10-Security Command Reference
14-ARP Attack Protection Commands
Contents
ARP attack protection configuration commands
ARP defense against IP packet attacks configuration commands
display arp source-suppression
Source MAC address based ARP attack detection configuration commands
arp anti-attack source-mac aging-time
arp anti-attack source-mac exclude-mac
arp anti-attack source-mac threshold
display arp anti-attack source-mac
ARP active acknowledgement configuration commands
arp anti-attack active-ack enable
Authorized ARP configuration commands
ARP defense against IP packet attacks configuration commands
arp resolving-route enable
Syntax
arp resolving-route enable
undo arp resolving-route enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the arp resolving-route enable command to enable ARP black hole routing.
Use the undo arp resolving-route enable command to disable the function.
By default, ARP black hole routing is enabled.
Examples
# Enable ARP black hole routing.
<Sysname> system-view
[Sysname] arp resolving-route enable
arp source-suppression enable
Syntax
arp source-suppression enable
undo arp source-suppression enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the arp source-suppression enable command to enable the ARP source suppression function.
Use the undo arp source-suppression enable command to disable the function.
By default, the ARP source suppression function is disabled.
Related commands: display arp source-suppression.
Examples
# Enable the ARP source suppression function.
<Sysname> system-view
[Sysname] arp source-suppression enable
arp source-suppression limit
Syntax
arp source-suppression limit limit-value
undo arp source-suppression limit
View
System view
Default level
2: System level
Parameters
limit-value: Specifies the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the router can receive in five seconds. It ranges from 2 to 1024.
Description
Use the arp source-suppression limit command to set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the router can receive in five seconds.
Use the undo arp source-suppression limit command to restore the default value, which is 10.
With this feature configured, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds the specified threshold, the router suppresses that host from triggering any ARP requests during the following five seconds.
Related commands: display arp source-suppression.
Examples
# Set the maximum number of packets with the same source address but unresolvable destination IP addresses that the router can receive in five seconds to 100.
<Sysname> system-view
[Sysname] arp source-suppression limit 100
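The suppression logic the description above specifies (count packets per source IP over a five-second window, then block that source from triggering ARP requests for the next five seconds once the limit is exceeded), as an added Python model that is not the router's code; the window lengths follow the page, and the traffic in simulate() is constructed:

```python
# Added model of ARP source suppression as described for
# "arp source-suppression limit"; not the router's implementation.
from collections import defaultdict

WINDOW = 5        # seconds: counting window stated on the page
SUPPRESS_FOR = 5  # seconds: suppression period after the limit is exceeded


class ArpSourceSuppression:
    def __init__(self, limit=10, enabled=True):
        self.limit = limit          # packets per source IP per window (2-1024, default 10)
        self.enabled = enabled
        self.windows = {}           # src_ip -> (window_start, count)
        self.suppressed_until = {}  # src_ip -> time until ARP requests are not triggered

    def handle(self, t, src_ip, dst_resolvable):
        """Classify a packet arriving at time t (seconds).

        'forward'    : destination already resolved, no ARP needed
        'resolve'    : router triggers an ARP request for the destination
        'suppressed' : ARP request is not triggered for this source
        """
        if dst_resolvable:
            return "forward"
        if not self.enabled:
            return "resolve"
        if self.suppressed_until.get(src_ip, 0) > t:
            return "suppressed"
        start, count = self.windows.get(src_ip, (t, 0))
        if t - start >= WINDOW:       # window expired, start a new one
            start, count = t, 0
        count += 1
        self.windows[src_ip] = (start, count)
        if count > self.limit:        # "exceeds the specified threshold"
            self.suppressed_until[src_ip] = t + SUPPRESS_FOR
            return "suppressed"
        return "resolve"


def simulate(limit=100):
    """Constructed traffic: 10.0.0.9 sweeps 150 unresolvable destinations in
    1.5 s; 10.0.0.5 sends three. Returns counts per (source, verdict)."""
    s = ArpSourceSuppression(limit=limit)
    results = defaultdict(int)
    for i in range(150):
        results[("10.0.0.9", s.handle(0.01 * i, "10.0.0.9", False))] += 1
    for i in range(3):
        results[("10.0.0.5", s.handle(0.5 * i, "10.0.0.5", False))] += 1
    return dict(results)
```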
display arp source-suppression
Syntax
display arp source-suppression [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
2: System level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display arp source-suppression command to display information about the current ARP source suppression configuration.
Examples
# Display information about the current ARP source suppression configuration.
<Sysname> display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 100
Current cache length: 16
Table 1 Output description

| Field | Description |
|---|---|
| ARP source suppression is enabled | The ARP source suppression function is enabled |
| Current suppression limit | Maximum number of packets with the same source IP address but unresolvable destination IP addresses that the router can receive in five seconds |
| Current cache length | Size of the cache used to record source suppression information |
Source MAC address based ARP attack detection configuration commands
arp anti-attack source-mac
Syntax
arp anti-attack source-mac { filter | monitor }
undo arp anti-attack source-mac [ filter | monitor ]
View
System view
Default level
2: System level
Parameters
filter: Specifies the filter mode.
monitor: Specifies the monitor mode.
Description
Use the arp anti-attack source-mac command to enable source MAC address based ARP attack detection and specify the detection mode.
Use the undo arp anti-attack source-mac command to restore the default.
By default, source MAC address based ARP attack detection is disabled.
After you enable this feature, the router checks the source MAC address of ARP packets received from the VLAN. If the number of ARP packets received from a source MAC address within five seconds exceeds the specified threshold:
· In filter detection mode, the router displays a log message and filters out the ARP packets from the MAC address.
· In monitor detection mode, the router only displays a log message.
Note that if no detection mode is specified in the undo arp anti-attack source-mac command, both detection modes are disabled.
Examples
# Enable filter-mode source MAC address based ARP attack detection.
<Sysname> system-view
[Sysname] arp anti-attack source-mac filter
arp anti-attack source-mac aging-time
Syntax
arp anti-attack source-mac aging-time time
undo arp anti-attack source-mac aging-time
View
System view
Default level
2: System level
Parameters
time: Aging timer for protected MAC addresses, in the range of 60 to 6000 seconds.
Description
Use the arp anti-attack source-mac aging-time command to configure the aging timer for protected MAC addresses.
Use the undo arp anti-attack source-mac aging-time command to restore the default.
By default, the aging timer for protected MAC addresses is 300 seconds (five minutes).
Examples
# Configure the aging timer for protected MAC addresses as 60 seconds.
<Sysname> system-view
[Sysname] arp anti-attack source-mac aging-time 60
arp anti-attack source-mac exclude-mac
Syntax
arp anti-attack source-mac exclude-mac mac-address&<1-n>
undo arp anti-attack source-mac exclude-mac [ mac-address&<1-n> ]
View
System view
Default level
2: System level
Parameters
mac-address&<1-n>: MAC address list. The mac-address argument indicates a protected MAC address in the format H-H-H. The maximum value of n is 10. For example, &<1-10> indicates you can configure up to ten protected MAC addresses in one command line.
Description
Use the arp anti-attack source-mac exclude-mac command to configure protected MAC addresses which will be excluded from ARP packet detection.
Use the undo arp anti-attack source-mac exclude-mac command to remove the configured protected MAC addresses.
By default, no protected MAC address is configured.
Note that if no MAC address is specified in the undo arp anti-attack source-mac exclude-mac command, all the configured protected MAC addresses are removed.
Examples
# Configure a protected MAC address.
<Sysname> system-view
[Sysname] arp anti-attack source-mac exclude-mac 2-2-2
arp anti-attack source-mac threshold
Syntax
arp anti-attack source-mac threshold threshold-value
undo arp anti-attack source-mac threshold
View
System view
Default level
2: System level
Parameters
threshold-value: Threshold for source MAC address based ARP attack detection, in the range of 10 to 100. The default value is 50.
Description
Use the arp anti-attack source-mac threshold command to configure the threshold for source MAC address based ARP attack detection. If the number of ARP packets sent from a MAC address within five seconds exceeds this threshold, the router considers this an attack.
Use the undo arp anti-attack source-mac threshold command to restore the default.
Examples
# Configure the threshold for source MAC address based ARP attack detection as 30.
<Sysname> system-view
[Sysname] arp anti-attack source-mac threshold 30
display arp anti-attack source-mac
Syntax
display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
interface interface-type interface-number: Displays attacking MAC addresses detected on the interface.
slot slot-number: Displays attacking MAC addresses detected on the interface card specified by the slot number.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display arp anti-attack source-mac command to display attacking MAC addresses detected by source MAC address based ARP attack detection.
Examples
# Display the attacking MAC addresses detected by source MAC address based ARP attack detection.
<Sysname> display arp anti-attack source-mac slot 2
Source-MAC VLAN ID Interface Aging-time
23f3-1122-3344 4094 GE3/1/1 10
23f3-1122-3355 4094 GE3/1/2 30
23f3-1122-33ff 4094 GE3/1/3 25
23f3-1122-33ad 4094 GE3/1/4 30
23f3-1122-33ce 4094 GE3/1/5 2
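A model of the detection the source MAC address based sections describe (per-MAC threshold over five seconds, filter versus monitor mode, exclude-mac, aging-time), as an added Python example that is not the router's code; display() returns rows shaped like the output above, and the MACs, VLANs and interfaces used in the test traffic are constructed:

```python
# Added model of source MAC address based ARP attack detection (threshold,
# filter/monitor mode, exclude-mac, aging-time); not the router's implementation.
WINDOW = 5  # seconds over which ARP packets per source MAC are counted


class SourceMacArpDetector:
    def __init__(self, mode="filter", threshold=50, aging_time=300, exclude=()):
        self.mode = mode              # "filter" drops, "monitor" only logs
        self.threshold = threshold    # packets per 5 s (page range 10-100, default 50)
        self.aging_time = aging_time  # seconds an attacking MAC stays recorded
        self.exclude = set(exclude)   # protected MACs, never detected
        self.counters = {}            # mac -> (window_start, count)
        self.attackers = {}           # mac -> (vlan, interface, expire_time)
        self.logs = []                # log messages the router would display

    def handle(self, t, mac, vlan, iface):
        """Return 'forward' or 'drop' for an ARP packet from mac at time t."""
        self._age(t)
        if mac in self.exclude:
            return "forward"
        if mac not in self.attackers:
            start, count = self.counters.get(mac, (t, 0))
            if t - start >= WINDOW:
                start, count = t, 0
            count += 1
            self.counters[mac] = (start, count)
            if count <= self.threshold:
                return "forward"
            # threshold exceeded within the window: record and log the MAC once
            self.attackers[mac] = (vlan, iface, t + self.aging_time)
            self.logs.append(f"t={t:.2f} ARP attack from {mac} on {iface} "
                             f"VLAN {vlan} ({self.mode} mode)")
        return "drop" if self.mode == "filter" else "forward"

    def _age(self, t):
        # Entries expire after aging_time, matching the aging-time command
        for mac, (_, _, exp) in list(self.attackers.items()):
            if exp <= t:
                del self.attackers[mac]

    def display(self, t):
        """Rows shaped like 'display arp anti-attack source-mac' output:
        (Source-MAC, VLAN ID, Interface, remaining Aging-time)."""
        self._age(t)
        return [(mac, vlan, iface, int(exp - t))
                for mac, (vlan, iface, exp) in self.attackers.items()]
```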
ARP active acknowledgement configuration commands
arp anti-attack active-ack enable
Syntax
arp anti-attack active-ack enable
undo arp anti-attack active-ack enable
View
System view
Default level
2: System level
Parameters
None
Description
Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement function.
Use the undo arp anti-attack active-ack enable command to restore the default.
By default, the ARP active acknowledgement function is disabled.
Typically, this feature is configured on gateway routers to identify invalid ARP packets.
Examples
# Enable the ARP active acknowledgement function.
<Sysname> system-view
[Sysname] arp anti-attack active-ack enable
Authorized ARP configuration commands
arp authorized enable
Syntax
arp authorized enable
undo arp authorized enable
View
Layer 3 Ethernet interface view
Default level
2: System level
Parameters
None
Description
Use the arp authorized enable command to enable authorized ARP on an interface.
Use the undo arp authorized enable command to restore the default.
By default, authorized ARP is not enabled on the interface.
Examples
# Enable authorized ARP on GigabitEthernet 3/1/1.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/1/1
[Sysname-GigabitEthernet3/1/1] arp authorized enable
arp authorized time-out
Syntax
arp authorized time-out seconds
undo arp authorized time-out
View
Layer 3 Ethernet interface view
Default level
2: System level
Parameters
seconds: Age timer for authorized ARP entries in seconds, in the range of 30 to 86400.
Description
Use the arp authorized time-out command to configure the age timer for authorized ARP entries.
Use the undo arp authorized time-out command to restore the default.
By default, the age timer for authorized ARP entries is 1200 seconds.
Examples
# Configure the age timer for authorized ARP entries on GigabitEthernet 3/1/1 as 600 seconds.
<Sysname> system-view
[Sysname] interface GigabitEthernet 3/1/1
[Sysname-GigabitEthernet3/1/1] arp authorized time-out 600