59
Configuring Idle Timeout Period	59
06-System Time Configuration.pdf	61
1 System Time Configuration	62
Overview	62
Configuring System Time	62
System Time Configuration Example	63
Network requirements	63
Configuration procedure	64
Configuration Guidelines	64
07-Log Management Configuration.pdf	66
1 Log Management	67
Overview	67
Configuring Log Management	67
Configuration Task List	67
Setting Syslog Related Parameters	67
Displaying Syslog	68
Setting Loghost	70
08-Configuration Management Configuration.pdf	71
1 Configuration Management	72
Back Up Configuration	72
Restore Configuration	72
Save Configuration	73
Initialize	74
09-Device Maintenance.pdf	75
1 Device Maintenance	76
Software Upgrade	76
Device Reboot	77
Electronic Label	78
Diagnostic Information	78
10-File Management Configuration.pdf	80
1 File Management	81
Overview	81
File Management Configuration	81
Displaying File List	81
Downloading a File	81
Uploading a File	82
Removing a File	82
11-Port Management Configuration.pdf	83
1 Port Management Configuration	84
Overview	84
Configuring a Port	84
Setting Operation Parameters for a Port	84
Viewing the Operation Parameters of a Port	88
Port Management Configuration Example	89
Network requirements	89
Configuration procedure	90
12-Port Mirroring Configuration.pdf	93
1 Port Mirroring Configuration	94
Introduction to Port Mirroring	94
Implementing Port Mirroring	94
Local port mirroring	94
Configuring Port Mirroring	94
Configuration Task List	94
Configuring local port mirroring	94
Creating a Mirroring Group	95
Configuring Ports for a Mirroring Group	96
Configuration Examples	97
Local Port Mirroring Configuration Example	97
Network requirements	97
Configuration procedure	97
Configuration Guidelines	100
13-User Management Configuration.pdf	101
1 User Management	102
Overview	102
Users	102
Creating a User	102
Setting the Super Password	103
Switching the User Access Level to the Management Level	104
14-Loopback Test Configuration.pdf	106
1 Loopback Test Configuration	107
Overview	107
Loopback Operation	107
Configuration Guidelines	108
15-VCT.pdf	109
1 VCT	110
Overview	110
Testing Cable Status	110
16-Flow Interval Configuration.pdf	112
1 Flow Interval Configuration	113
Overview	113
Monitoring Port Traffic Statistics	113
Setting the Traffic Statistics Generating Interval	113
Viewing Port Traffic Statistics	113
17-Storm Constrain Configuration.pdf	115
1 Storm Constrain Configuration	116
Overview	116
Configuring Storm Constrain	116
Setting the Traffic Statistics Generating Interval	116
Configuring Storm Constrain	117
18-RMON Configuration.pdf	120
1 RMON	121
RMON Overview	121
Working Mechanism	121
RMON Groups	122
Statistics group	122
History group	122
Alarm group	122
Event group	122
Configuring RMON	123
Configuration Task List	123
Configuring the RMON statistics function	123
Configuring the RMON alarm function	124
Displaying RMON running status	124
Configuring a Statistics Entry	125
Configuring a History Entry	126
Configuring an Event Entry	127
Configuring an Alarm Entry	127
Displaying RMON Statistics Information	129
Displaying RMON History Sampling Information	131
Displaying RMON Event Logs	133
RMON Configuration Example	133
Network requirements	133
Configuration procedure	133
19-Energy Saving Configuration.pdf	138
1 Energy Saving Configuration	139
Overview	139
Configuring Energy Saving on a Port	139
20-SNMP Configuration.pdf	141
1 SNMP	142
SNMP Overview	142
SNMP Mechanism	142
SNMP Protocol Version	142
MIB Overview	143
MIB	143
Subtree OID	143
Subtree mask	144
SNMP Configuration	144
Configuration Task List	144
Configuring SNMPv1 or SNMPv2c	144
Configuring SNMPv3	145
Enabling SNMP	145
Configuring an SNMP View	146
Creating an SNMP view	147
Adding rules to an SNMP view	148
Configuring an SNMP Community	148
Configuring an SNMP Group	149
Configuring an SNMP User	151
Configuring SNMP Trap Function	152
SNMP Configuration Example	154
Network requirements	154
Configuration procedure	154
Configuration verification	158
21-Interface Statistics.pdf	159
1 Interface Statistics	160
Overview	160
Displaying Interface Statistics	160
22-VLAN Configuration.pdf	162
1 VLAN Configuration	163
Overview	163
Introduction to VLAN	163
How VLAN Works	163
VLAN Types	164
Introduction to Port-Based VLAN	165
Port link type	165
Default VLAN (PVID)	165
Configuring a VLAN	166
Configuration Task List	166
Creating VLANs	166
Selecting VLANs	167
Modifying a VLAN	168
Modifying Ports	170
VLAN Configuration Example	171
Network requirements	171
Configuration procedure	171
Configuration Guidelines	175
23-VLAN Interface Configuration.pdf	176
1 VLAN Interface Configuration	177
Overview	177
Configuring VLAN Interfaces	177
Configuration Task List	177
Creating a VLAN Interface	177
Modifying a VLAN Interface	179
24-Voice VLAN Configuration.pdf	181
1 Voice VLAN Configuration	182
Overview	182
Voice VLAN Assignment Modes	182
Security Mode and Normal Mode of Voice VLANs	184
Configuring the Voice VLAN	185
Configuration Task List	185
Configuring voice VLAN on a port in automatic voice VLAN assignment mode	185
Configuring voice VLAN on a port working in manual voice VLAN assignment mode	185
Configuring Voice VLAN Globally	186
Configuring Voice VLAN on a Port	187
Adding OUI Addresses to the OUI List	188
Voice VLAN Configuration Examples	189
Configuring Voice VLAN on a Port in Automatic Voice VLAN Assignment Mode	189
Network requirements	189
Configuration procedure	189
Verify the configuration	193
Configuring a Voice VLAN on a Port in Manual Voice VLAN Assignment Mode	194
Network requirements	194
Configuration procedure	194
Verify the configuration	199
Configuration Guidelines	199
25-MAC Address Configuration.pdf	201
1 MAC Address Configuration	202
Overview	202
Configuring MAC Addresses	203
Configuring a MAC Address Entry	203
Setting the Aging Time of MAC Address Entries	205
MAC Address Configuration Example	206
Network requirements	206
Configuration procedure	206
26-MSTP Configuration.pdf	207
1 MSTP Configuration	208
Overview	208
Introduction to STP	208
Protocol Packets of STP	208
