Part 8 - Security

16-ARP Attack Protection Commands

ARP Defense Against IP Packet Attack Configuration Commands

arp resolving-route enable

Syntax

arp resolving-route enable

undo arp resolving-route enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp resolving-route enable command to enable ARP black hole routing.

Use the undo arp resolving-route enable command to disable the function.

By default, the function is enabled.

Examples

# Enable ARP black hole routing.

<Sysname> system-view

[Sysname] arp resolving-route enable

arp source-suppression enable

Syntax

arp source-suppression enable

undo arp source-suppression enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp source-suppression enable command to enable the ARP source suppression function.

Use the undo arp source-suppression enable command to disable the function.

By default, the ARP source suppression function is disabled.

Related commands: display arp source-suppression.

Examples

# Enable the ARP source suppression function.

<Sysname> system-view

[Sysname] arp source-suppression enable

arp source-suppression limit

Syntax

arp source-suppression limit limit-value

undo arp source-suppression limit

View

System view

Default Level

2: System level

Parameters

limit-value: Specifies the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds. It ranges from 2 to 1024.

Description

Use the arp source-suppression limit command to set the maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds.

Use the undo arp source-suppression limit command to restore the default value, which is 10.

With this feature configured, whenever a host sends more packets with unresolvable destination IP addresses within five seconds than the specified threshold, the device stops that host from triggering any ARP requests for the following five seconds.

Related commands: display arp source-suppression.

Examples

# Set the maximum number of packets with the same source address but unresolvable destination IP addresses that the device can receive in five seconds to 100.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

display arp source-suppression

Syntax

display arp source-suppression

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display arp source-suppression command to display information about the current ARP source suppression configuration.

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

 ARP source suppression is enabled

 Current suppression limit: 100

 Current cache length: 16

Table 1-1 display arp source-suppression command output description

Field                               Description
ARP source suppression is enabled   The ARP source suppression function is enabled
Current suppression limit           Maximum number of packets with the same source IP address but unresolvable destination IP addresses that the device can receive in five seconds
Current cache length                Size of the cache used to record source suppression information

ARP Packet Rate Limit Configuration Commands

arp rate-limit

Syntax

arp rate-limit { disable | rate pps drop }

undo arp rate-limit

View

Layer-2 Ethernet interface view

Default Level

2: System level

Parameters

disable: Disables ARP packet rate limit.

rate pps: ARP packet rate in pps, in the range 50 to 500.

drop: Discards the exceeded packets.

Description

Use the arp rate-limit command to configure or disable ARP packet rate limit on an interface.

Use the undo arp rate-limit command to restore the default.

By default, ARP packet rate limit is enabled, and the ARP packet rate limit is 100 pps.

Examples

# Specify the ARP packet rate on GigabitEthernet1/0/1 as 50 pps, and discard exceeded packets.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp rate-limit rate 50 drop

Source MAC Address-Based ARP Attack Detection Configuration Commands

arp anti-attack source-mac

Syntax

arp anti-attack source-mac { filter | monitor }

undo arp anti-attack source-mac [ filter | monitor ]

View

System view

Default Level

2: System level

Parameters

filter: Specifies the filter mode.

monitor: Specifies the monitor mode.

Description

Use the arp anti-attack source-mac command to enable source MAC address-based ARP attack detection and specify the detection mode.

Use the undo arp anti-attack source-mac command to restore the default.

By default, source MAC address-based ARP attack detection is disabled.

After you enable this feature, the device checks the source MAC address of ARP packets received from the VLAN. If the number of ARP packets received from a source MAC address within five seconds exceeds the specified threshold:

•   In filter detection mode, the device displays an alarm and filters out the ARP packets from the MAC address.

•   In monitor detection mode, the device only displays an alarm.

Note that: If no detection mode is specified in the undo arp anti-attack source-mac command, both detection modes are disabled.

Examples

# Enable filter-mode source MAC address-based ARP attack detection.

<Sysname> system-view

[Sysname] arp anti-attack source-mac filter

arp anti-attack source-mac aging-time

Syntax

arp anti-attack source-mac aging-time time

undo arp anti-attack source-mac aging-time

View

System view

Default Level

2: System level

Parameters

time: Aging timer for protected MAC addresses, in the range of 60 to 6000 seconds.

Description

Use the arp anti-attack source-mac aging-time command to configure the aging timer for protected MAC addresses.

Use the undo arp anti-attack source-mac aging-time command to restore the default.

By default, the aging timer for protected MAC addresses is 300 seconds (five minutes).

Examples

# Configure the aging timer for protected MAC addresses as 60 seconds.

<Sysname> system-view

[Sysname] arp anti-attack source-mac aging-time 60

arp anti-attack source-mac exclude-mac

Syntax

arp anti-attack source-mac exclude-mac mac-address&<1-10>

undo arp anti-attack source-mac exclude-mac [ mac-address&<1-10> ]

View

System view

Default Level

2: System level

Parameters

mac-address&<1-10>: MAC address list. The mac-address argument indicates a protected MAC address in the format H-H-H. &<1-10> indicates that you can configure up to 10 protected MAC addresses.

Description

Use the arp anti-attack source-mac exclude-mac command to configure protected MAC addresses which will be excluded from ARP packet detection.

Use the undo arp anti-attack source-mac exclude-mac command to remove the configured protected MAC addresses.

By default, no protected MAC address is configured.

Note that: If no MAC address is specified in the undo arp anti-attack source-mac exclude-mac command, all the configured protected MAC addresses are removed.

Examples

# Configure a protected MAC address.

<Sysname> system-view

[Sysname] arp anti-attack source-mac exclude-mac 2-2-2

arp anti-attack source-mac threshold

Syntax

arp anti-attack source-mac threshold threshold-value

undo arp anti-attack source-mac threshold

View

System view

Default Level

2: System level

Parameters

threshold-value: Threshold for source MAC address-based ARP attack detection, in the range of 10 to 100.

Description

Use the arp anti-attack source-mac threshold command to configure the threshold for source MAC address-based ARP attack detection. If the number of ARP packets sent from a MAC address within five seconds exceeds this threshold, the device considers this an attack.

Use the undo arp anti-attack source-mac threshold command to restore the default.

By default, the threshold for source MAC address-based ARP attack detection is 50.

Examples

# Configure the threshold for source MAC address-based ARP attack detection as 30.

<Sysname> system-view

[Sysname] arp anti-attack source-mac threshold 30
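The four arp anti-attack source-mac commands above (mode, aging-time, exclude-mac and threshold) configure one detection mechanism: count ARP packets per source MAC address over five seconds, and when the count exceeds the threshold raise an alarm and, in filter mode, drop that MAC's packets until its entry ages out. The Python model below is added here as an example and is not H3C code or a description of the switch firmware; the class and method names are its own, the five-second window is modelled as a sliding window (an assumption about how the device counts), and the traffic it processes is constructed. The same windowed counting, keyed by source IP address and counting only packets with unresolvable destinations, is what arp source-suppression limit applies.

```python
# Added example (not H3C code): a model of source MAC address-based ARP attack
# detection as the command reference describes it. Class and method names are
# this example's own; the five-second window is modelled as a sliding window,
# which is an assumption about how the device counts.
from collections import defaultdict, deque

WINDOW_SECONDS = 5  # the counting window stated in the command reference


class SourceMacDetector:
    """Per-source-MAC ARP packet counter with filter and monitor modes."""

    def __init__(self, mode="filter", threshold=50, aging_time=300, exclude=()):
        # Range checks mirror the parameter ranges in the command reference.
        if mode not in ("filter", "monitor"):
            raise ValueError("mode must be 'filter' or 'monitor'")
        if not 10 <= threshold <= 100:
            raise ValueError("threshold-value must be in the range 10 to 100")
        if not 60 <= aging_time <= 6000:
            raise ValueError("aging time must be in the range 60 to 6000 seconds")
        if len(exclude) > 10:
            raise ValueError("at most 10 protected MAC addresses can be excluded")
        self.mode = mode
        self.threshold = threshold
        self.aging_time = aging_time
        self.exclude = {m.lower() for m in exclude}  # exclude-mac list
        self._seen = defaultdict(deque)  # MAC -> arrival times inside the window
        self._attackers = {}             # MAC -> time its entry ages out
        self.alarms = []                 # (time, MAC) for every detection event

    def process(self, ts, src_mac):
        """Decide one ARP packet arriving at time ts: 'forward' or 'drop'."""
        mac = src_mac.lower()
        if mac in self.exclude:          # protected MACs are never examined
            return "forward"
        expiry = self._attackers.get(mac)
        if expiry is not None:
            if ts < expiry:              # still within the aging time
                return "drop" if self.mode == "filter" else "forward"
            del self._attackers[mac]     # entry aged out; start counting again
        arrivals = self._seen[mac]
        arrivals.append(ts)
        while arrivals and ts - arrivals[0] >= WINDOW_SECONDS:
            arrivals.popleft()           # forget packets older than the window
        if len(arrivals) > self.threshold:
            self.alarms.append((ts, mac))  # the alarm both modes raise
            self._attackers[mac] = ts + self.aging_time
            arrivals.clear()
            return "drop" if self.mode == "filter" else "forward"
        return "forward"

    def attacking_macs(self, now):
        """What display arp anti-attack source-mac would list at time now."""
        return sorted(mac for mac, exp in self._attackers.items() if now < exp)


if __name__ == "__main__":
    # Constructed traffic: 12 ARP packets in 1.1 seconds from one MAC.
    det = SourceMacDetector(mode="filter", threshold=10, aging_time=60,
                            exclude=["2-2-2"])
    for i in range(12):
        print(i, det.process(i * 0.1, "23f3-1122-3344"))
    print("attacking MACs:", det.attacking_macs(5.0))
```

With threshold 10 the eleventh packet inside the window is the first one dropped, and the MAC stays filtered for the configured aging time even if it falls silent; monitor mode records the same alarm but keeps forwarding, which is the mode to start with when a legitimate busy host might otherwise be cut off.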

display arp anti-attack source-mac

Syntax

display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number }

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays attacking MAC addresses detected on the interface.

slot slot-number: Displays attacking MAC addresses detected on the specified device. The slot-number argument is the member number of the device in the IRF virtual device, which you can display with the display irf command. The value range for the slot-number argument depends on the number of members and numbering conditions in the current IRF virtual device. If no IRF virtual device exists, the slot-number argument is the current device number.

Description

Use the display arp anti-attack source-mac command to display attacking MAC addresses detected by source MAC address-based ARP attack detection.

On a device, if no interface is specified, the display arp anti-attack source-mac command displays attacking MAC addresses detected on all the interfaces.

Examples

<Sysname> display arp anti-attack source-mac slot 1

Source-MAC          VLAN ID           Interface             Aging-time

23f3-1122-3344      4094              GE1/0/1                 10

23f3-1122-3355      4094              GE1/0/2                 30

23f3-1122-33ff      4094              GE1/0/3                 25

23f3-1122-33ad      4094              GE1/0/4                 30

23f3-1122-33ce      4094              GE1/0/5                 2

ARP Packet Source MAC Address Consistency Check Configuration Commands

arp anti-attack valid-check enable

Syntax

arp anti-attack valid-check enable

undo arp anti-attack valid-check enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp anti-attack valid-check enable command to enable ARP packet source MAC address consistency check on the gateway. After you execute this command, the gateway device can filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message.

Use the undo arp anti-attack valid-check enable command to restore the default.

By default, ARP packet source MAC address consistency check is disabled.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp anti-attack valid-check enable

ARP Active Acknowledgement Configuration Commands

arp anti-attack active-ack enable

Syntax

arp anti-attack active-ack enable

undo arp anti-attack active-ack enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement function.

Use the undo arp anti-attack active-ack enable command to restore the default.

By default, the ARP active acknowledgement function is disabled.

Typically, this feature is configured on gateway devices to identify invalid ARP packets.

Examples

# Enable the ARP active acknowledgement function.

<Sysname> system-view

[Sysname] arp anti-attack active-ack enable

ARP Detection Configuration Commands

arp detection enable

Syntax

arp detection enable

undo arp detection enable

View

VLAN view

Default Level

2: System level

Parameters

None

Description

Use the arp detection enable command to enable ARP detection for the VLAN.

Use the undo arp detection enable command to restore the default.

By default, ARP detection is disabled for a VLAN.

Examples

# Enable ARP detection for VLAN 1.

<Sysname> system-view

[Sysname] vlan 1

[Sysname-Vlan1] arp detection enable

arp detection trust

Syntax

arp detection trust

undo arp detection trust

View

Layer 2 Ethernet port view

Default Level

2: System level

Parameters

None

Description

Use the arp detection trust command to configure the port as an ARP trusted port.

Use the undo arp detection trust command to restore the default.

By default, the port is an ARP untrusted port.

Examples

# Configure GigabitEthernet1/0/1 as an ARP trusted port.

<Sysname> system-view

[Sysname] interface GigabitEthernet1/0/1

[Sysname-GigabitEthernet1/0/1] arp detection trust

arp detection validate

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

View

System view

Default Level

2: System level

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests will be checked.

src-mac: Checks whether the source MAC address of an ARP packet is identical to that in its Ethernet header. If they are identical, the packet is considered valid; otherwise, the packet is discarded.

Description

Use the arp detection validate command to configure ARP detection based on specified objects. You can specify one or more objects in one command line.

Use the undo arp detection validate command to remove detected objects. If no keyword is specified, all the detected objects are removed.

By default, ARP detection based on specified objects is disabled.

Examples

# Enable the checking of the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac src-mac ip
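The dst-mac, ip and src-mac keywords each describe a concrete test on the fields of an ARP frame, and the src-mac test is the same Ethernet-header-versus-ARP-sender comparison that arp anti-attack valid-check enable performs on a gateway. The Python block below is an added example, not H3C code: it parses a raw Ethernet II + ARP frame and reports which of the selected checks it fails. It assumes IPv4-over-Ethernet ARP only, reads "multicast IP address" as 224.0.0.0/4, and builds its sample frames itself.

```python
# Added example (not H3C code): the ARP packet checks that `arp detection
# validate { dst-mac | ip | src-mac }` selects, applied to a raw Ethernet frame.
# Assumptions: IPv4-over-Ethernet ARP only; "multicast IP address" is read as
# 224.0.0.0/4; the sample frames are constructed for this example.
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype ptype hlen plen op SHA SPA THA TPA
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text):
    """Accept 00:11:22:33:44:55 or the H-H-H form 0011-2233-4455."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def ip(text):
    return IPv4Address(text).packed


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa):
    """Construct an Ethernet II + ARP frame (used only to make sample input)."""
    return (ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa)))


def parse_arp_frame(frame):
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only IPv4 over Ethernet is modelled")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}


def _invalid_mac(m):
    return m in (b"\x00" * 6, b"\xff" * 6)      # all-zero or all-one


def _invalid_ip(addr):
    return (addr in (b"\x00" * 4, b"\xff" * 4)   # all-zero or all-one
            or IPv4Address(addr).is_multicast)


def validate(frame, checks=("dst-mac", "ip", "src-mac")):
    """Return the names of the selected checks the frame fails ([] means valid)."""
    p = parse_arp_frame(frame)
    failed = []
    # src-mac: Ethernet source MAC must equal the ARP sender MAC. This is also
    # the consistency check that arp anti-attack valid-check enable applies.
    if "src-mac" in checks and p["sha"] != p["eth_src"]:
        failed.append("src-mac")
    # dst-mac: replies only; the target MAC must not be all-zero or all-one
    # and must match the Ethernet destination MAC.
    if "dst-mac" in checks and p["op"] == ARP_REPLY:
        if _invalid_mac(p["tha"]) or p["tha"] != p["eth_dst"]:
            failed.append("dst-mac")
    # ip: sender and target IP of replies, sender IP only of requests.
    if "ip" in checks:
        addrs = [p["spa"]] if p["op"] == ARP_REQUEST else [p["spa"], p["tpa"]]
        if any(_invalid_ip(a) for a in addrs):
            failed.append("ip")
    return failed


if __name__ == "__main__":
    # Constructed sample: a reply whose ARP sender MAC differs from the frame's source MAC.
    spoofed = build_arp("00:11:22:33:44:55", "00:11:22:33:44:55", ARP_REPLY,
                        "aa:bb:cc:dd:ee:ff", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.5")
    print("failed checks:", validate(spoofed))
```

A request legitimately carries an all-zero target MAC, which is why the dst-mac test is applied to replies only, exactly as the parameter description states; the ip test likewise skips the target IP of requests.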

display arp detection

Syntax

display arp detection

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display arp detection command to display the VLAN(s) enabled with ARP detection.

Related commands: arp detection enable.

Examples

# Display the VLANs enabled with ARP detection.

<Sysname> display arp detection

ARP detection is enabled in the following VLANs:

1, 2, 4-5

Table 1-2 display arp detection command output description

Field                                             Description
ARP detection is enabled in the following VLANs   VLANs that are enabled with ARP detection

display arp detection statistics

Syntax

display arp detection statistics [ interface interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the ARP detection statistics of a specified interface.

Description

Use the display arp detection statistics command to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces will be displayed.

Examples

# Display the ARP detection statistics of all the interfaces.

<Sysname> display arp detection statistics

State: U-Untrusted  T-Trusted

ARP packets dropped by ARP inspect checking:

Interface(State)           IP            Src-MAC       Dst-MAC       Inspect

BAGG1(U)                   0             0             0             0

GE1/0/1(T)                 0             0             0             0

GE1/0/2(U)                 0             0             0             0

GE1/0/3(U)                 0             0             0             0

GE1/0/4(U)                 0             0             0             0

GE1/0/5(U)                 0             0             0             0

GE1/0/6(U)                 0             0             0             0

GE1/0/7(U)                 0             0             0             0

GE1/0/8(U)                 0             0             0             0

GE1/0/9(U)                 0             0             0             0

GE1/0/10(U)                0             0             0             0

GE1/0/11(U)                0             0             0             0

Table 1-3 display arp detection statistics command output description

Field              Description
Interface(State)   State T or U identifies a trusted or untrusted port.
IP                 Number of ARP packets discarded due to invalid source and destination IP addresses
Src-MAC            Number of ARP packets discarded due to invalid source MAC address
Dst-MAC            Number of ARP packets discarded due to invalid destination MAC address
Inspect            Number of ARP packets that failed to pass ARP detection (based on static IP source guard binding entries, DHCP snooping entries, 802.1X security entries, or OUI MAC addresses)

reset arp detection statistics

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

View

User view

Default Level

2: System level

Parameters

interface interface-type interface-number: Clears the ARP detection statistics of a specified interface.

Description

Use the reset arp detection statistics command to clear ARP detection statistics of a specified interface. If no interface is specified, the statistics of all the interfaces will be cleared.

Examples

# Clear the ARP detection statistics of all the interfaces.

<Sysname> reset arp detection statistics
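Because display arp detection statistics only reports discard counts, a monitoring job that wants to alert on ARP detection activity has to parse that table and compare successive polls. The Python block below is an added example, not H3C code: it parses the output format shown above, lists the ports with any discards, and computes counter increases between two polls (a counter that went down, as it does after reset arp detection statistics, is treated as no increase). The sample output is constructed for this example and its non-zero counters are invented, not taken from the page.

```python
# Added example (not H3C code): a parser for the `display arp detection
# statistics` output format, plus the two checks a monitoring job would run
# on it. The sample text is constructed; its non-zero counters are invented.
import re

SAMPLE_OUTPUT = """\
State: U-Untrusted  T-Trusted
ARP packets dropped by ARP inspect checking:
Interface(State)           IP            Src-MAC       Dst-MAC       Inspect
BAGG1(U)                   0             0             0             0
GE1/0/1(T)                 0             0             0             0
GE1/0/2(U)                 12            0             3             0
GE1/0/3(U)                 0             0             0             7
"""

COUNTERS = ("ip", "src_mac", "dst_mac", "inspect")   # the four table columns
ROW = re.compile(r"^(?P<iface>\S+?)\((?P<state>[UT])\)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_detection_statistics(text):
    """Return one dict per interface row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        counts = [int(v) for v in m.groups()[2:]]
        rows.append({"interface": m.group("iface"),
                     "trusted": m.group("state") == "T",
                     **dict(zip(COUNTERS, counts))})
    return rows


def ports_with_drops(rows):
    """Interfaces that have discarded at least one ARP packet."""
    return [r["interface"] for r in rows if any(r[c] for c in COUNTERS)]


def drop_delta(previous, current):
    """Counter increases between two polls, keyed by interface.

    Only positive changes are reported, so a counter that was cleared by
    `reset arp detection statistics` between the polls does not show up as
    a negative value.
    """
    prev = {r["interface"]: r for r in previous}
    delta = {}
    for r in current:
        base = prev.get(r["interface"])
        inc = {c: r[c] - (base[c] if base else 0) for c in COUNTERS}
        inc = {c: v for c, v in inc.items() if v > 0}
        if inc:
            delta[r["interface"]] = inc
    return delta


if __name__ == "__main__":
    rows = parse_detection_statistics(SAMPLE_OUTPUT)
    print("ports with discards:", ports_with_drops(rows))
```

In practice the job keeps the previous poll's rows and alerts on drop_delta, since the absolute counts only grow until someone clears them.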

ARP Automatic Scanning and Fixed ARP Configuration Commands

arp fixup

Syntax

arp fixup

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp fixup command to change dynamic ARP entries into static ARP entries.

Note that:

•   The static ARP entries changed from dynamic ARP entries have the same attributes as the static ARP entries manually configured. Use the arp fixup command to change the recently created dynamic ARP entries into static.

•   The number of static ARP entries changed from dynamic ARP entries is restricted by the number of static ARP entries that the device supports. As a result, the device may fail to change all dynamic ARP entries into static.

•   Suppose that the number of dynamic ARP entries is D and that of the existing static ARP entries is S. When the dynamic ARP entries are changed into static, new dynamic ARP entries may be created (suppose the number is M) and some of the dynamic ARP entries may be aged out (suppose the number is N). After the process is complete, the number of static ARP entries is D + S + M − N.

•   To delete a specific static ARP entry changed from a dynamic one, use the undo arp ip-address [ vpn-instance-name ] command. To delete all such static ARP entries, use the reset arp all or reset arp static command.

Examples

# Enable Fixed ARP.

<Sysname> system-view

[Sysname] arp fixup

arp scan

Syntax

arp scan [ start-ip-address to end-ip-address ]

View

VLAN interface view

Default Level

2: System level

Parameters

start-ip-address: Start IP address of the scanning range.

end-ip-address: End IP address of the scanning range. The end IP address must be higher than or equal to the start IP address.

Description

Use the arp scan command to enable ARP automatic scanning.

Note that:

•   If start and end IP addresses are specified, the device scans the specified address range for neighbors and learns their ARP entries. If not, the device only scans the network where the primary IP address of the interface resides for neighbors.

•   The start IP address and end IP address must be on the same network as the primary IP address or manually configured secondary IP addresses of the interface.

•   IP addresses that already exist in ARP entries are not scanned.

•   ARP automatic scanning may take some time. To stop an ongoing scan, press Ctrl + C. Dynamic ARP entries are created based on ARP replies received before the scan is terminated.

Examples

# Configure the device to scan the network where the primary IP address of VLAN-interface 2 resides for neighbors.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp scan

# Configure the device to scan a specific address range for neighbors.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp scan 1.1.1.1 to 1.1.1.20

ARP Gateway Protection Configuration Commands

arp filter source

Syntax

arp filter source ip-address

undo arp filter source ip-address

View

Layer 2 Ethernet interface view

Default Level

2: System level

Parameters

ip-address: IP address of a protected gateway.

Description

Use the arp filter source command to enable ARP gateway protection for a specified gateway.

Use the undo arp filter source command to disable ARP gateway protection for a specified gateway.

By default, ARP gateway protection is disabled.

Note:

•   You can enable ARP gateway protection for up to eight gateways on a port.

•   The arp filter source and arp filter binding commands cannot both be configured on a port.

Examples

# Enable ARP gateway protection for the gateway with IP address 1.1.1.1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-gigabitethernet1/0/1] arp filter source 1.1.1.1

ARP Filtering Configuration Commands

arp filter binding

Syntax

arp filter binding ip-address mac-address

undo arp filter binding ip-address

View

Layer 2 Ethernet interface view

Default Level

2: System level

Parameters

ip-address: Permitted sender IP address.

mac-address: Permitted sender MAC address.

Description

Use the arp filter binding command to configure an ARP filtering entry. If the sender IP and MAC addresses of an ARP packet match an ARP filtering entry, the ARP packet is permitted. If not, it is discarded.

Use the undo arp filter binding command to remove an ARP filtering entry.

By default, no ARP filtering entry is configured.

Note:

•   You can configure up to eight ARP filtering entries on a port.

•   The arp filter source and arp filter binding commands cannot both be configured on a port.

Examples

# Configure an ARP filtering entry with permitted sender IP address 1.1.1.1 and MAC address 2-2-2.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-gigabitethernet1/0/1] arp filter binding 1.1.1.1 2-2-2
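The arp filter binding and arp filter source commands both build a small per-port table (at most eight entries each, and never both on the same port), and the port then permits or discards each ARP packet by its sender IP and MAC addresses. The Python model below is an added example, not H3C code; its class and method names are its own, and it expands the H-H-H shorthand the page uses (2-2-2 is 0002-0002-0002). The page states only that arp filter source protects the specified gateway; that the port discards ARP packets whose sender IP address is a protected gateway's address is this model's assumption about what that protection does.

```python
# Added example (not H3C code): a model of the per-port configuration that
# `arp filter binding` and `arp filter source` build, and of the decision the
# port makes for an ARP packet. Names are this example's own. The gateway
# protection rule (discard packets whose sender IP is a protected gateway's
# address) is an assumption; the page only says the gateway is protected.
MAX_ENTRIES = 8   # both features allow up to eight entries per port


class ConfigError(Exception):
    """Raised for a configuration the command reference says is not allowed."""


def normalize_mac(text):
    """Expand the H-H-H shorthand used on the page: 2-2-2 -> 0002-0002-0002."""
    parts = text.lower().split("-")
    if len(parts) != 3:
        raise ValueError("MAC address must be in H-H-H format")
    for p in parts:
        if not 1 <= len(p) <= 4:
            raise ValueError("each H group is 1 to 4 hex digits")
        int(p, 16)   # raises ValueError on a non-hex group
    return "-".join(p.zfill(4) for p in parts)


class PortArpPolicy:
    def __init__(self, name):
        self.name = name
        self.bindings = {}      # sender IP -> sender MAC (arp filter binding)
        self.gateways = set()   # protected gateway IPs (arp filter source)

    def add_binding(self, ip, mac):            # arp filter binding ip mac
        if self.gateways:
            raise ConfigError("arp filter source and arp filter binding cannot both be configured on a port")
        if ip not in self.bindings and len(self.bindings) >= MAX_ENTRIES:
            raise ConfigError("up to eight ARP filtering entries per port")
        self.bindings[ip] = normalize_mac(mac)

    def remove_binding(self, ip):              # undo arp filter binding ip
        self.bindings.pop(ip, None)

    def add_gateway(self, ip):                 # arp filter source ip
        if self.bindings:
            raise ConfigError("arp filter source and arp filter binding cannot both be configured on a port")
        if ip not in self.gateways and len(self.gateways) >= MAX_ENTRIES:
            raise ConfigError("up to eight protected gateways per port")
        self.gateways.add(ip)

    def remove_gateway(self, ip):              # undo arp filter source ip
        self.gateways.discard(ip)

    def check(self, sender_ip, sender_mac):
        """'permit' or 'discard' for an ARP packet received on this port."""
        if self.bindings:
            # ARP filtering: only a packet matching a configured entry passes.
            ok = self.bindings.get(sender_ip) == normalize_mac(sender_mac)
            return "permit" if ok else "discard"
        if self.gateways:
            # Gateway protection (assumed semantics): a packet claiming a
            # protected gateway's IP as its sender is discarded.
            return "discard" if sender_ip in self.gateways else "permit"
        return "permit"


if __name__ == "__main__":
    port = PortArpPolicy("GigabitEthernet1/0/1")
    port.add_binding("1.1.1.1", "2-2-2")        # the entry from the page's example
    print(port.check("1.1.1.1", "0002-0002-0002"))   # permit
    print(port.check("1.1.1.1", "0002-0002-0003"))   # discard
```

The eight-entry limit and the mutual exclusion are enforced at configuration time rather than at packet time, which is also where a configuration audit tool would catch them.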

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.