H3C S9500 Command Manual-Release1648[v1.24]-02 IP Services Volume

01-ARP Commands

Table of Contents

Chapter 1 ARP Configuration Commands
1.1 ARP Configuration Commands
1.1.1 arp check
1.1.2 arp non-flooding
1.1.3 arp proxy enable
1.1.4 arp local-proxy enable
1.1.5 arp static
1.1.6 arp static multi-port
1.1.7 arp timer aging
1.1.8 debugging arp
1.1.9 debugging arp packet
1.1.10 display arp
1.1.11 display arp multi-port
1.1.12 display arp proxy
1.1.13 display arp timer aging
1.1.14 display debugging arp
1.1.15 gratuitous-arp-learning enable
1.1.16 reset arp

Chapter 2 ARP Table Size Configuration Commands
2.1 ARP Table Size Configuration Commands
2.1.1 arp max-entry
2.1.2 arp max-aggregation-entry
2.1.3 arp enable size
2.1.4 display arp max-entry

Chapter 3 ARP Attack Prevention Configuration Commands
3.1 ARP Spoofing Attack Prevention Configuration Commands
3.1.1 arp entry-check
3.1.2 debugging arp entry-check
3.1.3 display arp entry-check
3.2 ARP Duplicate Gateway Attack Prevention Configuration Commands
3.2.1 anti-attack gateway-duplicate
3.2.2 display anti-attack gateway-duplicate
3.3 ARP Packet Attack Prevention Configuration Commands
3.3.1 anti-attack arp
3.3.2 anti-attack arp aging-time
3.3.3 anti-attack arp exclude-mac
3.3.4 anti-attack arp threshold
3.3.5 display anti-attack arp

Chapter 4 IP Packet Attack Prevention Configuration Commands
4.1 IP Packet Attack Prevention Configuration Commands
4.1.1 anti-attack ip
4.1.2 anti-attack ttl1
 


Chapter 1  ARP Configuration Commands

1.1  ARP Configuration Commands

1.1.1  arp check

Syntax

arp check enable

undo arp check enable

View

System view

Parameters

None

Description

Use the arp check enable command to enable ARP entry checking, which prevents the switch from creating ARP entries whose MAC address is a multicast MAC address.

Use the undo arp check enable command to disable ARP entry checking. The switch can then create ARP entries with multicast MAC addresses.

By default, ARP entry checking is enabled. Leave it enabled unless you deliberately use multicast ARP entries (see arp static multi-port): an ARP entry with a multicast MAC address causes IP traffic for that address to be delivered out a group of ports rather than to a single host.

Examples

# Enable the switch to create multicast MAC address ARP entries.

<H3C> system-view

[H3C] undo arp check enable

1.1.2  arp non-flooding

Syntax

arp non-flooding enable

undo arp non-flooding enable

View

Ethernet port view

Parameters

None

Description

Use the arp non-flooding enable command to configure the port not to broadcast received ARP packets in the VLAN to which it belongs.

Use the undo arp non-flooding enable command to disable this feature.

By default, the feature is disabled.

Examples

# Configure Ethernet 2/1/1 not to broadcast received ARP packets in the VLAN to which it belongs.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface ethernet2/1/1

[H3C-Ethernet2/1/1] arp non-flooding enable

# Disable the feature.

[H3C-Ethernet2/1/1] undo arp non-flooding enable

1.1.3  arp proxy enable

Syntax

arp proxy enable

undo arp proxy enable

View

VLAN view or VLAN interface view

Parameters

None

Description

Use the arp proxy enable command to enable proxy ARP.

Use the undo arp proxy enable command to disable proxy ARP.

I. In VLAN view:

By default, the proxy ARP function is disabled.

You can configure the command for sub-VLANs only. After you enable proxy ARP for a sub-VLAN, the sub-VLAN directly forwards received ARP requests to other proxy enabled sub-VLANs in the same super VLAN.

II. In VLAN interface view:

By default, proxy ARP is disabled.

After receiving an ARP request, the device directly sends back an ARP response if the following three requirements are satisfied:

l           The source IP address of the ARP request and that of the receiving interface are on the same network segment.

l           The target IP address of the ARP request is on another network segment.

l           The route corresponding to the target IP address of the ARP request exists, and the outgoing interface of the route is not the receiving interface of the ARP request.

Related commands: display arp proxy.

Examples

# Enable proxy ARP for sub-VLAN 2 and sub-VLAN 3 in super-VLAN 1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] vlan 2

[H3C-vlan2] arp proxy enable

[H3C-vlan2] vlan 3

[H3C-vlan3] arp proxy enable

# Enable proxy ARP on VLAN-interface 1.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface vlan 1

[H3C-Vlan-interface1] arp proxy enable

1.1.4  arp local-proxy enable

Syntax

arp local-proxy enable

undo arp local-proxy enable

View

VLAN interface view

Parameters

None

Description

Use the arp local-proxy enable command to enable local proxy ARP.

Use the undo arp local-proxy enable command to disable local proxy ARP.

With local proxy ARP enabled, the device sends back an ARP response directly if both the sender IP address and the target IP address of a received ARP request are on the same network segment as the receiving interface, so that hosts on that segment which cannot reach each other directly at Layer 2 exchange traffic through the device.

Related commands: display arp proxy.
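The decision that the three proxy ARP conditions in 1.1.3 and the local proxy ARP condition above describe, written out as an added Python example (illustration code, not H3C's implementation). The interface names, addresses and routes below are constructed for the example.

```python
"""Proxy ARP reply decision, modelled on the conditions in 1.1.3 and 1.1.4."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    out_iface: str                     # name of the outgoing VLAN interface


@dataclass
class VlanInterface:
    name: str
    address: ipaddress.IPv4Interface   # interface IP with prefix, e.g. 10.1.1.1/24
    proxy_arp: bool = False            # arp proxy enable
    local_proxy_arp: bool = False      # arp local-proxy enable


def longest_match(routes, ip):
    """Return the most specific route covering ip, or None."""
    best = None
    for r in routes:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def should_reply(iface, routes, sender_ip, target_ip):
    """Decide whether the receiving interface answers an ARP request.

    Returns (reply, reason). A request for the interface's own address is
    ordinary ARP and is answered regardless of the proxy settings; every
    other case follows the proxy ARP and local proxy ARP conditions.
    """
    sender = ipaddress.IPv4Address(sender_ip)
    target = ipaddress.IPv4Address(target_ip)
    net = iface.address.network

    if target == iface.address.ip:
        return True, "own address (normal ARP)"
    # Condition 1 (both modes): the sender must sit on the receiving interface's segment.
    if sender not in net:
        return False, "sender not on this segment"
    if target in net:
        # Same segment: only local proxy ARP answers on behalf of another host.
        if iface.local_proxy_arp:
            return True, "local proxy ARP"
        return False, "target on same segment, local proxy ARP disabled"
    # Condition 2 holds (target on another segment); proxy ARP must be enabled.
    if not iface.proxy_arp:
        return False, "proxy ARP disabled"
    # Condition 3: a route exists and it does not point back out the receiving interface.
    route = longest_match(routes, target)
    if route is None:
        return False, "no route to target"
    if route.out_iface == iface.name:
        return False, "route exits via the receiving interface"
    return True, "proxy ARP, forwards via " + route.out_iface


# Constructed topology (an assumption for this example, not from the manual).
VLAN_IF1 = VlanInterface("Vlan-interface1", ipaddress.IPv4Interface("10.1.1.1/24"), proxy_arp=True)
VLAN_IF2_LOCAL = VlanInterface("Vlan-interface2", ipaddress.IPv4Interface("10.1.2.1/24"),
                               local_proxy_arp=True)
ROUTES = [
    Route(ipaddress.IPv4Network("10.1.2.0/24"), "Vlan-interface2"),
    Route(ipaddress.IPv4Network("10.1.3.0/24"), "Vlan-interface1"),  # points back at the receiver
]

if __name__ == "__main__":
    for sender, target in [("10.1.1.20", "10.1.2.5"), ("10.1.1.20", "10.1.3.5"),
                           ("10.1.1.20", "10.1.4.5"), ("10.9.9.9", "10.1.2.5"),
                           ("10.1.1.20", "10.1.1.30")]:
        print(sender, "->", target, should_reply(VLAN_IF1, ROUTES, sender, target))
```

The third condition is the one worth checking when proxy ARP is enabled on a segment: a request for an address whose route already exits through the receiving interface is not answered, so the device does not advertise itself for hosts that the requester can reach directly.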

Examples

# Enable local proxy ARP on VLAN-interface 2.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] interface vlan 2

[H3C-Vlan-interface2] arp local-proxy enable

1.1.5  arp static

Syntax

arp static ip-address [ mac-address [ vlan-id interface-type interface-number ] ] [ vpn-instance vpn-instance-name ]

undo arp ip-address

View

System view

Parameters

ip-address: IP address of the ARP entry.

mac-address: MAC address of the ARP entry, in the format H-H-H ( H indicates a hexadecimal number).

vlan-id: VLAN to which the static ARP entry belongs, in the range of 1 to 4094.

interface-type interface-number: Type and number of the port to which the static ARP entry belongs. For information about these two arguments, refer to the description on the interface command in Ethernet Port Command Manual.

vpn-instance vpn-instance-name: VPN instance name in MPLS VPN.

Description

Use the arp static command to configure a static ARP entry in the ARP table.

Use the undo arp command to delete a static ARP entry from the ARP table.

By default, the ARP table is empty and the switch can obtain ARP entries through dynamic ARP.

The arp static command can also be used to configure auto-fill ARP entries. If you enter only the IP address, the switch sets the MAC address of the entry to all zeros; such an entry is an auto-fill ARP entry. When the IP address of an auto-fill entry is resolved, the switch fills the learned MAC address into the entry automatically.

Note that:

l           When the switch works normally, its static ARP entries remain valid unless you perform operations that invalidate ARP entries, such as changing or removing VLAN interfaces, removing a VLAN, or removing a port from a VLAN. These operations will cause the corresponding ARP mapping entries to be automatically removed.

l           The vlan-id argument must be the ID of an existing VLAN, and the Ethernet port specified behind this argument must belong to the VLAN.

l           The vpn-instance-name argument must be the VPN-instance name of an existing MPLS VPN.

l           The port specified in an ARP entry can only be a manually aggregated port, instead of a statically or dynamically aggregated port.

l           If the mac-address of an ARP entry is a multicast MAC address, the system will take this ARP entry as a multicast ARP entry.

l           Automatic fill-in of MAC addresses is enabled only after IP address protection is enabled on the interface.

l           Once a MAC address is filled in, an auto-fill ARP entry becomes a common static ARP entry and cannot be filled in again.

Related commands: reset arp, display arp, debugging arp.

Examples

# Configure a static ARP entry with the IP address 202.38.10.2 and the MAC address 000f-e201-0000 on Ethernet 2/1/1 in VLAN 1.

[H3C] arp static 202.38.10.2 000f-e201-0000 1 ethernet2/1/1

1.1.6  arp static multi-port

Syntax

arp static ip-address mac-address vlan-id multi-port interface-type interface-number [ vpn-instance vpn-instance-name ]

undo arp ip-address multi-port interface-type interface-number [ vpn-instance vpn-instance-name ]

View

System view

Parameters

ip-address: IP address of the ARP entry.

mac-address: MAC address of the ARP entry, in the format of H-H-H. For a multi-outgoing-port ARP entry, this is a multicast MAC address.

vlan-id: ID of the VLAN of the static ARP entry, in the range of 1 to 4094.

interface-type interface-number: Type and number of a port. For information about these two arguments, refer to the interface command in Ethernet Port Command Manual.

vpn-instance-name: Instance name of the VPN which the IP address belongs to.

Description

Use the arp static multi-port command to add a port for a static multicast ARP entry. If the entry does not exist, the command generates the ARP entry.

Use the undo arp ip-address multi-port command to remove a port from the multicast ARP entry. When you remove the last port, the system removes the multicast ARP entry.

The multicast ARP feature allows you to associate a common unicast route to a Layer 2 multicast group by creating a static multicast ARP entry. In this way, a packet matching the entry can be forwarded out multiple ports. In brief, a multicast ARP entry is a static ARP entry with a multicast MAC address and corresponds to multiple ports.

You can use the multi-port keyword to add a port for a multicast ARP entry. Only one port can be added every time the command is executed. If the same port exists, the switch will not add the port.

Note that:

l           Up to 64 multicast ARP entries are supported, with each entry having up to 100 outgoing ports. A manual port aggregation group is considered a single port.

l           An outgoing port of a multicast ARP entry can be a manually aggregated port or a common port, but cannot be a statically or dynamically aggregated port.

l           As specified in the IEEE 802.3ad standard, if a port is disabled but the dynamic port aggregation function is enabled, the port is not an aggregated port, but a common one. Therefore, the port can be configured as a port for a multicast ARP entry. After the port is enabled, the port becomes a dynamically aggregated port and will be removed from the multicast ARP entry.

l           If a port with a number smaller than those in an aggregation group (for example, the port is on an interface card with a smaller slot number) is added into the group, the ports in this aggregation group will be removed from multicast ARP; while other ports will not be affected.

l           For an aggregation of ports on different interface cards, if removing an interface card with a smaller slot number can cause primary port switchover, doing so will remove the ports of this aggregation group from multicast ARP; while other ports will not be affected.

l           If an aggregation group is removed, ports in this group are removed from multicast ARP; while other ports are not affected.

l           No matter the state of the primary port in an aggregation is up or down, ports in the aggregation group will not be removed from multicast ARP.

You can add multiple ports one by one for a static multicast ARP entry. To view the configuration, use the display arp multi-port command.

Related commands: reset arp, display arp, debugging arp, arp static.

Examples

# In a multicast ARP entry, the IP address is 10.10.10.98, and the MAC address is 0150-0098-0098. Add the outgoing ports Ethernet 6/1/1, Ethernet 6/1/2 and Ethernet 11/1/3 to the ARP entry.

[H3C] arp static 10.10.10.98 0150-0098-0098 20 multi-port Ethernet 6/1/1

[H3C] arp static 10.10.10.98 0150-0098-0098 20 multi-port Ethernet 6/1/2

[H3C] arp static 10.10.10.98 0150-0098-0098 20 multi-port Ethernet 11/1/3

1.1.7  arp timer aging

Syntax

arp timer aging aging-time

undo arp timer aging

View

System view

Parameters

aging-time: Aging time for dynamic ARP entries, which is in the range of 1 to 1440 minutes. By default, the aging time is 20 minutes.

Description

Use the arp timer aging command to configure an age for dynamic ARP entries.

Use the undo arp timer aging command to restore the default.

Related commands: display arp timer aging.

Examples

# Configure the age for dynamic ARP entries as 10 minutes.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] arp timer aging 10

1.1.8  debugging arp

Syntax

debugging arp { entry-check | error | info | packet }

undo debugging arp { entry-check | error | info | packet }

View

User view

Parameters

entry-check: Enables ARP entry check (ARP spoofing attack prevention) debugging. This is the same switch as the debugging arp entry-check command in Chapter 3.

error: Enables ARP error debugging.

info: Enables ARP entry and information debugging.

packet: Enables ARP packet debugging.

Description

Use the debugging arp command to enable specified ARP debugging.

Use the undo debugging arp command to disable specified ARP debugging.

By default, no ARP debugging is enabled.

Related commands: arp static, display arp.

Examples

# Enable ARP packet debugging.

<H3C> debugging arp packet

*0.771346-ARP-8-S1-arp_send:Send an ARP Packet, operation : 1, sender_eth_addr : 000f-e200-3500,sender_ip_addr : 10.110.91.159, target_eth_addr : 0000-0000-0000, target_ip_addr : 10.110.91.193

*0.771584-ARP-8-S1-arp_rcv:Receive an ARP Packet, operation : 2, sender_eth_addr : 0050-ba22-6fd7, sender_ip_addr : 10.110.91.193, target_eth_addr : 000f-e200-3500, target_ip_addr : 10.110.91.159

Table 1-1 Description on the fields of the debugging arp command

Field              Description
operation          Type of ARP packet: 1 = ARP request, 2 = ARP reply
sender_eth_addr    MAC address of the sender
sender_ip_addr     IP address of the sender
target_eth_addr    Target MAC address; all zeros (0000-0000-0000) in an ARP request
target_ip_addr     Target IP address

 

1.1.9  debugging arp packet

Syntax

debugging arp packet [ sip sip-address | dip dip-address | smac smac-address | dmac dmac-address ] *

undo debugging arp packet

View

User view

Parameters

sip-address: Source IP address to be permitted, in dotted decimal format. If it is set to all zeros, all source IP addresses are permitted.

dip-address: Destination IP address to be permitted, in dotted decimal format. If it is set to all zeros, all destination IP addresses are permitted.

smac-address: Source MAC address to be permitted in hexadecimal format. If it is set to all zeros, all source MAC addresses are permitted.

dmac-address: Destination MAC address to be permitted in hexadecimal  format. If it is set to all zeros, all destination MAC addresses are permitted.

Description

Use the debugging arp packet command to enable debugging output only for ARP packets that match the specified address filters. Filtering by address keeps the output readable and limits the cost of debugging on a busy switch.

Use the undo debugging arp packet command to disable the debugging.

Examples

# Enable the debugging for ARP packets whose source IP address is 8.8.8.1, destination address is 8.8.8.26 and source MAC address is 000a-ebf2-51a8.

<H3C> debugging arp packet dip 8.8.8.26 sip 8.8.8.1 smac 000a-ebf2-51a8 dmac 0-0-0

# Disable the debugging.

<H3C> undo debugging arp packet

1.1.10  display arp

Syntax

display arp [ ip-address | [ dynamic | static | vlan vlan-id | interface interface-type interface-number ] [ | { begin | include | exclude } text ] ]

View

Any view

Parameters

dynamic: Displays the dynamic ARP entries in the ARP table.

static: Displays the static ARP entries in the ARP table.

ip-address: Displays the ARP entry for an IP address.

begin: Displays from the first ARP entry that contains the specified character string “text”.

include: Displays only the ARP entries that contain the specified character string.

exclude: Displays only the ARP entries that do not contain the specified character string.

text: Character string.

vlan: Displays the ARP entries of a VLAN.

vlan-id: VLAN ID.

interface: Displays the ARP entries related to a port.

interface-type: Port type.

interface-number: Port number.

Description

Use the display arp command to display specified ARP entries.

Related commands: arp static, reset arp, debugging arp.

Examples

# Display the ARP entries matching the specified regular expression.

<H3C> display arp | include 2.2.1

Type: S-Static   D-Dynamic

IP Address   MAC Address          VLAN ID   Port Name     Aging Type

2.2.2.231      0001-0001-0001    N/A        N/A           N/A   S

2.2.1.2        0002-0002-0002    N/A        N/A           N/A   S

--   2 entries found   ---

 

Note:

The text argument is a regular expression, so "." matches any character. The pattern "2.2.1" therefore also matches the substring "2.231" of "2.2.2.231", which is why that entry is listed as well. Keep this in mind when filtering on an address; a longer pattern such as the full address narrows the matches.
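An added Python example (not part of the manual) that parses a display arp listing in the format above and reproduces the begin, include and exclude filter semantics with Python's re module, so the wildcard behaviour of "." can be checked offline; it also lists any MAC address that appears with several IP addresses, which is what a poisoned table typically looks like. The listing it parses is constructed for the example, including the two dynamic entries.

```python
"""Parse display arp output and reproduce the begin/include/exclude filter semantics."""
import re
from dataclasses import dataclass


@dataclass
class ArpEntry:
    ip: str
    mac: str
    vlan: str
    port: str
    aging: str
    kind: str      # S = static, D = dynamic
    raw: str       # the original output line, which is what the filter matches against


ENTRY_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<vlan>\S+)\s+(?P<port>\S+)\s+(?P<aging>\S+)\s+(?P<kind>[SD])\s*$"
)


def parse_display_arp(text):
    """Return the ARP entries in a display arp listing; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(ArpEntry(raw=line.strip(), **m.groupdict()))
    return entries


def apply_filter(entries, mode, pattern):
    """Mimic '| { begin | include | exclude } text' over the entry lines.

    The switch treats text as a regular expression, so '.' is a wildcard;
    pass re.escape(text) or a backslash-escaped pattern to match literally.
    """
    rx = re.compile(pattern)
    if mode == "include":
        return [e for e in entries if rx.search(e.raw)]
    if mode == "exclude":
        return [e for e in entries if not rx.search(e.raw)]
    if mode == "begin":
        for i, e in enumerate(entries):
            if rx.search(e.raw):
                return entries[i:]
        return []
    raise ValueError("mode must be begin, include or exclude")


def macs_with_several_ips(entries):
    """Map each MAC that appears with more than one IP to those IPs.

    One MAC answering for several addresses (its own and the gateway's, for
    instance) is the footprint an ARP poisoning host leaves in the table.
    """
    seen = {}
    for e in entries:
        seen.setdefault(e.mac, []).append(e.ip)
    return {mac: ips for mac, ips in seen.items() if len(ips) > 1}


# Constructed listing in the format of the display arp example (not captured from a switch).
SAMPLE_OUTPUT = """\
Type: S-Static   D-Dynamic
IP Address   MAC Address          VLAN ID   Port Name     Aging Type
2.2.2.231      0001-0001-0001    N/A        N/A           N/A   S
2.2.1.2        0002-0002-0002    N/A        N/A           N/A   S
10.110.91.193  0050-ba22-6fd7    10         Ethernet2/1/3 18    D
10.110.91.1    0050-ba22-6fd7    10         Ethernet2/1/3 19    D
--   4 entries found   ---
"""

if __name__ == "__main__":
    entries = parse_display_arp(SAMPLE_OUTPUT)
    print([e.ip for e in apply_filter(entries, "include", "2.2.1")])      # 2.2.2.231 matches too
    print([e.ip for e in apply_filter(entries, "include", r"2\.2\.1")])   # literal match only
    print(macs_with_several_ips(entries))
```

The same parser works on output saved from display arp dynamic or display arp vlan, which is the quickest way to spot one station claiming the gateway address after an incident.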

 

Table 1-2 Description on the fields of the display arp command

Field          Description
IP Address     IP address of the ARP entry
MAC Address    MAC address of the ARP entry
VLAN ID        ID of the VLAN to which the ARP entry belongs
Port Name      Name of the port to which the ARP entry belongs
Aging          Remaining aging time of a dynamic ARP entry, in minutes (N/A for a static entry)
Type           Type of ARP entry: S = static, D = dynamic

 

1.1.11  display arp multi-port

Syntax

display arp multi-port [ ip-address ]

View

Any view

Parameters

ip-address: IP address of a multicast ARP entry.

Description

Use the display arp multi-port command to display configuration information about a multicast ARP entry. A multicast ARP entry corresponds to multiple outgoing ports; it is used to send one packet out multiple ports simultaneously.

Related commands: arp static.

Examples

# Display configuration information about the multicast ARP entry with the IP address 10.10.10.98.

<H3C> display arp multi-port 10.10.10.98

IP Address   :10.10.10.98

Mac Address :0150-0098-0098

VLAN  ID    :20

ARP Port-List :

Ethernet6/1/2      Ethernet6/1/3

Ethernet6/1/4     *Ethernet6/1/5

Ethernet6/1/6      Ethernet6/1/7

Ethernet6/1/8      Ethernet6/1/9

Ethernet6/1/1

VPN-Name   :Public-ARP

When a “*” precedes a port, the port is in the Up state; otherwise, the port is in the Down state.

1.1.12  display arp proxy

Syntax

display arp proxy [ vlan vlan-id ]

View

Any view

Parameters

vlan-id: VLAN ID.

Description

Use the display arp proxy command to display the state of proxy ARP (including that of local proxy ARP) of a specified VLAN, enabled or disabled.

Related commands: arp proxy enable, arp local-proxy enable.

Examples

# Display the proxy ARP state of VLAN 3.

<H3C> display arp proxy vlan 3

vlan 3

 Proxy ARP status: disabled

 Local proxy ARP status: disabled

1.1.13  display arp timer aging

Syntax

display arp timer aging

View

Any view

Parameters

None

Description

Use the display arp timer aging command to view the current setting of the dynamic ARP aging timer.

Related commands: arp timer aging.

Examples

# Display the current setting of the ARP aging timer.

<H3C> display arp timer aging

Current ARP aging time is 10 minute(s)

You can see that the ARP aging time is 10 minutes.

1.1.14  display debugging arp

Syntax

display debugging arp

View

Any view

Parameters

None

Description

Use the display debugging arp command to display whether ARP packet debugging is enabled and which source and destination address filters are in effect.

Examples

# Display the ARP packet debugging information.

<H3C> display debugging arp

ARP packet debugging switch is on, Source IP Address is 8.8.8.1, Destination IP Address is 8.8.8.26, Source MAC Address is 000a-ebf2-51a8

Table 1-3 Description on the fields of the display debugging arp command

Field                         Description
ARP packet debugging switch   Whether ARP packet debugging is on or off
Source IP Address             Source IP address filter in effect
Destination IP Address        Destination IP address filter in effect
Source MAC Address            Source MAC address filter in effect

 

1.1.15  gratuitous-arp-learning enable

Syntax

gratuitous-arp-learning enable

undo gratuitous-arp-learning enable

View

System view

Parameters

None

Description

Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function.

Use the undo gratuitous-arp-learning enable command to disable the gratuitous ARP packet learning function.

By default, the gratuitous ARP packet learning function is enabled.

By sending a gratuitous ARP packet, a network device can:

l           Check whether its IP address conflicts with that of any other device;

l           Trigger other network devices to update the hardware address they have cached for it.

Because a gratuitous ARP packet is unsolicited, learning from it also means that a forged gratuitous ARP packet can rewrite the switch's ARP entry for an address. The ARP spoofing and duplicate gateway attack prevention features in Chapter 3 address this case.

Examples

# Enable the gratuitous ARP packet learning function on the switch.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] gratuitous-arp-learning enable

1.1.16  reset arp

Syntax

reset arp [ dynamic | static | interface { interface-type interface-number } | all ]

View

User view

Parameters

dynamic: Clears the dynamic ARP mapping entries.

static: Clears the static ARP mapping entries

interface-type interface-number: Type and number of a port. For information about these two arguments, refer to the description of the interface command in the Ethernet Port Command Manual.

all: Clears all the ARP entries.

Description

Use the reset arp command to clear specified ARP entries.

Related commands: arp static, display arp.

Examples

# Reset the static ARP entries.

<H3C> reset arp static

 


Chapter 2  ARP Table Size Configuration Commands

2.1  ARP Table Size Configuration Commands

2.1.1  arp max-entry

Syntax

arp max-entry slot-num max-num

undo arp max-entry slot-num

View

System view

Parameters

slot-num: Number of the slot where the line processing unit (LPU) is located.

max-num: Maximum number of ARP entries that can be supported by the specified LPU. This argument counts in K (1K = 1024) and ranges from 4K to 8K.

Description

Use the arp max-entry command to configure the maximum number of ARP entries that can be supported by a specified LPU in the system.

Use the undo arp max-entry command to remove the configuration.

By default, each LPU supports up to 4K ARP entries.

If no LPU in the system has a model name suffixed with B, DA, DB or DC, you can configure the maximum number of ARP entries for an LPU as 4K, 5K, 6K, 7K or 8K. Otherwise, only 4K can be configured.

Examples

# Configure the maximum number of ARP entries that can be supported by the interface card in slot 12 as 8K (assuming that the system does not contain LPUs with their model name being suffixed with B, DA, DB or DC).

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]arp max-entry 12 8

The configuration won't be enabled until the system is rebooted.

2.1.2  arp max-aggregation-entry

Syntax

arp max-aggregation-entry max-aggnum

undo arp max-aggregation-entry

View

System view

Parameters

max-aggnum: Maximum number of ARP entries with aggregated ports (that is, aggregation ARP entries) supported by each LPU. This argument counts in K (1K = 1024).

Description

Use the arp max-aggregation-entry command to configure the maximum number of aggregation ARP entries that can be supported by each LPU of the switch.

Use the undo arp max-aggregation-entry command to restore the default maximum number of aggregation ARP entries supported by each LPU.

If no LPU in the system has a model name suffixed with B, DA, DB or DC, you can configure the maximum number of aggregation ARP entries as 0K, 1K, 3K, 7K or 8K. Otherwise, only 0K, 1K or 3K can be configured.

By default, each LPU supports up to 1K aggregation ARP entries.

Examples

# Configure the maximum number of aggregation ARP entries that can be supported by each LPU of the switch as 8K (assuming that the system does not contain LPUs whose model names are suffixed with B, DA, DB or DC).

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C]arp max-aggregation-entry 8

The configuration won't be enabled until the system is rebooted.

2.1.3  arp enable size

Syntax

arp enable size { 4 | 64 }

undo arp enable size

View

System view

Parameters

4: Configures the maximum number of ARP entries of the whole switch as 4K (1K = 1024).

64: Configure the maximum number of ARP entries of the whole switch as 64K.

Description

Use the arp enable size command to configure the maximum number of ARP entries that can be supported by the switch.

Use the undo arp enable size command to restore the default.

By default, the switch supports up to 4K ARP entries, each LPU supports up to 4K ARP entries, and each LPU supports up to 1K aggregation ARP entries.

Examples

# Configure the maximum number of ARP entries for the switch as 64K.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] arp enable size 64

The configuration won't be enabled until the system is rebooted.

 

  Caution:

l      The arp max-entry, arp max-aggregation-entry and arp enable size configurations take effect only after you restart the system.

l      Do not remove an LPU or move an LPU from one slot to another before restarting the system. Otherwise, the configurations may fail to take effect.

l      After making these configurations, do not perform an active/standby switchover before restarting the system. Otherwise, the configurations will not take effect even after you restart the system.

 

2.1.4  display arp max-entry

Syntax

display arp max-entry

View

Any view

Parameters

None

Description

Use the display arp max-entry command to display the ARP table size limits currently in effect and those that will take effect after the switch restarts.

Examples

# Display the ARP table size limits currently in effect and those that will take effect after the switch restarts.

<H3C> display arp max-entry

The current max arp entry config information:

  max arp entry config(Main Board): 65536

  max link-aggregation arp entry config: 0

  max arp entry config of slot 0: 8192

  ……………

  max arp entry config of slot 13: 8192

The next max arp entry config information:

  max arp entry config(Main Board): 65536

  max link-aggregation arp entry config: 8192

  max arp entry config of slot 0: 8192

  ………….

  max arp entry config of slot 13: 8192

 


Chapter 3  ARP Attack Prevention Configuration Commands

3.1  ARP Spoofing Attack Prevention Configuration Commands

3.1.1  arp entry-check

Syntax

arp entry-check { fixed-mac | fixed-all | send-ack }

undo arp entry-check

View

System view

Parameters

fixed-mac: Specifies the ARP spoofing attack prevention mode as fixed-mac.

fixed-all: Specifies the ARP spoofing attack prevention mode as fixed-all.

send-ack: Specifies the ARP spoofing attack prevention mode as send-ack.

Description

Use the arp entry-check command to enable ARP spoofing attack prevention and specify an ARP spoofing attack prevention mode.

Use the undo arp entry-check command to disable ARP spoofing attack prevention.

By default, ARP spoofing attack prevention is disabled. The three attack prevention modes are mutually exclusive.

Examples

# Specify the ARP spoofing attack prevention mode as fixed-mac.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] arp entry-check fixed-mac

3.1.2  debugging arp entry-check

Syntax

debugging arp entry-check

undo debugging arp entry-check

View

User view

Parameters

None

Description

Use the debugging arp entry-check command to enable ARP spoofing attack prevention debugging.

Use the undo debugging arp entry-check command to disable ARP spoofing attack prevention debugging.

By default, ARP spoofing attack prevention debugging is disabled.

Related commands: arp entry-check

Examples

# Enable ARP spoofing attack prevention debugging.

<H3C> debugging arp entry-check

3.1.3  display arp entry-check

Syntax

display arp entry-check

View

Any view

Parameters

None

Description

Use the display arp entry-check command to display information about ARP spoofing attack prevention configuration.

Related commands: arp entry-check

Examples

# Display information about ARP spoofing attack prevention configuration.

<H3C> display arp entry-check

Arp entry-check mode is fixed-mac.

3.2  ARP Duplicate Gateway Attack Prevention Configuration Commands

3.2.1  anti-attack gateway-duplicate

Syntax

anti-attack gateway-duplicate { enable | disable }

View

System view

Parameters

enable: Enables ARP duplicate gateway attack prevention. With this function enabled, the switch generates an attack prevention entry after detecting a duplicate gateway address in an ARP packet.

disable: Disables ARP duplicate gateway attack prevention. With this function disabled, the switch does not generate any attack prevention entry after detecting a duplicate gateway address in an ARP packet.

Description

Use the anti-attack gateway-duplicate enable command to enable ARP duplicate gateway attack prevention. With this function enabled, when the switch detects a duplicate gateway address, it logs the event and prevents the attack based on the generated attack prevention entry.

Use the anti-attack gateway-duplicate disable command to disable ARP duplicate gateway attack prevention. With this function disabled, when the switch detects a duplicate gateway address, it logs the event but does not prevent the attack.

By default, ARP duplicate gateway attack prevention is disabled.

Examples

# Enable ARP duplicate gateway attack prevention.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] anti-attack gateway-duplicate enable

3.2.2  display anti-attack gateway-duplicate

Syntax

display anti-attack gateway-duplicate slot slotid

View

Any view

Parameters

slotid: Number of the slot where the LPU is located.

Description

Use the display anti-attack gateway-duplicate command to display information about the ARP duplicate gateway attack prevention entries of a specified LPU, including the MAC address and VLAN of the attacker, name of the port that detected the attacker, as well as state of the entries.

Use this command after the ARP duplicate gateway attack prevention is enabled.

Examples

# Display information about the ARP duplicate gateway attack prevention entries of the LPU in slot 9.

[H3C] display anti-attack gateway-duplicate slot 9

MAC Address        VLAN    Port Name                     State

 0000-0000-0001    33      GigabitEthernet9/1/6          Inactive

 0000-0000-0002    33      GigabitEthernet9/1/6          Active

 

---  2 mac address(es) found  ---

Table 3-1 Description on the fields of the display anti-attack gateway-duplicate command

Field         Description
MAC Address   MAC address of the attacker
VLAN          VLAN to which the attacker belongs
Port Name     Port that detected the attacker. For an aggregated port, the primary port is displayed.
State         State of the attack prevention entry. Active: the entry is in effect. Inactive: the entry has been deactivated because the MAC address was deleted, a static ARP entry with the same MAC address was configured, or the VLAN to which the attacker belongs was deleted.
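An added Python example (not from the manual) that replays debugging arp packet lines in the format shown in 1.1.8 and flags the two conditions the features in 3.1 and 3.2 respond to: a received ARP packet whose sender IP is one of the switch's own gateway addresses but whose sender MAC is not the switch's, and an IP address whose sender MAC changes between packets. The gateway address-to-MAC mapping and the four debug lines are constructed; the switch's own detection logic is not documented on this page and is not reproduced here.

```python
"""Offline checks over debugging arp packet output: duplicate gateway and changing MACs."""
import re

DEBUG_RE = re.compile(
    r"(?P<dir>arp_send|arp_rcv):.*?operation : (?P<op>\d+),\s*"
    r"sender_eth_addr : (?P<smac>[0-9a-f-]+),\s*sender_ip_addr : (?P<sip>[\d.]+),\s*"
    r"target_eth_addr : (?P<tmac>[0-9a-f-]+),\s*target_ip_addr : (?P<tip>[\d.]+)"
)


def parse_debug_line(line):
    """Return the fields of one debugging arp line as a dict, or None for other lines."""
    m = DEBUG_RE.search(line)
    return m.groupdict() if m else None


class ArpSpoofDetector:
    """Flag the two conditions the ARP attack prevention features in Chapter 3 react to.

    gateway_macs maps each of the switch's own VLAN-interface IPs to its MAC.
    Only received packets (arp_rcv) are inspected; arp_send lines are the
    switch's own traffic.
    """

    def __init__(self, gateway_macs):
        self.gateway_macs = gateway_macs
        self.learned = {}      # sender IP -> first MAC seen for it (illustrative, not the switch's table logic)
        self.alerts = []

    def feed(self, line):
        pkt = parse_debug_line(line)
        if pkt is None or pkt["dir"] != "arp_rcv":
            return []
        new = []
        own_mac = self.gateway_macs.get(pkt["sip"])
        if own_mac is not None and pkt["smac"] != own_mac:
            # Another station claims one of our gateway addresses: the
            # duplicate gateway condition of anti-attack gateway-duplicate.
            new.append(("duplicate-gateway", pkt["sip"], pkt["smac"]))
        prev = self.learned.setdefault(pkt["sip"], pkt["smac"])
        if prev != pkt["smac"]:
            # The IP-to-MAC binding changed: the symptom ARP spoofing prevention guards against.
            new.append(("mac-changed", pkt["sip"], pkt["smac"]))
        self.alerts.extend(new)
        return new


def analyze(lines, gateway_macs):
    """Run every line through a detector and return all alerts in order."""
    det = ArpSpoofDetector(gateway_macs)
    for line in lines:
        det.feed(line)
    return det.alerts


# Constructed debug output in the format shown in 1.1.8; not captured from a real switch.
SAMPLE_LINES = [
    "*0.771346-ARP-8-S1-arp_send:Send an ARP Packet, operation : 1, sender_eth_addr : 000f-e200-3500,"
    "sender_ip_addr : 10.110.91.159, target_eth_addr : 0000-0000-0000, target_ip_addr : 10.110.91.193",
    "*0.771584-ARP-8-S1-arp_rcv:Receive an ARP Packet, operation : 2, sender_eth_addr : 0050-ba22-6fd7, "
    "sender_ip_addr : 10.110.91.193, target_eth_addr : 000f-e200-3500, target_ip_addr : 10.110.91.159",
    "*0.772010-ARP-8-S1-arp_rcv:Receive an ARP Packet, operation : 1, sender_eth_addr : 0000-0000-0002, "
    "sender_ip_addr : 10.110.91.159, target_eth_addr : 0000-0000-0000, target_ip_addr : 10.110.91.200",
    "*0.772455-ARP-8-S1-arp_rcv:Receive an ARP Packet, operation : 2, sender_eth_addr : 0000-0000-0002, "
    "sender_ip_addr : 10.110.91.193, target_eth_addr : 000f-e200-3500, target_ip_addr : 10.110.91.159",
]
GATEWAYS = {"10.110.91.159": "000f-e200-3500"}   # assumed VLAN-interface address and MAC

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LINES, GATEWAYS):
        print(alert)
```

The third sample line is the duplicate gateway case (a host with MAC 0000-0000-0002 claiming 10.110.91.159), and the fourth is the spoofing case (the same host now answering for 10.110.91.193). On the switch, the first condition is what anti-attack gateway-duplicate enable turns into an attack prevention entry for that MAC and VLAN.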

 

3.3  ARP Packet Attack Prevention Configuration Commands

3.3.1  anti-attack arp

Syntax

anti-attack arp { enable | monitor | disable }

View

System view

Parameters

enable: Enables ARP packet attack prevention.

monitor: Enables the ARP packet attack monitoring function.

disable: Disables ARP packet attack prevention.

Description

Use the anti-attack arp enable command to enable ARP packet attack prevention. With this function enabled, if the number of ARP packets received from a MAC address exceeds the configured threshold, the switch generates an attack prevention entry to prevent such attacks, and logs the event at the same time.

Use the anti-attack arp monitor command to enable the ARP packet attack monitoring function. With this function enabled, if the number of ARP packets received from a MAC address exceeds the configured threshold, the switch logs the event but does not generate any attack prevention entry to filter the attacker.

Use the anti-attack arp disable command to disable ARP packet attack prevention.

By default, the ARP packet attack monitoring function is enabled.

Examples

# Enable ARP packet attack prevention.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] anti-attack arp enable

3.3.2  anti-attack arp aging-time

Syntax

anti-attack arp aging-time time

undo anti-attack arp aging-time

View

System view

Parameters

time: Aging time, in seconds, for ARP packet attack prevention entries, in the range of 60 to 6000.

Description

Use the anti-attack arp aging-time command to configure the aging time for ARP packet attack prevention entries.

Use the undo anti-attack arp aging-time command to restore the default.

By default, the aging time for ARP packet attack prevention entries is 600 seconds.

Examples

# Configure the aging time for ARP packet attack prevention entries as 1200 seconds.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] anti-attack arp aging-time 1200

3.3.3  anti-attack arp exclude-mac

Syntax

anti-attack arp exclude-mac mac-address

undo anti-attack arp exclude-mac mac-address

View

System view

Parameters

mac-address: Protected MAC address for ARP packet attack prevention.

Description

Use the anti-attack arp exclude-mac command to specify a protected MAC address for ARP packet attack prevention. A protected MAC address will not be filtered out by the packet attack prevention function even if it is the source of ARP attacks.

Use the undo anti-attack arp exclude-mac command to remove the specified protected MAC address.

The system supports up to 16 protected MAC addresses.

Examples

# Specify the protected MAC address for ARP packet attack prevention as 00-11-43-C2-6D-EF.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] anti-attack arp exclude-mac 00-11-43-C2-6D-EF

3.3.4  anti-attack arp threshold

Syntax

anti-attack arp threshold threshold-value

undo anti-attack arp threshold

View

System view

Parameters

threshold threshold-value: Threshold for ARP packet attack detection, in packets per second (pps), in the range of 5 to 300.

Description

Use the anti-attack arp threshold command to configure the threshold for ARP packet attack detection. If the number of ARP packets from a MAC address reaches the threshold within one second, the user of this MAC address is considered an attacker.

Use the undo anti-attack arp threshold command to restore the default.

By default, the threshold for ARP packet attack detection is 30 pps.

Examples

# Configure the threshold for ARP packet attack detection as 40 pps.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] anti-attack arp threshold 40

3.3.5  display anti-attack arp

Syntax

display anti-attack arp slot slotid

View

Any view

Parameters

slot slotid: Number of the slot where the LPU is located.

Description

Use the display anti-attack arp command to display the ARP packet attack prevention entries of a specified LPU, including the MAC address, VLAN and port name of the attacker, and the state of each entry.

Use this command after the ARP packet attack prevention is enabled.

Examples

# Display information about the ARP packet attack prevention entries of the LPU in slot 3.

<H3C> display anti-attack arp slot 3

MAC Address        VLAN         Port Name                     State

0000-0000-0001     33           GigabitEthernet3/1/6          Inactive

0000-0000-0002     33           GigabitEthernet3/1/6          Active


---  2 mac address(es) found  ---

Table 3-2 Description on the fields of the display anti-attack arp command

Field        Description
MAC Address  MAC address of the attacker
VLAN         VLAN to which the attacker belongs
Port Name    Port on which the attacker was detected. If the port is an aggregated port, the primary port is displayed.
State        State of the attack prevention entry:
             Inactive: The entry is inactive because the MAC address was deleted, a static ARP entry with the same MAC address was configured, or the VLAN to which the attacker belongs was deleted.
             Active: The entry is active.
             When ARP packet attack prevention is enabled, an entry is in one of the two states above.
             Monitor: When the ARP packet attack monitoring function is enabled, an entry enters this state once an attacker is detected.
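The detection logic that the anti-attack arp, anti-attack arp threshold, anti-attack arp exclude-mac and anti-attack arp aging-time commands configure, as an added Python model that is not part of the manual or of the switch software: ARP frames are counted per source MAC within each one-second window, an attack prevention entry is created when the count reaches the threshold, protected MACs are skipped, entries age out, and the entry state (Active or Monitor) follows the configured mode. The frame representation, the class and function names, whether a protected MAC is also exempt from logging, and the sample traffic are assumptions constructed for this example.

```python
from collections import defaultdict

class ArpAttackGuard:
    def __init__(self, mode="monitor", threshold=30, aging_time=600, exclude_mac=()):
        # Defaults follow the manual: monitor mode, 30 pps threshold, 600 s entry aging.
        if mode not in ("enable", "monitor", "disable") or not (
                5 <= threshold <= 300 and 60 <= aging_time <= 6000) or len(exclude_mac) > 16:
            raise ValueError("threshold 5-300 pps, aging-time 60-6000 s, at most 16 protected MACs")
        self.mode, self.threshold, self.aging = mode, threshold, aging_time
        self.exclude = {m.lower() for m in exclude_mac}
        self.counts = defaultdict(int)   # (second, mac) -> ARP frames seen
        self.entries = {}                # mac -> attack prevention entry
        self.log = []                    # one log line per detected attacker

    def _age(self, now):
        # An entry is removed aging_time seconds after it was created.
        for mac in [m for m, e in self.entries.items() if e["expires"] <= now]:
            del self.entries[mac]

    def on_arp(self, ts, mac, vlan, port):
        """Process one ARP frame; return True if forwarded, False if filtered."""
        self._age(ts)
        mac = mac.lower()
        if self.mode == "disable" or mac in self.exclude:
            return True   # protected MACs are never filtered (assumed: nor logged)
        entry = self.entries.get(mac)
        if entry and entry["state"] == "Active":
            return False  # the attacker stays filtered until its entry ages out
        key = (int(ts), mac)
        self.counts[key] += 1
        if self.counts[key] == self.threshold:
            # Threshold reached within one second: create the entry and log it.
            state = "Active" if self.mode == "enable" else "Monitor"
            self.entries[mac] = {"vlan": vlan, "port": port, "state": state,
                                 "expires": ts + self.aging}
            self.log.append(f"ARP attack: {mac} vlan {vlan} {port} ({state})")
            return state != "Active"  # enable mode drops from the triggering frame on
        return True

def run_sample(mode):
    """Constructed traffic: a flooding MAC, a quiet MAC and a protected flooder."""
    g = ArpAttackGuard(mode=mode, threshold=40, exclude_mac=["00-11-43-C2-6D-EF"])
    traffic = [("0000-0000-0002", 60), ("0000-0000-0001", 5), ("00-11-43-C2-6D-EF", 60)]
    forwarded = 0
    for mac, count in traffic:
        for i in range(count):   # every frame falls in the same second (ts 100.00-100.59)
            forwarded += g.on_arp(100 + i / 100, mac, 33, "GigabitEthernet3/1/6")
    return g, forwarded
```

With mode "enable" the flooding MAC is filtered from its 40th frame on, while in "monitor" mode the same attacker is only logged and its entry shows state Monitor.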

 


Chapter 4  IP Packet Attack Prevention Configuration Commands

4.1  IP Packet Attack Prevention Configuration Commands

4.1.1  anti-attack ip

Syntax

anti-attack ip { disable | enable }

View

System view

Parameters

None

Description

Use the anti-attack ip enable command to enable IP packet attack prevention.

Use the anti-attack ip disable command to disable IP packet attack prevention.

By default, IP packet attack prevention is enabled.

Examples

# Disable IP packet attack prevention.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] anti-attack ip disable

4.1.2  anti-attack ttl1

Syntax

anti-attack ttl1 { enable | disable } slot slotid

View

System view

Parameters

slot slotid: Number of the slot where the LPU is located.

Description

Use the anti-attack ttl1 enable command to prevent IP packets whose TTL field is 1 from being delivered to the CPU, which blocks attacks that rely on such packets.

Use the anti-attack ttl1 disable command to restore the default.

By default, IP packets whose TTL field is 1 are delivered to the CPU for processing.

Note:

Currently, the anti-attack ttl1 command is supported only on the LPUs suffixed with DB or DC.

Examples

# Prevent IP packets with a TTL of 1 received on the LPU in slot 3 from being delivered to the CPU.

<H3C> system-view

System View: return to User View with Ctrl+Z.

[H3C] anti-attack ttl1 enable slot 3