Basic Concepts in STP	208
Root bridge	208
Root port	209
Designated bridge and designated port	209
Path cost	209
How STP Works	210
Calculation process of the STP algorithm	210
The BPDU forwarding mechanism in STP	215
STP timers	215
Introduction to RSTP	216
Introduction to MSTP	216
Why MSTP	216
Weaknesses of STP and RSTP	216
Features of MSTP	216
Basic Concepts in MSTP	217
MST region	217
VLAN-to-MSTI mapping table	218
IST	218
CST	218
CIST	218
MSTI	218
Regional root bridge	218
Common root bridge	219
Boundary port	219
Roles of ports	219
Port states	220
How MSTP Works	221
CIST calculation	221
MSTI calculation	221
Implementation of MSTP on Devices	221
Protocols and Standards	222
Configuring MSTP	222
Configuration Task List	222
Configuring an MST Region	222
Configuring MSTP Globally	223
Configuring MSTP on a Port	226
Displaying MSTP Information of a Port	228
MSTP Configuration Example	230
Network requirements	230
Configuration procedure	231
Guidelines	235
27-Link Aggregation and LACP Configuration.pdf	237
1 Link Aggregation and LACP Configuration	238
Overview	238
Basic Concepts of Link Aggregation	238
Aggregate interface	238
Aggregation group	238
States of the member ports in an aggregation group	238
LACP protocol	239
Operational key	239
Class-two configurations	239
Link Aggregation Modes	240
Static aggregation mode	240
Dynamic aggregation mode	240
Load Sharing Mode of an Aggregation Group	241
Configuring Link Aggregation and LACP	241
Configuration Task List	241
Configuring a static aggregation group	241
Configuring a dynamic aggregation group	242
Creating a Link Aggregation Group	242
Displaying Information of an Aggregate Interface	244
Setting LACP Priority	244
Displaying Information of LACP-Enabled Ports	245
Link Aggregation and LACP Configuration Example	247
Network requirements	247
Configuration procedure	248
Configuration Guidelines	249
28-LLDP Configuration.pdf	251
1 LLDP	252
Overview	252
Background	252
Basic Concepts	252
LLDPDUs	252
LLDPDUs	253
TLVs	254
LLDP-MED TLVs	255
Management address	256
Operating Modes of LLDP	256
How LLDP Works	256
Transmitting LLDPDUs	256
Receiving LLDPDUs	257
Compatibility of LLDP with CDP	257
Protocols and Standards	257
Configuring LLDP	257
LLDP Configuration Task List	257
Enabling LLDP on Ports	258
Configuring LLDP Settings on Ports	259
Configuring Global LLDP Setup	263
Displaying LLDP Information for a Port	265
Displaying Global LLDP Information	270
Displaying LLDP Information Received from LLDP Neighbors	271
LLDP Configuration Examples	271
LLDP Basic Settings Configuration Example	271
Network requirements	271
Configuration procedure	272
Configuration verification	275
CDP-Compatible LLDP Configuration Example	276
Network requirements	276
Configuration procedure	276
Configuration verification	281
LLDP Configuration Guidelines	281
29-IGMP Snooping Configuration.pdf	282
1 IGMP snooping	283
Overview	283
Principle of IGMP Snooping	283
IGMP Snooping Related Ports	283
Work Mechanism of IGMP Snooping	284
When receiving a general query	285
When receiving a membership report	285
When receiving a leave group message	285
Protocols and Standards	286
Configuring IGMP Snooping	286
Configuration Task List	286
Enabling IGMP snooping Globally	287
Configuring IGMP Snooping in a VLAN	288
Configuring IGMP Snooping Port Functions	289
Display IGMP Snooping Multicast Entry Information	290
IGMP Snooping Configuration Examples	291
Network requirements	291
Configuration procedure	292
Configuration verification	296
30-Routing Configuration.pdf	298
1 Routing Configuration	299
Overview	299
Routing Table	299
Static Route	299
Default Route	300
Configuring IPv4 Routing	300
Displaying the IPv4 Active Route Table	300
Creating an IPv4 Static Route	301
Static Route Configuration Examples	302
Network requirements	302
Configuration outlines	302
Configuration procedure	302
Verify the configuration	305
Precautions	306
31-DHCP Configuration.pdf	307
1 DHCP Overview	308
Introduction to DHCP	308
DHCP Address Allocation	308
Allocation Mechanisms	308
Dynamic IP Address Allocation Process	309
IP Address Lease Extension	310
DHCP Message Format	310
DHCP Options	311
DHCP Options Overview	311
Introduction to DHCP Options	311
Introduction to Option 82	311
Protocols and Standards	312
2 DHCP Relay Agent Configuration	313
Introduction to DHCP Relay Agent	313
Application Environment	313
Fundamentals	313
DHCP Relay Agent Configuration Task List	314
Enabling DHCP and Configuring Advanced Parameters for the DHCP Relay Agent	315
Creating a DHCP Server Group	316
Enabling the DHCP Relay Agent on an Interface	317
Configuring and Displaying Clients' IP-to-MAC Bindings	318
DHCP Relay Agent Configuration Example	318
Network requirements	318
Configuration procedure	319
3 DHCP Snooping Configuration	322
DHCP Snooping Overview	322
Functions of DHCP Snooping	322
Recording IP-to-MAC mappings of DHCP clients	322
Ensuring DHCP clients to obtain IP addresses from authorized DHCP servers	322
Application Environment of Trusted Ports	323
Configuring a trusted port connected to a DHCP server	323
Configuring trusted ports in a cascaded network	323
DHCP Snooping Support for Option 82	324
DHCP Snooping Configuration Task List	324
Enabling DHCP Snooping	325
Configuring DHCP Snooping Functions on an Interface	326
Displaying Clients' IP-to-MAC Bindings	326
DHCP Snooping Configuration Example	327
Network requirements	327
Configuration procedure	327
32-Service Management Configuration.pdf	331
1 Service Management	332
Overview	332
FTP service	332
Telnet service	332
SSH service	332
SFTP service	332
HTTP service	332
HTTPS service	332
Configuring Service Management	333
33-Diagnostic Tools.pdf	335
1 Diagnostic Tools	336
Overview	336
Ping	336
Trace Route	336
Diagnostic Tool Operations	337
Ping Operation	337
Trace Route Operation	338
34-ARP Configuration.pdf	339
1 ARP Management	340
ARP Overview	340
ARP Function	340
ARP Message Format	340
ARP Operation	341
ARP Table	341
Dynamic ARP entry	341
Static ARP entry	342
Managing ARP Entries	342
Displaying ARP Entries	342

