- Table of Contents
-
- 11-Security Command Reference
- 00-Preface
- 01-AAA commands
- 02-Portal commands
- 03-User profile commands
- 04-Password control commands
- 05-Keychain commands
- 06-Public key management commands
- 07-PKI commands
- 08-IPsec commands
- 09-Group domain VPN commands
- 10-SSH commands
- 11-SSL commands
- 12-SSL VPN commands
- 13-ASPF commands
- 14-APR commands
- 15-Session management commands
- 16-Connection limit commands
- 17-Object group commands
- 18-Object policy commands
- 19-Attack detection and prevention commands
- 20-ARP attack protection commands
- 21-ND attack defense commands
- 22-uRPF commands
- 23-Crypto engine commands
- 24-FIPS commands
- 25-SMA commands
- Related Documents
-
Title | Size | Download |
---|---|---|
20-ARP attack protection commands | 81.31 KB |
Contents
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route probe-count
arp resolving-route probe-interval
display arp source-suppression
ARP packet rate limit commands
Source MAC-based ARP attack detection commands
ARP packet source MAC consistency check commands
ARP active acknowledgement commands
ARP scanning and fixed ARP commands
ARP attack protection commands
Unresolvable IP attack protection commands
arp resolving-route enable
Use arp resolving-route enable to enable ARP blackhole routing.
Use undo arp resolving-route enable to disable ARP blackhole routing.
Syntax
arp resolving-route enable
undo arp resolving-route enable
Default
ARP blackhole routing is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Configure this command on the gateways.
Examples
# Enable ARP blackhole routing.
<Sysname> system-view
[Sysname] arp resolving-route enable
Related commands
arp resolving-route probe-count
arp resolving-route probe-interval
arp resolving-route probe-count
Use arp resolving-route probe-count to set the number of ARP blackhole route probes for each unresolved IP address.
Use undo arp resolving-route probe-count to restore the default.
Syntax
arp resolving-route probe-count count
undo arp resolving-route probe-count
Default
The device performs three ARP blackhole route probes for each unresolved IP address.
Views
System view
Predefined user roles
network-admin
Parameters
count: Sets the number of probes, in the range of 1 to 25.
Examples
# Configure the device to perform five ARP blackhole route probes for each unresolved IP address.
<Sysname> system-view
[Sysname] arp resolving-route probe-count 3
Related commands
arp resolving-route enable
arp resolving-route probe-interval
arp resolving-route probe-interval
Use arp resolving-route probe-interval to set the interval at which the device probes ARP blackhole routes.
Use undo arp resolving-route probe-interval to restore the default.
Syntax
arp resolving-route probe-interval interval
undo arp resolving-route probe-interval
Default
The device probes ARP blackhole routes every 1 second.
Views
System view
Predefined user roles
network-admin
Parameters
interval: Specifies the probe interval in the range of 1 to 5 seconds.
Examples
# Configure the device to probe ARP blackhole routes every 3 seconds.
<Sysname> system-view
[Sysname] arp resolving-route probe-interval 3
Related commands
arp resolving-route enable
arp resolving-route probe-count
arp source-suppression enable
Use arp source-suppression enable to enable the ARP source suppression feature.
Use undo arp source-suppression enable to disable the ARP source suppression feature.
Syntax
arp source-suppression enable
undo arp source-suppression enable
Default
The ARP source suppression feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Configure this feature on the gateways.
Examples
# Enable the ARP source suppression feature.
<Sysname> system-view
[Sysname] arp source-suppression enable
Related commands
display arp source-suppression
arp source-suppression limit
Use arp source-suppression limit to set the maximum number of unresolvable packets that can be processed per source IP address within 5 seconds.
Use undo arp source-suppression limit to restore the default.
Syntax
arp source-suppression limit limit-value
undo arp source-suppression limit
Default
The device can process a maximum of 10 unresolvable packets per source IP address within 5 seconds.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
limit-value: Specifies the limit in the range of 2 to 1024.
