H3C S5120-SI Series Ethernet Switches Command Reference-Release 1101-6W105

13-ARP Commands

ARP Configuration Commands

arp check enable

Syntax

arp check enable

undo arp check enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp check enable command to enable ARP entry check. With this function enabled, the device cannot learn any ARP entry with a multicast MAC address, and an attempt to configure such a static ARP entry is rejected with an error message.

Use the undo arp check enable command to disable the function. After the ARP entry check is disabled, the device can learn the ARP entry with a multicast MAC address, and you can also configure such a static ARP entry on the device.

By default, ARP entry check is enabled.

Examples

# Enable ARP entry check.

<Sysname> system-view

[Sysname] arp check enable

arp max-learning-num

Syntax

arp max-learning-num number

undo arp max-learning-num

View

Ethernet interface view, VLAN interface view, Layer-2 aggregate interface view

Default Level

2: System level

Parameters

number: Maximum number of dynamic ARP entries that an interface can learn. The value is in the range 0 to 256.

Description

Use the arp max-learning-num command to configure the maximum number of dynamic ARP entries that an interface can learn.

Use the undo arp max-learning-num command to restore the default.

By default, the maximum number of dynamic ARP entries that an interface can learn is 256.

Examples

# Specify VLAN-interface 40 to learn up to 50 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface vlan-interface 40

[Sysname-Vlan-interface40] arp max-learning-num 50

# Specify Layer-2 aggregate interface Bridge-aggregation 1 to learn up to 100 dynamic ARP entries.

<Sysname> system-view

[Sysname] interface bridge-aggregation 1

[Sysname-Bridge-Aggregation1] arp max-learning-num 100

arp static

Syntax

arp static ip-address mac-address [ vlan-id interface-type interface-number ]

undo arp ip-address

View

System view

Default Level

2: System level

Parameters

ip-address: IP address in an ARP entry.

mac-address: MAC address in an ARP entry, in the format H-H-H.

vlan-id: ID of the VLAN to which a static ARP entry belongs, in the range 1 to 4094.

interface-type interface-number: Interface type and interface number.

Description

Use the arp static command to configure a static ARP entry in the ARP mapping table.

Use the undo arp command to remove an ARP entry.

Note that:

•  A static ARP entry is effective when the device works normally. However, when the VLAN or VLAN interface to which an ARP entry corresponds is deleted, the entry, if permanent, is deleted, and if non-permanent and resolved, becomes unresolved.

•  The vlan-id argument specifies the VLAN of an ARP entry and must be the ID of an existing VLAN. In addition, the Ethernet interface following the argument must belong to that VLAN, and the VLAN interface of the VLAN must have been created.

•  If both the vlan-id and ip-address arguments are specified, the IP address of the VLAN interface corresponding to the vlan-id argument must belong to the same network segment as the IP address specified by the ip-address argument.

Related commands: reset arp, display arp.

Examples

# Configure a static ARP entry, with the IP address being 202.38.10.2, the MAC address being 00e0-fc01-0000, and the outbound interface being GigabitEthernet 1/0/1 of VLAN 10.

<Sysname> system-view

[Sysname] arp static 202.38.10.2 00e0-fc01-0000 10 GigabitEthernet 1/0/1

arp timer aging

Syntax

arp timer aging aging-time

undo arp timer aging

View

System view

Default Level

2: System level

Parameters

aging-time: Aging time for dynamic ARP entries in minutes, in the range 1 to 1,440.

Description

Use the arp timer aging command to set aging time for dynamic ARP entries.

Use the undo arp timer aging command to restore the default.

By default, the aging time for dynamic ARP entries is 20 minutes.

Related commands: display arp timer aging.

Examples

# Set aging time for dynamic ARP entries to 10 minutes.

<Sysname> system-view

[Sysname] arp timer aging 10

display arp

Syntax

display arp [ [ all | dynamic | static ] | vlan vlan-id | interface interface-type interface-number ] [ [ | { begin | exclude | include } regular-expression ] | count ]

View

Any view

Default Level

1: Monitor level

Parameters

all: Displays all ARP entries.

dynamic: Displays dynamic ARP entries.

static: Displays static ARP entries.

vlan vlan-id: Displays the ARP entries of the specified VLAN. The VLAN ID ranges from 1 to 4,094.

interface interface-type interface-number: Displays the ARP entries of the interface specified by the argument interface-type interface-number.

|: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Basic System Configuration.

begin: Displays ARP entries from the first one containing the specified string.

exclude: Displays the ARP entries that do not contain the specified string.

include: Displays the ARP entries containing the specified string.

regular-expression: A case-sensitive string for matching, consisting of 1 to 256 characters.

count: Displays the number of ARP entries.

Description

Use the display arp command to display ARP entries in the ARP mapping table.

If no parameter is specified, all ARP entries are displayed.

Related commands: arp static, reset arp.

Examples

# Display the detailed information of all ARP entries.

<Sysname> display arp all

                Type: S-Static    D-Dynamic

 IP Address       MAC Address     VLAN ID  Interface              Aging Type

192.168.0.57     00e0-fc00-000b  1        GE1/0/23               10    D

192.168.0.56     000f-cb00-5601  1        GE1/0/23               10    D

Table 1-1 display arp command output description

Field         Description
IP Address    IP address in an ARP entry
MAC Address   MAC address in an ARP entry
VLAN ID       VLAN ID contained in a static ARP entry
Interface     Outbound interface in an ARP entry
Aging         Aging time for a dynamic ARP entry in minutes ("N/A" means unknown aging time or no aging time)
Type          ARP entry type: D for dynamic, S for static

# Display the number of all ARP entries.

<Sysname> display arp all count

 Total Entry(ies): 2

display arp ip-address

Syntax

display arp ip-address [ | { begin | exclude | include } regular-expression ]

View

Any view

Default Level

1: Monitor level

Parameters

ip-address: Displays the ARP entry for the specified IP address.

|: Uses a regular expression to specify the ARP entries to be displayed. For detailed information about regular expressions, refer to Basic System Configuration.

begin: Displays the ARP entries from the first one containing the specified string.

exclude: Displays the ARP entries that do not contain the specified string.

include: Displays the ARP entries that contain the specified string.

regular-expression: A case-sensitive string for matching, consisting of 1 to 256 characters.

Description

Use the display arp ip-address command to display the ARP entry for a specified IP address.

Related commands: arp static, reset arp.

Examples

# Display the corresponding ARP entry for the IP address 20.1.1.1.

<Sysname> display arp 20.1.1.1

                Type: S-Static    D-Dynamic

IP Address       MAC Address     VLAN ID  Interface              Aging Type

20.1.1.1         00e0-fc00-0001  N/A      N/A                    N/A   S

display arp timer aging

Syntax

display arp timer aging

View

Any view

Default Level

2: System level

Parameters

None

Description

Use the display arp timer aging command to display the aging time for dynamic ARP entries.

Related commands: arp timer aging.

Examples

# Display the aging time for dynamic ARP entries.

<Sysname> display arp timer aging

Current ARP aging time is 10 minute(s)

reset arp

Syntax

reset arp { all | dynamic | static | interface interface-type interface-number }

View

User view

Default Level

2: System level

Parameters

all: Clears all ARP entries.

dynamic: Clears all dynamic ARP entries.

static: Clears all static ARP entries.

interface interface-type interface-number: Clears the ARP entries for the interface specified by the argument interface-type interface-number.

Description

Use the reset arp command to clear ARP entries except authorized ARP entries from the ARP mapping table.

Related commands: arp static, display arp.

Examples

# Clear all static ARP entries.

<Sysname> reset arp static

Gratuitous ARP Configuration Commands

gratuitous-arp-sending enable

Syntax

gratuitous-arp-sending enable

undo gratuitous-arp-sending enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the gratuitous-arp-sending enable command to enable a device to send gratuitous ARP packets when receiving ARP requests from another network segment.

Use the undo gratuitous-arp-sending enable command to restore the default.

By default, a device cannot send gratuitous ARP packets when receiving ARP requests from another network segment.

Examples

# Disable a device from sending gratuitous ARP packets.

<Sysname> system-view

[Sysname] undo gratuitous-arp-sending enable

gratuitous-arp-learning enable

Syntax

gratuitous-arp-learning enable

undo gratuitous-arp-learning enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the gratuitous-arp-learning enable command to enable the gratuitous ARP packet learning function.

Use the undo gratuitous-arp-learning enable command to disable the function.

By default, the function is enabled.

With this function enabled, a device that receives a gratuitous ARP packet adds the source IP and MAC addresses carried in the packet to its dynamic ARP table if no ARP entry for that source IP address exists in the cache. If a corresponding ARP entry already exists, the device updates it regardless of whether this function is enabled.

Examples

# Enable the gratuitous ARP packet learning function.

<Sysname> system-view

[Sysname] gratuitous-arp-learning enable


ARP Active Acknowledgement Configuration Commands

arp anti-attack active-ack enable

Syntax

arp anti-attack active-ack enable

undo arp anti-attack active-ack enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement function.

Use the undo arp anti-attack active-ack enable command to restore the default.

By default, the ARP active acknowledgement function is disabled.

Typically, this feature is configured on gateway devices to identify invalid ARP packets.

With this feature enabled, the gateway, upon receiving an ARP packet with a different source MAC address from that in the corresponding ARP entry, checks whether the ARP entry has been updated within the last minute:

•  If yes, the ARP entry is not updated.

•  If not, the gateway sends a unicast request to the source MAC address of the ARP entry. Then:

   •  If a response is received within five seconds, the ARP packet is ignored.

   •  If no response is received, the gateway sends a unicast request to the source MAC address of the ARP packet. Then:

      •  If a response is received within five seconds, the gateway updates the ARP entry.

      •  If not, the ARP entry is not updated.
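The decision sequence above, modelled in Python as an added example (not H3C code): the probe callback stands in for "send a unicast ARP request and wait five seconds", and the host MACs, IP address and timings are a constructed scenario.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

RECENT_UPDATE_WINDOW = 60.0  # "updated within the last minute", in seconds


@dataclass
class ArpEntry:
    mac: str           # H-H-H format, as shown by the device
    updated_at: float  # time of the last update, in seconds


class ActiveAckGateway:
    """Models the active-acknowledgement decision a gateway makes for one
    ARP packet whose source MAC differs from the existing entry."""

    def __init__(self) -> None:
        self.table: Dict[str, ArpEntry] = {}
        self.probes: List[str] = []  # MACs that were sent a unicast request

    def handle_arp(self, ip: str, src_mac: str, now: float,
                   probe: Callable[[str], bool]) -> str:
        # probe(mac) stands for "send a unicast ARP request to mac and wait
        # five seconds"; it returns True when a response arrives in time.
        entry = self.table.get(ip)
        if entry is None:
            # Assumption: with no existing entry the packet is learned normally.
            self.table[ip] = ArpEntry(src_mac, now)
            return "learned"
        if entry.mac == src_mac:
            entry.updated_at = now
            return "refreshed"
        # Source MAC differs from the entry: active acknowledgement applies.
        if now - entry.updated_at < RECENT_UPDATE_WINDOW:
            return "ignored-recent"          # entry updated within the last minute
        self.probes.append(entry.mac)
        if probe(entry.mac):
            return "ignored-owner-alive"     # current owner answered; packet ignored
        self.probes.append(src_mac)
        if probe(src_mac):
            self.table[ip] = ArpEntry(src_mac, now)
            return "updated-new-owner"       # new source MAC answered; entry updated
        return "not-updated"                 # neither MAC answered


def run_scenario() -> Tuple[List[str], ActiveAckGateway]:
    """Constructed sequence: host 0001 owns 192.168.0.10, then other MACs
    claim the same IP under different reachability conditions."""
    gw = ActiveAckGateway()
    alive = {"00e0-fc00-0001"}  # constructed: MACs that answer unicast requests

    def probe(mac: str) -> bool:
        return mac in alive

    ip = "192.168.0.10"
    out = [gw.handle_arp(ip, "00e0-fc00-0001", 0.0, probe)]       # learned
    out.append(gw.handle_arp(ip, "00e0-fc00-00ff", 30.0, probe))  # ignored-recent
    out.append(gw.handle_arp(ip, "00e0-fc00-00ff", 90.0, probe))  # ignored-owner-alive
    alive.clear()
    alive.add("00e0-fc00-00ff")  # 0001 has gone silent; 00ff is now the real host
    out.append(gw.handle_arp(ip, "00e0-fc00-00ff", 100.0, probe))  # updated-new-owner
    alive.clear()                # nobody answers the unicast requests
    out.append(gw.handle_arp(ip, "00e0-fc00-0002", 200.0, probe))  # not-updated
    return out, gw


if __name__ == "__main__":
    decisions, gateway = run_scenario()
    print(decisions, gateway.table)
```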

Examples

# Enable the ARP active acknowledgement function.

<Sysname> system-view

[Sysname] arp anti-attack active-ack enable

Source MAC Address Based ARP Attack Detection Configuration Commands

arp anti-attack source-mac

Syntax

arp anti-attack source-mac { filter | monitor }

undo arp anti-attack source-mac [ filter | monitor ]

View

System view

Default Level

2: System level

Parameters

filter: Specifies the filter mode.

monitor: Specifies the monitor mode.

Description

Use the arp anti-attack source-mac command to enable source MAC address based ARP attack detection and specify the detection mode.

Use the undo arp anti-attack source-mac command to restore the default.

By default, source MAC address based ARP attack detection is disabled.

After you enable this feature, the device checks the source MAC address of ARP packets received from the VLAN. If the number of ARP packets received from a source MAC address within five seconds exceeds the specified threshold:

•  In filter detection mode, the device displays an alarm and filters out the ARP packets from the MAC address.

•  In monitor detection mode, the device only displays an alarm.

Note that: If no detection mode is specified in the undo arp anti-attack source-mac command, both detection modes are disabled.

Examples

# Enable filter-mode source MAC address based ARP attack detection.

<Sysname> system-view

[Sysname] arp anti-attack source-mac filter

arp anti-attack source-mac aging-time

Syntax

arp anti-attack source-mac aging-time time

undo arp anti-attack source-mac aging-time

View

System view

Default Level

2: System level

Parameters

time: Aging timer for protected MAC addresses, in the range of 60 to 6000 seconds.

Description

Use the arp anti-attack source-mac aging-time command to configure the aging timer for protected MAC addresses.

Use the undo arp anti-attack source-mac aging-time command to restore the default.

By default, the aging timer for protected MAC addresses is 300 seconds (five minutes).

Examples

# Configure the aging timer for protected MAC addresses as 60 seconds.

<Sysname> system-view

[Sysname] arp anti-attack source-mac aging-time 60

arp anti-attack source-mac exclude-mac

Syntax

arp anti-attack source-mac exclude-mac mac-address&<1-10>

undo arp anti-attack source-mac exclude-mac [ mac-address&<1-10> ]

View

System view

Default Level

2: System level

Parameters

mac-address&<1-10>: MAC address list. The mac-address argument indicates a protected MAC address in the format H-H-H. &<1-10> indicates the number of protected MAC addresses that you can configure.

Description

Use the arp anti-attack source-mac exclude-mac command to configure protected MAC addresses which will be excluded from ARP packet detection.

Use the undo arp anti-attack source-mac exclude-mac command to remove the configured protected MAC addresses.

By default, no protected MAC address is configured.

Note that: If no MAC address is specified in the undo arp anti-attack source-mac exclude-mac command, all the configured protected MAC addresses are removed.

Examples

# Configure a protected MAC address.

<Sysname> system-view

[Sysname] arp anti-attack source-mac exclude-mac 2-2-2

arp anti-attack source-mac threshold

Syntax

arp anti-attack source-mac threshold threshold-value

undo arp anti-attack source-mac threshold

View

System view

Default Level

2: System level

Parameters

threshold-value: Threshold for source MAC address based ARP attack detection, in the range of 10 to 100.

Description

Use the arp anti-attack source-mac threshold command to configure the threshold for source MAC address based ARP attack detection. If the number of ARP packets sent from a MAC address within five seconds exceeds this threshold, the device considers this an attack.

Use the undo arp anti-attack source-mac threshold command to restore the default.

By default, the threshold for source MAC address based ARP attack detection is 50.

Examples

# Configure the threshold for source MAC address based ARP attack detection as 30.

<Sysname> system-view

[Sysname] arp anti-attack source-mac threshold 30
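An added Python model (not H3C code) of how the threshold, the five-second window, the filter and monitor modes, the protected MAC list and the aging timer described in the arp anti-attack source-mac commands fit together. The MAC addresses and packet timings are constructed; that an alarm is raised once per aging period is a modelling assumption.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

DETECTION_WINDOW = 5.0  # packets per source MAC are counted over five seconds


class SourceMacArpDetector:
    """Models source MAC address based ARP attack detection for one VLAN."""

    def __init__(self, mode: str = "monitor", threshold: int = 50,
                 aging_time: int = 300, exclude_mac: Iterable[str] = ()) -> None:
        assert mode in ("filter", "monitor")
        assert 10 <= threshold <= 100        # arp anti-attack source-mac threshold
        assert 60 <= aging_time <= 6000      # arp anti-attack source-mac aging-time
        self.mode, self.threshold, self.aging_time = mode, threshold, aging_time
        self.protected: Set[str] = set(exclude_mac)   # exclude-mac list
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.attackers: Dict[str, float] = {}         # attacking MAC -> expiry time
        self.alarms: List[Tuple[str, float]] = []     # (mac, time) alarms raised

    def receive(self, mac: str, now: float) -> str:
        """Process one ARP packet (monotonic timestamps); return 'forward' or 'drop'."""
        if mac in self.protected:
            return "forward"                 # protected MACs are never checked
        for m, expiry in list(self.attackers.items()):
            if now >= expiry:                # aging timer expired: stop filtering
                del self.attackers[m]
        if mac in self.attackers:
            return "drop" if self.mode == "filter" else "forward"
        window = self.recent[mac]
        window.append(now)
        while now - window[0] >= DETECTION_WINDOW:
            window.popleft()                 # keep only the last five seconds
        if len(window) > self.threshold:
            # Threshold exceeded within five seconds: raise an alarm; in filter
            # mode also drop this and later packets until the aging timer expires.
            self.attackers[mac] = now + self.aging_time
            self.alarms.append((mac, now))
            return "drop" if self.mode == "filter" else "forward"
        return "forward"


def run_scenario() -> Dict[str, object]:
    """Constructed traffic; a threshold of 10 keeps the burst short to read."""
    det = SourceMacArpDetector(mode="filter", threshold=10, aging_time=60,
                               exclude_mac=["00e0-fc00-00aa"])
    burst = [det.receive("23f3-1122-3344", i / 10) for i in range(11)]  # 11 pkts in 1 s
    later = det.receive("23f3-1122-3344", 2.0)         # within the aging time
    after_aging = det.receive("23f3-1122-3344", 61.0)  # aging timer has expired
    protected = {det.receive("00e0-fc00-00aa", i / 10) for i in range(20)}
    mon = SourceMacArpDetector(mode="monitor", threshold=10, aging_time=60)
    monitor = {mon.receive("23f3-1122-3355", i / 10) for i in range(11)}
    return {"burst_drops": burst.count("drop"),  # 1: only the 11th packet
            "later": later,                       # 'drop'
            "after_aging": after_aging,           # 'forward'
            "protected": protected,               # {'forward'}
            "monitor": monitor,                   # {'forward'}: alarm only
            "monitor_alarms": len(mon.alarms)}    # 1


if __name__ == "__main__":
    print(run_scenario())
```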

display arp anti-attack source-mac

Syntax

display arp anti-attack source-mac [ interface interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays attacking MAC addresses detected on the interface.

Description

Use the display arp anti-attack source-mac command to display attacking MAC addresses detected by source MAC address based ARP attack detection.

If no interface is specified, the display arp anti-attack source-mac command displays attacking MAC addresses detected on all the interfaces.

Examples

# Display the attacking MAC addresses detected by source MAC address based ARP attack detection.

<Sysname> display arp anti-attack source-mac

Source-MAC          VLAN ID           Interface             Aging-time

23f3-1122-3344      4094              GE1/0/1                 10

23f3-1122-3355      4094              GE1/0/2                 30

23f3-1122-33ff      4094              GE1/0/3                 25

23f3-1122-33ad      4094              GE1/0/4                 30

23f3-1122-33ce      4094              GE1/0/5                 2

ARP Packet Rate Limit Configuration Commands

arp rate-limit

Syntax

arp rate-limit { disable | rate pps drop }

undo arp rate-limit

View

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

disable: Disables ARP packet rate limit.

rate pps: ARP packet rate in pps, in the range 5 to 100.

drop: Discards the exceeded packets.

Description

Use the arp rate-limit command to configure or disable ARP packet rate limit on an interface.

Use the undo arp rate-limit command to restore the default.

By default, ARP packet rate limit is not enabled.

Examples

# Set the ARP packet rate on GigabitEthernet1/0/1 to 50 pps and discard packets that exceed the rate.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp rate-limit rate 50 drop

ARP Detection Configuration Commands

arp detection enable

Syntax

arp detection enable

undo arp detection enable

View

VLAN view

Default Level

2: System level

Parameters

None

Description

Use the arp detection enable command to enable ARP detection for the VLAN.

Use the undo arp detection enable command to disable ARP detection for the VLAN.

By default, ARP detection is disabled for a VLAN.

Examples

# Enable ARP detection for VLAN 1.

<Sysname> system-view

[Sysname] vlan 1

[Sysname-Vlan1] arp detection enable

arp detection mode

Syntax

arp detection mode { dhcp-snooping | dot1x | static-bind }

undo arp detection mode { dhcp-snooping | dot1x | static-bind }

View

System view

Default Level

2: System level

Parameters

dhcp-snooping: Implements ARP attack detection based on DHCP snooping entries. This mode is mainly used to prevent source address spoofing attacks.

dot1x: Implements ARP attack detection based on 802.1X security entries. This mode is mainly used to prevent source address spoofing attacks.

static-bind: Implements ARP attack detection based on static IP-to-MAC binding entries. This mode is mainly used to prevent gateway spoofing attacks.

Description

Use the arp detection mode command to specify an ARP attack detection mode.

Use the undo arp detection mode command to cancel the specified ARP detection mode.

By default, no ARP detection mode is specified; in that case, all packets are considered invalid.

Note that, if you specify the three modes at the same time, the system uses static IP-to-MAC bindings first, then DHCP snooping entries, and then 802.1X security entries.

Examples

# Enable ARP detection based on both DHCP snooping entries and 802.1X security entries.

<Sysname> system-view

[Sysname] arp detection mode dhcp-snooping

[Sysname] arp detection mode dot1x

arp detection static-bind

Syntax

arp detection static-bind ip-address mac-address

undo arp detection static-bind [ ip-address ]

View

System view

Default Level

2: System level

Parameters

ip-address: IP address of the static binding.

mac-address: MAC address of the static binding, in the format of H-H-H.

Description

Use the arp detection static-bind command to configure a static IP-to-MAC binding.

Use the undo arp detection static-bind command to remove the configured static binding.

By default, no static IP-to-MAC binding is configured.

With ARP detection based on static IP-to-MAC bindings configured, the device, upon receiving an ARP packet from an ARP trusted/untrusted port, compares the source IP and MAC addresses of the ARP packet against the static IP-to-MAC bindings.

•  If an entry with a matching IP address but a different MAC address is found, the ARP packet is considered invalid and discarded.

•  If an entry with both matching IP and MAC addresses is found, the ARP packet is considered valid and can pass the detection.

•  If no match is found, the ARP packet is considered valid and can pass the detection.

Note that: If no IP address is specified in the undo arp detection static-bind command, all configured static IP-to-MAC bindings are removed.

Examples

# Configure a static IP-to-MAC binding.

<Sysname> system-view

[Sysname] arp detection static-bind 192.168.1.2 2-1-201

arp detection trust

Syntax

arp detection trust

undo arp detection trust

View

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Default Level

2: System level

Parameters

None

Description

Use the arp detection trust command to configure the port as an ARP trusted port.

Use the undo arp detection trust command to configure the port as an ARP untrusted port.

By default, the port is an ARP untrusted port.

Examples

# Configure GigabitEthernet1/0/1 as an ARP trusted port.

<Sysname> system-view

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] arp detection trust

arp detection validate

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

View

System view

Default Level

2: System level

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests will be checked.

src-mac: Checks whether the source MAC address of an ARP packet is identical to that in its Ethernet header. If they are identical, the packet is considered valid; otherwise, the packet is discarded.

Description

Use the arp detection validate command to configure ARP detection based on specified objects. You can specify one or more objects in one command line.

Use the undo arp detection validate command to remove detected objects. If no keyword is specified, all the detected objects are removed.

By default, ARP detection based on specified objects is disabled.

Examples

# Enable the checking of the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac src-mac ip
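An added Python example (not H3C code) that parses a constructed Ethernet/ARP frame and applies the three arp detection validate checks (dst-mac, ip, src-mac) together with the static IP-to-MAC binding comparison described under arp detection static-bind. The binding reuses the page's 192.168.1.2 / 2-1-201 example; all other addresses and frames are constructed.

```python
import ipaddress
import struct
from typing import Dict, List, Sequence

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
MAC_ZERO, MAC_ONES = b"\x00" * 6, b"\xff" * 6


def parse_mac_hhh(text: str) -> bytes:
    """Parse the device's H-H-H form; short groups such as 2-1-201 are zero-padded."""
    return bytes.fromhex("".join(group.zfill(4) for group in text.split("-")))


def build_arp(op: int, eth_src: str, eth_dst: str, sha: str, spa: str,
              tha: str, tpa: str) -> bytes:
    """Construct an Ethernet+ARP frame (test input, not captured traffic)."""
    return ETH_HDR.pack(parse_mac_hhh(eth_dst), parse_mac_hhh(eth_src), ETHERTYPE_ARP) + \
        ARP_HDR.pack(1, 0x0800, 6, 4, op, parse_mac_hhh(sha),
                     ipaddress.IPv4Address(spa).packed, parse_mac_hhh(tha),
                     ipaddress.IPv4Address(tpa).packed)


def bad_ip(raw: bytes) -> bool:
    """All-zero, all-one and multicast IP addresses are invalid for the ip check."""
    return raw in (b"\x00" * 4, b"\xff" * 4) or ipaddress.IPv4Address(raw).is_multicast


def arp_detection(frame: bytes, bindings: Dict[str, str],
                  validate: Sequence[str] = ("dst-mac", "ip", "src-mac")) -> List[str]:
    """Return the checks the frame fails; an empty list means it passes."""
    eth_dst, eth_src, etype = ETH_HDR.unpack_from(frame)
    assert etype == ETHERTYPE_ARP
    _, _, _, _, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    failed: List[str] = []
    if "src-mac" in validate and sha != eth_src:
        failed.append("src-mac")          # ARP sender MAC differs from Ethernet source
    if "dst-mac" in validate and op == ARP_REPLY and \
            (tha in (MAC_ZERO, MAC_ONES) or tha != eth_dst):
        failed.append("dst-mac")          # target MAC of a reply is bogus
    if "ip" in validate and (bad_ip(spa) or (op == ARP_REPLY and bad_ip(tpa))):
        failed.append("ip")               # sender IP (and target IP of replies)
    bound = bindings.get(str(ipaddress.IPv4Address(spa)))
    if bound is not None and parse_mac_hhh(bound) != sha:
        failed.append("static-bind")      # IP matches a binding, MAC does not
    return failed


BINDINGS = {"192.168.1.2": "2-1-201"}  # the page's arp detection static-bind example
GW = "192.168.1.2"
BCAST = "ffff-ffff-ffff"


def run_scenario() -> Dict[str, List[str]]:
    frames = {
        "valid": build_arp(ARP_REQUEST, "2-1-201", BCAST, "2-1-201", GW, "0-0-0", "192.168.1.20"),
        "gateway-spoof": build_arp(ARP_REQUEST, "00e0-fc00-00ff", BCAST, "00e0-fc00-00ff",
                                   GW, "0-0-0", "192.168.1.20"),
        "src-mac-mismatch": build_arp(ARP_REPLY, "00e0-fc00-0011", "00e0-fc00-0022",
                                      "00e0-fc00-0099", "192.168.1.30",
                                      "00e0-fc00-0022", "192.168.1.20"),
        "zero-target-mac": build_arp(ARP_REPLY, "00e0-fc00-0011", "00e0-fc00-0022",
                                     "00e0-fc00-0011", "192.168.1.30", "0-0-0", "192.168.1.20"),
        "zero-sender-ip": build_arp(ARP_REQUEST, "00e0-fc00-0011", BCAST, "00e0-fc00-0011",
                                    "0.0.0.0", "0-0-0", "192.168.1.20"),
    }
    return {name: arp_detection(frame, BINDINGS) for name, frame in frames.items()}


if __name__ == "__main__":
    for name, failed in run_scenario().items():
        print(f"{name:18s} {'pass' if not failed else 'drop: ' + ', '.join(failed)}")
```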

display arp detection

Syntax

display arp detection

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display arp detection command to display the VLAN(s) enabled with ARP detection.

Related commands: arp detection enable.

Examples

# Display the VLANs enabled with ARP detection.

<Sysname> display arp detection

ARP detection is enabled in the following VLANs:

1, 2, 4-5

Table 2-1 display arp detection command output description

Field                                             Description
ARP detection is enabled in the following VLANs   VLANs that are enabled with ARP detection

display arp detection statistics

Syntax

display arp detection statistics [ interface interface-type interface-number ]

View

Any view

Default Level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the ARP detection statistics of a specified interface.

Description

Use the display arp detection statistics command to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces will be displayed.

Examples

# Display the ARP detection statistics of all the interfaces.

<Sysname> display arp detection statistics

State: U-Untrusted  T-Trusted

ARP packets dropped by ARP inspect checking:

Interface(State)           IP            Src-MAC       Dst-MAC       Inspect

BAGG1(U)                   0             0             0             0

GE1/0/1(T)                 0             0             0             0

GE1/0/2(U)                 0             0             0             0

GE1/0/3(U)                 0             0             0             0

GE1/0/4(U)                 0             0             0             0

GE1/0/5(U)                 0             0             0             0

GE1/0/6(U)                 0             0             0             0

Table 2-2 display arp detection statistics command output description

Field             Description
Interface(State)  State T or U identifies a trusted or untrusted port
IP                Number of ARP packets discarded due to invalid source and destination IP addresses
Src-MAC           Number of ARP packets discarded due to invalid source MAC address
Dst-MAC           Number of ARP packets discarded due to invalid destination MAC address
Inspect           Number of ARP packets that failed to pass ARP detection (based on DHCP snooping entries, 802.1X security entries, or static IP-to-MAC bindings)

reset arp detection statistics

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

View

User view

Default Level

2: System level

Parameters

interface interface-type interface-number: Clears the ARP detection statistics of a specified interface.

Description

Use the reset arp detection statistics command to clear ARP detection statistics of a specified interface. If no interface is specified, the statistics of all the interfaces will be cleared.

Examples

# Clear the ARP detection statistics of all the interfaces.

<Sysname> reset arp detection statistics

Periodic Sending of Gratuitous ARP Packets Configuration Commands

arp anti-attack send-gratuitous-arp

Syntax

arp anti-attack send-gratuitous-arp [ interval milliseconds ]

undo arp anti-attack send-gratuitous-arp

View

VLAN interface view

Default Level

2: System level

Parameters

interval milliseconds: Sets the interval at which gratuitous ARP packets are sent, in the range 200 to 5000 milliseconds. The default value is 2000 ms.

Description

Use the arp anti-attack send-gratuitous-arp command to enable periodic sending of gratuitous ARP packets and set the sending interval.

Use the undo arp anti-attack send-gratuitous-arp command to disable the device from periodically sending gratuitous ARP packets.

By default, the device is disabled from sending gratuitous ARP packets periodically.

Note that:

•  This function takes effect only when the link of the interface goes up and an IP address has been assigned to the interface.

•  If you change the interval of sending ARP packets, the configuration is effective at the next sending interval.

Examples

# Enable VLAN-interface 2 to send gratuitous ARP packets every 300 ms.

<Sysname> system-view

[Sysname] interface vlan-interface 2

[Sysname-Vlan-interface2] arp anti-attack send-gratuitous-arp interval 300