Match case Limit results 1 per page

2-1

ARP Attack Defense Configuration

Although ARP is easy to implement, it provides no security mechanism and thus is prone to network

attacks. Currently, ARP attacks and viruses are threatening LAN security. The device can provide

multiple features to detect and prevent such attacks. This chapter mainly introduces these features.

ARP Detection

Introduction to ARP Detection

The ARP detection feature allows only the ARP packets of authorized clients to be forwarded, hence

preventing man-in-the-middle attacks.

Man-in-the-middle attack

According to the ARP design, after receiving an ARP reply, a host adds the IP-to-MAC mapping of the

sender to its ARP mapping table. This design reduces the ARP traffic on the network, but also makes

ARP spoofing possible.

As shown in

Figure 2-1

, Host A communicates with Host C through a switch. After intercepting the traffic

between Host A and Host C, a hacker (Host B) forwards forged ARP replies to Host A and Host C

respectively. Upon receiving the ARP replies, the two hosts update the MAC address corresponding to

the peer IP address in their ARP tables with the MAC address of Host B (MAC_B). After that, Host B

establishes independent connections with Host A and Host C and relays messages between them,

deceiving them into believing that they are talking directly to each other over a private connection, while

the entire conversation is actually controlled by Host B. Host B may intercept and modify the

communication data. Such an attack is called a man-in-the-middle attack.