Usage guidelines
If unresolvable packets received from an IP address within 5 seconds exceed the limit, the device stops processing the packets from that IP address until the 5 seconds elapse.
Examples
# Configure the device to process a maximum of 100 unresolvable packets per source IP address within 5 seconds.
<Sysname> system-view
[Sysname] arp source-suppression limit 100
Related commands
display arp source-suppression
display arp source-suppression
Use display arp source-suppression to display information about the current ARP source suppression configuration.
Syntax
display arp source-suppression
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display information about the current ARP source suppression configuration.
<Sysname> display arp source-suppression
ARP source suppression is enabled
Current suppression limit: 100
Table 1 Command output
Field |
Description |
Current suppression limit |
Maximum number of unresolvable packets that can be processed per source IP address within 5 seconds. |
ARP packet rate limit commands
arp rate-limit
Use arp rate-limit to enable the ARP packet rate limit feature on an interface.
Use undo arp rate-limit to disable the ARP packet rate limit feature on an interface.
Syntax
arp rate-limit [ pps ]
undo arp rate-limit
Default
The ARP packet rate limit feature is enabled on an interface. The rate limit is 2000 pps.
Views
Layer 2 Ethernet interface view
Layer 2 aggregate interface view
Predefined user roles
network-admin
mdc-admin
Parameters
pps: Specifies the upper limit for ARP packet rate in pps. The value range for this argument is 5 to 8192.
Usage guidelines
If you do not specify a value for the pps argument in the arp rate-limit command, the default rate limit value applies. Packets that exceed the rate limit are discarded.
Examples
# Set the maximum ARP packet rate to 50 pps on GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] arp rate-limit 50
arp rate-limit log enable
Use arp rate-limit log enable to enable logging for ARP packet rate limit.
Use undo arp rate-limit log enable to disable logging for ARP packet rate limit.
Syntax
arp rate-limit log enable
undo arp rate-limit log enable
Default
Logging for ARP packet rate limit is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
When logging for ARP packet rate limit is enabled, the device sends the highest threshold-crossed ARP packet rate within the sending interval in a log message to the information center. You can configure the information center module to set the log output rules. For more information about information center, see Network Management and Monitoring Configuration Guide.
Examples
# Enable logging for ARP packet rate limit.
<Sysname> system-view
[Sysname] arp rate-limit log enable
arp rate-limit log interval
Use arp rate-limit log interval to set the notification and log message sending interval for ARP packet rate limit.
Use undo arp rate-limit log interval to restore the default.
Syntax
arp rate-limit log interval interval
undo arp rate-limit log interval
Default
The device sends notifications or log messages every 60 seconds when the rate of ARP packets received on an interface exceeds the limit.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval: Specifies an interval in the range of 1 to 86400 seconds.
Usage guidelines
The interval applies to both notification sending and log message sending.
To change the default interval and activate it, you must enable ARP packet rate limit and enable sending notifications or log messages for ARP packet rate limit.
Examples
# Set the device to send notifications and log messages every 120 seconds when the rate of ARP packets received on an interface exceeds the limit.
<Sysname> system-view
[Sysname] arp rate-limit log interval 120
Related commands
arp rate-limit
arp rate-limit log enable
snmp-agent trap enable arp
snmp-agent trap enable arp
Use snmp-agent trap enable arp to enable SNMP notifications for ARP.
Use undo snmp-agent trap enable arp to disable SNMP notifications for ARP.
Syntax
snmp-agent trap enable arp [ rate-limit ]
undo snmp-agent trap enable arp [ rate-limit ]
Default
SNMP notifications for ARP is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
rate-limit: Specifies the ARP packet rate limit feature.
Usage guidelines
After you enable SNMP notifications for ARP, the device generates a notification that includes the highest threshold-crossed ARP packet rate within the sending interval.
For ARP event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see the network management and monitoring configuration guide for the device.
