02-IP Services Volume

02-ARP Commands

ARP Configuration Commands

arp check enable

Syntax

arp check enable

undo arp check enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp check enable command to enable ARP entry check. With this function enabled, configuring such a static ARP entry is not allowed; otherwise, the system displays error messages.

Use the undo arp check enable command to disable the function. After the ARP entry check is disabled, you can configure such a static ARP entry on the device.

By default, ARP entry check is enabled.

Examples

# Enable ARP entry check.

<Sysname> system-view

[Sysname] arp check enable

arp max-learning-num

Syntax

arp max-learning-num number

undo arp max-learning-num

View

VLAN interface view

Default Level

2: System level

Parameters

number: Maximum number of dynamic ARP entries that an interface can learn, in the range 1 to 8192.

Description

Use the arp max-learning-num command to configure the maximum number of dynamic ARP entries that a VLAN interface can learn.

Use the undo arp max-learning-num command to restore the default.

Examples

# Specify VLAN-interface 40 to learn up to 500 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface vlan-interface 40

[Sysname-Vlan-interface40] arp max-learning-num 500

arp static

Syntax

arp static ip-address mac-address [ vlan-id interface-type interface-number ] [ vpn-instance vpn-instance-name ]

undo arp ip-address [ vpn-instance-name ]

View

System view

Default Level

2: System level

Parameters

ip-address: IP address in an ARP entry.

mac-address: MAC address in an ARP entry, in the format H-H-H.

vlan-id: ID of the VLAN to which a static ARP entry belongs, in the range 1 to 4094.

interface-type interface-number: Interface type and interface number.

vpn-instance vpn-instance-name: Name of a VPN instance, a case-sensitive string of 1 to 31 characters.

Description

Use the arp static command to configure a static ARP entry in the ARP mapping table.

Use the undo arp command to remove an ARP entry.

Note that:

•  A static ARP entry is effective when the device works normally. However, when the VLAN or VLAN interface to which an ARP entry corresponds is deleted, the entry, if permanent, will be deleted, and if non-permanent and resolved, will become unresolved.

•  The vlan-id argument is used to specify the corresponding VLAN of an ARP entry and must be the ID of an existing VLAN. In addition, the Ethernet interface following the argument must belong to that VLAN. The VLAN interface of the VLAN must have been created.

•  If both the vlan-id and ip-address arguments are specified, the IP address of the VLAN interface corresponding to the vlan-id argument must belong to the same network segment as the IP address specified by the ip-address argument.

•  If no VPN instance is specified in the undo arp command, corresponding ARP entries of all VPN instances are removed.

Related commands: reset arp, display arp.

Examples

# Configure a static ARP entry, with the IP address being 202.38.10.2, the MAC address being 000f-e201-0000, and the outbound interface being GigabitEthernet2/0/10 of VLAN 10.

<Sysname> system-view

[Sysname] arp static 202.38.10.2 000f-e201-0000 10 gigabitethernet 2/0/10

arp timer aging

Syntax

arp timer aging aging-time

undo arp timer aging

View

System view

Default Level

2: System level

Parameters

aging-time: Aging time for dynamic ARP entries in minutes, in the range 1 to 1,440.

Description

Use the arp timer aging command to set aging time for dynamic ARP entries.

Use the undo arp timer aging command to restore the default.

By default, the aging time for dynamic ARP entries is 20 minutes.

Related commands: display arp timer aging.

Examples

# Set aging time for dynamic ARP entries to 10 minutes.

<Sysname> system-view

[Sysname] arp timer aging 10

display arp

Syntax

display arp [ [ all | dynamic | static ] [ slot slot-id ] | vlan vlan-id | interface interface-type interface-number ] [ [ verbose ] [ | { begin | exclude | include } regular-expression ] | count ]

View

Any view

Default Level

1: Monitor level

Parameters

all: Displays all ARP entries.

dynamic: Displays dynamic ARP entries.

static: Displays static ARP entries.

slot slot-id: Displays the ARP entries of the specified slot.

vlan vlan-id: Displays the ARP entries of the specified VLAN. The VLAN ID ranges from 1 to 4,094.

interface interface-type interface-number: Displays the ARP entries of the interface specified by the argument interface-type interface-number.

verbose: Displays detailed information about ARP entries.

|: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Basic System Configuration in the System Volume.

begin: Displays ARP entries from the first one containing the specified string.

exclude: Displays the ARP entries that do not contain the specified string.

include: Displays the ARP entries containing the specified string.

regular-expression: A case-sensitive string for matching, consisting of 1 to 256 characters.

count: Displays the number of ARP entries.

Description

Use the display arp command to display ARP entries in the ARP mapping table.

If no parameter is specified or the all keyword is specified, all ARP entries are displayed.

Related commands: arp static, reset arp.

Examples

# Display the detailed information of all ARP entries.

<Sysname> display arp all verbose

                Type: S-Static    D-Dynamic

IP Address       MAC Address     VLAN ID  Interface              Aging Type

Vpn-instance Name

20.1.1.1         000f-e200-0001  N/A      N/A                    N/A   S

test

193.1.1.70       00e0-fe50-6503  100      GE2/0/1                DIS   D

[No Vrf]

192.168.0.115    000d-88f7-9f7d  1        GE2/0/2                DIS   D

[No Vrf]

192.168.0.39     0012-a990-2241  1        GE2/0/3                DIS   D

[No Vrf]

Table 1-1 display arp command output description

Field: Description

IP Address: IP address in an ARP entry

MAC Address: MAC address in an ARP entry

VLAN ID: VLAN ID contained in a static ARP entry

Interface: Outbound interface in an ARP entry

Aging: Aging time for a dynamic ARP entry in minutes. "DIS" means the ARP entry is learned from an interface board. (The detailed aging time can be displayed only when you view the dynamic ARP entries of the specified interface board.)

Type: ARP entry type: D for dynamic, S for static, and A for authorized.

Vpn-instance Name: Name of VPN instance. [No Vrf] means no VPN instance is configured for the corresponding ARP.

# Display the number of all ARP entries.

<Sysname> display arp all count

 Total Entry(ies): 4

display arp ip-address

Syntax

display arp ip-address [ slot slot-id ] [ verbose ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

ip-address: Displays the ARP entry for the specified IP address.

slot slot-id: Displays the ARP entry for the specified slot.

verbose: Displays the detailed information about ARP entries.

|: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Basic System Configuration in the System Volume.

begin: Displays the ARP entries from the first one containing the specified string.

exclude: Displays the ARP entries that do not contain the specified string.

include: Displays the ARP entries that contain the specified string.

regular-expression: A case-sensitive string for matching, consisting of 1 to 256 characters.

Description

Use the display arp ip-address command to display the ARP entry for a specified IP address.

Related commands: arp static, reset arp.

Examples

# Display the corresponding ARP entry for the IP address 20.1.1.1.

<Sysname> display arp 20.1.1.1

                Type: S-Static    D-Dynamic

IP Address       MAC Address     VLAN ID  Interface              Aging Type

20.1.1.1         000f-e200-0001  N/A      N/A                    N/A   S

display arp timer aging

Syntax

display arp timer aging

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display arp timer aging command to display the aging time for dynamic ARP entries.

Related commands: arp timer aging.

Examples

# Display the aging time for dynamic ARP entries.

<Sysname> display arp timer aging

Current ARP aging time is 10 minute(s)

display arp vpn-instance

Syntax

display arp vpn-instance vpn-instance-name [ | { begin | exclude | include } regular-expression | count ]

View

Any view

Default Level

1: Monitor level

Parameters

vpn-instance-name: Name of VPN instance, a case-sensitive string of 1 to 31 characters excluding spaces. With this argument specified, the ARP entries for a specific VPN instance are displayed.

|: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Basic System Configuration in the System Volume.

begin: Displays the ARP entries from the first one that contains the specified string.

exclude: Displays the ARP entries that do not contain the specified string.

include: Displays the ARP entries that contain the specified string.

regular-expression: A case-sensitive character string for matching, consisting of 1 to 256 characters.

count: Displays the number of ARP entries.

Description

Use the display arp vpn-instance command to display the ARP entries for a specified VPN instance.

Related commands: arp static and reset arp.

Examples

# Display ARP entries for the VPN instance named test.

<Sysname> display arp vpn-instance test

                Type: S-Static    D-Dynamic

IP Address       MAC Address     VLAN ID  Interface              Aging Type

20.1.1.1         000f-e200-0001  N/A      N/A                    N/A   S

naturemask-arp enable

Syntax

naturemask-arp enable

undo naturemask-arp enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the naturemask-arp enable command to cancel the restriction that ARP requests must be from the same subnet. In this case, ARP requests from a natural network are supported.

Use the undo naturemask-arp enable command to restore the default.

By default, the support for ARP requests from a natural network is disabled.

Examples

# Enable the support for ARP requests from a natural network.

<Sysname> system-view

[Sysname] naturemask-arp enable

reset arp

Syntax

reset arp { all | dynamic | slot slot-id | static | interface interface-type interface-number }

View

User view

Default Level

2: System level

Parameters

all: Clears all ARP entries.

dynamic: Clears all dynamic ARP entries.

static: Clears all static ARP entries.

slot slot-id: Clears the ARP entries for the specified slot.

interface interface-type interface-number: Clears the ARP entries for the interface specified by the argument interface-type interface-number.

Description

Use the reset arp command to clear ARP entries except authorized ARP entries from the ARP mapping table.

With interface interface-type interface-number or slot slot-id specified, the command clears only dynamic ARP entries of the interface or the slot.

Related commands: arp static, display arp.

Examples

# Clear all static ARP entries.

<Sysname> reset arp static

Gratuitous ARP Configuration Commands

gratuitous-arp-sending enable

Syntax

gratuitous-arp-sending enable

undo gratuitous-arp-sending enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the gratuitous-arp-sending enable command to enable a device to send gratuitous ARP packets when receiving ARP requests from another network segment.

Use the undo gratuitous-arp-sending enable command to restore the default.

By default, a device cannot send gratuitous ARP packets when receiving ARP requests from another network segment.

Examples

# Disable a device from sending gratuitous ARP packets.

<Sysname> system-view

[Sysname] undo gratuitous-arp-sending enable

gratuitous-arp-learning enable

Syntax

gratuitous-arp-learning enable

undo gratuitous-arp-learning enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function.

Use the undo gratuitous-arp-learning enable command to disable the function.

By default, the function is enabled.

Examples

# Enable the gratuitous ARP packet learning function.

<Sysname> system-view

[Sysname] gratuitous-arp-learning enable

 


Proxy ARP Configuration Commands

display local-proxy-arp

Syntax

display local-proxy-arp [ interface Vlan-interface vlan-id ]

View

Any view

Default Level

2: System level

Parameters

interface Vlan-interface vlan-id: Displays the local proxy ARP status of the specified VLAN interface.

Description

Use the display local-proxy-arp command to display the status of the local proxy ARP.

Related commands: local-proxy-arp enable.

Examples

# Display the status of the local proxy ARP on VLAN-interface 2.

<Sysname> display local-proxy-arp interface vlan-interface 2

Interface Vlan-interface2

 Local Proxy ARP status: enabled

display proxy-arp

Syntax

display proxy-arp [ interface Vlan-interface vlan-id ]

View

Any view

Default Level

2: System level

Parameters

interface Vlan-interface vlan-id: Displays the proxy ARP status of the specified VLAN interface.

Description

Use the display proxy-arp command to display the proxy ARP status.

Related commands: proxy-arp enable.

Examples

# Display the proxy ARP status on VLAN-interface 1.

<Sysname> display proxy-arp interface vlan-interface 1

Interface Vlan-interface1

 Proxy ARP status: disabled

local-proxy-arp enable

Syntax

local-proxy-arp enable

undo local-proxy-arp enable

View

VLAN interface view

Default Level

2: System level

Parameters

None

Description

Use the local-proxy-arp enable command to enable local proxy ARP.

Use the undo local-proxy-arp enable command to disable local proxy ARP.

By default, local proxy ARP is disabled.

Related commands: display local-proxy-arp.

Examples

# Enable local proxy ARP on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] local-proxy-arp enable

proxy-arp enable

Syntax

proxy-arp enable

undo proxy-arp enable

View

VLAN interface view, Ethernet interface view

Default Level

2: System level

Parameters

None

Description

Use the proxy-arp enable command to enable proxy ARP.

Use the undo proxy-arp enable command to disable proxy ARP.

By default, proxy ARP is disabled.

Related commands: display proxy-arp.

Examples

# Enable proxy ARP on VLAN-interface 2.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] proxy-arp enable

 


ARP Source Suppression Configuration Commands

arp source-suppression enable

Syntax

arp source-suppression enable

undo arp source-suppression enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp source-suppression enable command to enable the ARP source suppression function.

Use the undo arp source-suppression enable command to disable the function.

By default, the ARP source suppression function is disabled.

Related commands: display arp source-suppression.

Examples

# Enable the ARP source suppression function.

<Sysname> system-view

[Sysname] arp source-suppression enable

arp source-suppression limit

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

View

System view

Default Level

2: System level

Parameters

limit-value: Specifies the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds. It ranges from 2 to 1024.

Description

Use the arp source-suppression limit command to set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds.

Use the undo arp source-suppression limit command to restore the default value, which is 10.

With this feature configured, whenever the number of packets with unresolvable destination IP addresses from a host within five seconds exceeds the specified threshold, the device suppresses the sending host from triggering any ARP requests within the following five seconds.

Related commands: display arp source-suppression.

Examples

# Set the maximum number of packets with the same source address but unresolvable destination IP addresses that the device can receive in five seconds to 100.

<Sysname> system-view

[Sysname] arp source-suppression limit 100
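The following Python model is an added example, not H3C code, showing how the limit-value threshold bounds the ARP requests a single source can trigger. The class and function names are hypothetical, and it assumes a fixed (not sliding) five-second counting window and that the packet crossing the threshold is itself suppressed; the manual does not specify either detail.

```python
WINDOW_MS = 5000  # the five-second interval named in the command description


class SourceSuppression:
    """Per-source counter for packets whose destination IP cannot be resolved."""

    def __init__(self, limit=10):  # 10 is the documented default
        if not 2 <= limit <= 1024:
            raise ValueError("limit-value ranges from 2 to 1024")
        self.limit = limit
        self._hosts = {}  # source IP -> (window_start_ms, count, suppressed_until_ms)

    def may_trigger_arp(self, src_ip, now_ms):
        """Record one unresolvable packet; True if it may trigger an ARP request."""
        start, count, until = self._hosts.get(src_ip, (now_ms, 0, 0))
        if now_ms < until:
            return False  # still inside the five-second suppression period
        if now_ms - start >= WINDOW_MS:
            start, count = now_ms, 0  # assumption: fixed (not sliding) window
        count += 1
        if count > self.limit:
            # Assumption: the packet that crosses the threshold is suppressed too.
            self._hosts[src_ip] = (now_ms, 0, now_ms + WINDOW_MS)
            return False
        self._hosts[src_ip] = (start, count, until)
        return True


def arp_requests_triggered(limit, hosts, duration_s):
    """Replay constructed traffic: hosts maps source IP -> packets per second.

    Returns {source IP: number of packets that were allowed to trigger ARP}.
    """
    table = SourceSuppression(limit)
    events = sorted(
        (i * 1000 // pps, ip)
        for ip, pps in hosts.items()
        for i in range(pps * duration_s)
    )
    allowed = dict.fromkeys(hosts, 0)
    for now_ms, ip in events:
        allowed[ip] += table.may_trigger_arp(ip, now_ms)
    return allowed


# Constructed traffic: one noisy host and one quiet host, replayed for 20 seconds.
SAMPLE_HOSTS = {"10.0.0.66": 100, "10.0.0.7": 1}

if __name__ == "__main__":
    for limit in (10, 100):
        print(limit, arp_requests_triggered(limit, SAMPLE_HOSTS, 20))
```

In this model the quiet host is never suppressed at either limit, while raising the limit from 10 to 100 lets the noisy host trigger ten times as many ARP requests over the same period.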

display arp source-suppression

Syntax

display arp source-suppression

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display arp source-suppression command to display information about the current ARP source suppression configuration.

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

 ARP source suppression is enabled

 Current suppression limit: 100

 Current cache length: 16

Table 3-1 display arp source-suppression command output description

Field: Description

ARP source suppression is enabled: The ARP source suppression function is enabled

Current suppression limit: Maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds

Current cache length: Size of cache used to record source suppression information

ARP Defense Against IP Packet Attack Configuration Commands

arp resolving-route enable

Syntax

arp resolving-route enable

undo arp resolving-route enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp resolving-route enable command to enable ARP defense against IP packet attacks.

Use the undo arp resolving-route enable command to disable the function.

By default, the support for ARP defense against IP packet attacks is enabled.

Examples

# Enable ARP defense against IP packet attacks.

<Sysname> system-view

[Sysname] arp resolving-route enable

ARP Detection Configuration Commands

arp detection enable

Syntax

arp detection enable

undo arp detection enable

View

VLAN view

Default Level

2: System level

Parameters

None

Description

Use the arp detection enable command to enable ARP detection for the VLAN.

Use the undo arp detection enable command to disable ARP detection for the VLAN.

By default, ARP detection is disabled for a VLAN.

Examples

# Enable ARP detection for VLAN 1.

<Sysname> system-view

[Sysname] vlan 1

[Sysname-Vlan1] arp detection enable

arp detection trust

Syntax

arp detection trust

undo arp detection trust

View

Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the arp detection trust command to configure the port as an ARP trusted port.

Use the undo arp detection trust command to configure the port as an ARP untrusted port.

By default, the port is an ARP untrusted port.

Examples

# Configure GigabitEthernet2/0/1 as an ARP trusted port.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] arp detection trust

arp detection validate

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

View

System view

Default Level

2: System level

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests will be checked.

src-mac: Checks whether the source MAC address of an ARP packet is identical to that in its Ethernet header. If they are identical, the packet is considered valid; otherwise, the packet is discarded.

Description

Use the arp detection validate command to configure ARP detection based on specified objects. You can specify one or more objects in one command line.

Use the undo arp detection validate command to remove the specified check objects. If no keyword is specified, all check objects are removed.

By default, the checking of the MAC addresses and IP addresses of ARP packets is disabled.

Examples

# Enable the checking of the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac src-mac ip
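The three validity checks described under Parameters, applied to raw frames, as an added Python example (not H3C code). The function names and the constructed sample frames are hypothetical, and "source MAC address of an ARP packet" is read as the sender hardware address in the ARP body.

```python
import ipaddress
import struct

ZERO_MAC, ONES_MAC = bytes(6), b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """Convert H-H-H notation (e.g. 000f-e201-0000) to 6 raw bytes."""
    return bytes.fromhex(text.replace("-", ""))


def build_frame(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Build a constructed Ethernet II + ARP (IPv4 over Ethernet) frame."""
    eth = mac(eth_dst) + mac(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += mac(sha) + ipaddress.IPv4Address(spa).packed
    arp += mac(tha) + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def bad_ip(raw):
    """ip keyword: all-zero, all-one and multicast addresses are invalid."""
    return raw in (bytes(4), b"\xff" * 4) or ipaddress.IPv4Address(raw).is_multicast


def validate(frame, checks=("dst-mac", "ip", "src-mac")):
    """Return the names of the enabled checks the frame fails ([] = valid)."""
    if len(frame) < 42:
        raise ValueError("truncated ARP frame")
    eth_dst, eth_src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ethertype != 0x0806 or (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an IPv4-over-Ethernet ARP frame")
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    failed = []
    # dst-mac applies to ARP responses only.
    if "dst-mac" in checks and op == ARP_REPLY:
        if tha in (ZERO_MAC, ONES_MAC) or tha != eth_dst:
            failed.append("dst-mac")
    # ip: source and destination of replies, source only of requests.
    if "ip" in checks and (bad_ip(spa) or (op == ARP_REPLY and bad_ip(tpa))):
        failed.append("ip")
    # src-mac: sender MAC in the ARP body must equal the Ethernet source MAC.
    if "src-mac" in checks and sha != eth_src:
        failed.append("src-mac")
    return failed


# Constructed sample frames; all addresses are illustrative.
HOST_A, HOST_B, HOST_C = "000f-e201-0001", "000f-e201-0002", "000f-e201-0003"
GOOD_REPLY = build_frame(HOST_A, HOST_B, ARP_REPLY,
                         HOST_B, "192.168.0.2", HOST_A, "192.168.0.1")
# Ethernet source (HOST_C) differs from the sender MAC claimed in the ARP body.
FORGED_SENDER = build_frame(HOST_A, HOST_C, ARP_REPLY,
                            HOST_B, "192.168.0.2", HOST_A, "192.168.0.1")
# Reply whose ARP target MAC does not match the Ethernet destination.
WRONG_TARGET = build_frame(HOST_A, HOST_B, ARP_REPLY,
                           HOST_B, "192.168.0.2", HOST_C, "192.168.0.1")
# Broadcast request with an all-zero source IP and all-zero target MAC.
ZERO_SRC_REQUEST = build_frame("ffff-ffff-ffff", HOST_B, ARP_REQUEST,
                               HOST_B, "0.0.0.0", "0000-0000-0000", "192.168.0.1")

if __name__ == "__main__":
    for name in ("GOOD_REPLY", "FORGED_SENDER", "WRONG_TARGET", "ZERO_SRC_REQUEST"):
        print(name, validate(globals()[name]) or "valid")
```

Under the ip rule as stated, this model rejects a request whose sender IP is 0.0.0.0, which is the form used by ARP address probes, so check whether hosts on the VLAN rely on such probes before enabling that keyword.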

arp rate-limit

Syntax

arp rate-limit { disable | rate pps drop }

undo arp rate-limit

View

Ethernet port view

Default Level

2: System level

Parameters

disable: Disables ARP packet rate limit.

pps: ARP packet rate in pps, in the range 50 to 500.

drop: Discards the exceeded packets.

Description

Use the arp rate-limit command to configure or disable ARP packet rate limit. If a rate is specified, exceeded packets are discarded.

Use the undo arp rate-limit command to restore the default.

By default, ARP packet rate limit is enabled, and the ARP packet rate is 100 pps.

Examples

# Specify the ARP packet rate on GigabitEthernet 2/0/1 as 30 pps, and exceeded packets are discarded.

<Sysname> system-view

[Sysname] interface gigabitethernet 2/0/1

[Sysname-GigabitEthernet2/0/1] arp rate-limit rate 30 drop

display arp detection

Syntax

display arp detection

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display arp detection command to display the VLAN(s) enabled with ARP detection.

Related commands: arp detection enable.

Examples

# Display the VLANs enabled with ARP detection.

<Sysname> display arp detection

ARP detection is enabled in the following VLANs:

1, 2, 4-5

Table 3-2 display arp detection command output description

Field: Description

ARP detection is enabled in the following VLANs: VLANs that are enabled with ARP detection

display arp detection statistics

Syntax

display arp detection statistics [ interface interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the ARP detection statistics of a specified interface.

Description

Use the display arp detection statistics command to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces will be displayed.

Examples

# Display the ARP detection statistics of GigabitEthernet2/0/1.

<Sysname> display arp detection statistics interface gigabitethernet2/0/1

State: U-Untrusted  T-Trusted

ARP packets dropped by ARP inspect checking:

Interface(State)          IP         Src-MAC    Dst-MAC    Inspect   

GE2/0/1(U)                40         0          0          78       

Table 3-3 display arp detection statistics command output description

Field: Description

Interface(State): State T or U identifies a trusted or untrusted port.

IP: Number of ARP packets discarded due to invalid source and destination IP addresses

Src-MAC: Number of ARP packets discarded due to invalid source MAC address

Dst-MAC: Number of ARP packets discarded due to invalid destination MAC address

Inspect: Number of ARP packets that failed to pass ARP detection (based on DHCP snooping entries/802.1x security entries/static IP-to-MAC bindings)

reset arp detection statistics

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

View

User view

Default Level

2: System level

Parameters

interface interface-type interface-number: Clears the ARP detection statistics of a specified interface.

Description

Use the reset arp detection statistics command to clear ARP detection statistics of a specified interface. If no interface is specified, the statistics of all the interfaces will be cleared.

Examples

# Clear the ARP detection statistics of all the interfaces.

<Sysname> reset arp detection statistics

 