Examples
# Enable SNMP notifications for ARP packet rate limit.
<Sysname> system-view
[Sysname] snmp-agent trap enable arp rate-limit
Source MAC-based ARP attack detection commands
arp source-mac
Use arp source-mac to enable the source MAC-based ARP attack detection feature and specify a handling method.
Use undo arp source-mac to disable the source MAC-based ARP attack detection feature.
Syntax
arp source-mac { filter | monitor }
undo arp source-mac [ filter | monitor ]
Default
The source MAC-based ARP attack detection feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
filter: Generates log messages and discards subsequent ARP packets from the MAC address.
monitor: Only generates log messages.
Usage guidelines
Configure this feature on the gateways.
This feature checks the number of ARP packets delivered to the CPU. If the number of ARP packets from the same MAC address within 5 seconds exceeds a threshold, the device takes the preconfigured method to handle the attack.
If you do not specify both the filter and monitor keywords in the undo arp source-mac command, the command disables this feature.
Examples
# Enable the source MAC-based ARP attack detection feature and specify the filter handling method.
<Sysname> system-view
[Sysname] arp source-mac filter
arp source-mac aging-time
Use arp source-mac aging-time to set the aging time for ARP attack entries.
Use undo arp source-mac aging-time to restore the default.
Syntax
arp source-mac aging-time time
undo arp source-mac aging-time
Default
The aging time for ARP attack entries is 300 seconds.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time: Sets the aging time for ARP attack entries, in the range of 60 to 6000 seconds.
Examples
# Set the aging time for ARP attack entries to 60 seconds.
<Sysname> system-view
[Sysname] arp source-mac aging-time 60
arp source-mac exclude-mac
Use arp source-mac exclude-mac to exclude specific MAC addresses from source MAC-based ARP attack detection.
Use undo arp source-mac exclude-mac to remove the excluded MAC addresses from source MAC-based ARP attack detection.
Syntax
arp source-mac exclude-mac mac-address&<1-10>
undo arp source-mac exclude-mac [ mac-address&<1-10> ]
Default
No MAC addresses are excluded from source MAC-based ARP attack detection.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
mac-address&<1-10>: Specifies a MAC address list. The mac-address argument indicates an excluded MAC address in the format of H-H-H. &<1-10> indicates that you can configure a maximum of 10 excluded MAC addresses.
Usage guidelines
If you do not specify a MAC address, the undo arp source-mac exclude-mac command removes all excluded MAC addresses.
Examples
# Exclude a MAC address from source MAC-based ARP attack detection.
<Sysname> system-view
[Sysname] arp source-mac exclude-mac 2-2-2
arp source-mac threshold
Use arp source-mac threshold to set the threshold for source MAC-based ARP attack detection. If the number of ARP packets sent from a MAC address within 5 seconds exceeds this threshold, the device recognizes this as an attack.
Use undo arp source-mac threshold to restore the default.
Syntax
arp source-mac threshold threshold-value
undo arp source-mac threshold
Default
The threshold for source MAC-based ARP attack detection is 30.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
threshold-value: Specifies the threshold for source MAC-based ARP attack detection. The value range for this argument is 1 to 5000.
Examples
# Set the threshold for source MAC-based ARP attack detection to 30.
<Sysname> system-view
[Sysname] arp source-mac threshold 30
display arp source-mac
Use display arp source-mac to display ARP attack entries detected by source MAC-based ARP attack detection.
Syntax
In standalone mode:
display arp source-mac { slot slot-number | interface interface-type interface-number }
In IRF mode:
display arp source-mac { chassis chassis-number slot slot-number | interface interface-type interface-number }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
interface interface-type interface-number: Specifies an interface by its type and number.
slot slot-number: Specifies the slot number of the device, which is fixed at 0. Alternatively, you can execute the command without specifying this option. The command execution results are the same. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the device, which is fixed at 0. If you do not specify an IRF member device, this command displays ARP attack entries for the master device. (In IRF mode.)
Examples
# Display the ARP attack entries detected by source MAC-based ARP attack detection.
<Sysname> display arp source-mac slot 0
Source-MAC VLAN ID Interface Aging-time
23f3-1122-3344 4094 GE1/1/1 10
23f3-1122-3355 4094 GE1/1/2 30
23f3-1122-33ff 4094 GE1/1/3 25
23f3-1122-33ad 4094 GE1/1/4 30
23f3-1122-33ce 4094 GE1/1/5 2
ARP packet source MAC consistency check commands
arp valid-check enable
Use arp valid-check enable to enable ARP packet source MAC address consistency check.
Use undo arp valid-check enable to disable ARP packet source MAC address consistency check.
Syntax
arp valid-check enable
undo arp valid-check enable
Default
ARP packet source MAC address consistency check is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
Configure this feature on gateways. The gateways can filter out ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body.
Examples
# Enable ARP packet source MAC address consistency check.
<Sysname> system-view
[Sysname] arp valid-check enable
ARP active acknowledgement commands
arp active-ack enable
Use arp active-ack enable to enable the ARP active acknowledgement feature.
Use undo arp active-ack enable to disable the ARP active acknowledgement feature.
Syntax
arp active-ack [ strict ] enable
undo arp active-ack [ strict ] enable
Default
The ARP active acknowledgement feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
strict: Enables strict mode for ARP active acknowledgement.
Usage guidelines
Configure this feature on gateways to prevent user spoofing.
In strict mode, a gateway learns an entry only when ARP active acknowledgement is successful based on the correct ARP resolution.
Examples
# Enable the ARP active acknowledgement feature.
<Sysname> system-view
[Sysname] arp active-ack enable
Authorized ARP commands
arp authorized enable
Use arp authorized enable to enable authorized ARP on an interface.
Use undo arp authorized enable to disable authorized ARP on an interface.
Syntax
arp authorized enable
undo arp authorized enable
Default
Authorized ARP is disabled on the interface.
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Examples
# Enable authorized ARP on GigabitEthernet 1/1/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] arp authorized enable
ARP scanning and fixed ARP commands
arp fixup
Use arp fixup to convert existing dynamic ARP entries to static ARP entries.
Syntax
arp fixup
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The ARP conversion is a one-time operation. You can use this command again to convert the dynamic ARP entries learned later to static.
The static ARP entries converted from dynamic ARP entries have the same attributes as the manually configured static ARP entries. Due to the device's limit on the total number of static ARP entries, some dynamic ARP entries might fail the conversion.
The static ARP entries after conversion can include the following entries:
· Existing dynamic and static ARP entries before conversion.
· New dynamic ARP entries learned during the conversion.
Dynamic ARP entries that are aged out during the conversion are not converted to static ARP entries.
To delete a static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.
Examples
# Enable fixed ARP.
<Sysname> system-view
[Sysname] arp fixup
arp scan
Use arp scan to trigger an ARP scanning in an address range.
Syntax
arp scan [ start-ip-address to end-ip-address ]
Views
Layer 3 Ethernet interface/subinterface view
Layer 3 aggregate interface/subinterface view
VLAN interface view
Predefined user roles
network-admin
mdc-admin
Parameters
start-ip-address: Specifies the start IP address of the scanning range.
end-ip-address: Specifies the end IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.
Usage guidelines
ARP scanning automatically creates ARP entries for devices in the specified address range. IP addresses already in existing ARP entries are not scanned.
If the interface's primary and secondary IP addresses are in the address range, the sender IP address in the ARP request is the address on the smallest network segment.
If no address range is specified, the device learns ARP entries for devices on the subnet where the primary IP address of the interface resides. The sender IP address in the ARP requests is the primary IP address of the interface.
The start and end IP addresses must be on the same subnet as the primary IP address or secondary IP addresses of the interface.
ARP scanning will take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.
Examples
# Configure the device to scan neighbors on the network where the primary IP address of GigabitEthernet 1/1/1 resides.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] arp scan
# Configure the device to scan neighbors in an address range.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/1/1
[Sysname-GigabitEthernet1/1/1] arp scan 1.1.1.1 to 1.1.1.20