H3C S3100 Series Ethernet Switches Command Manual-Release 22XX Series(V1.00)

41-ARP and IP Attack Defense Commands

ARP and IP Attack Defense Configuration Commands

arp anti-attack valid-check enable

Syntax

arp anti-attack valid-check enable

undo arp anti-attack valid-check enable

View

System view

Parameters

None

Description

Use the arp anti-attack valid-check enable command to enable ARP source MAC address consistency check.

Use the undo arp anti-attack valid-check enable command to disable this function.

By default, ARP source MAC address consistency check is disabled.

Examples

# Enable ARP source MAC address consistency check.

<sysname> system-view

[sysname] arp anti-attack valid-check enable

arp filter source

Syntax

arp filter source ip-address

undo arp filter source

View

Ethernet port view

Parameters

ip-address: IP address of the gateway.

Description

Use the arp filter source command to configure ARP packet filtering based on the gateway’s IP address on the current port. After that, ARP packets with the gateway’s IP address as the sender IP address are considered invalid and discarded.

Use the undo arp filter source command to remove the configuration.

By default, ARP packet filtering based on the gateway’s IP address is disabled.

Note that:

• This command should be configured on a port directly connected to hosts.

• If you execute this command repeatedly, the last configured command takes effect.

• Among S3100 series switches, only S3100-EI series switches support the two commands.

Examples

# Configure ARP packet filtering based on the gateway’s IP address 192.168.0.1/24 on Ethernet 1/0/1.

<sysname> system-view

[sysname] interface Ethernet1/0/1

[sysname-Ethernet1/0/1] arp filter source 192.168.0.1

arp filter binding

Syntax

arp filter binding ip-address mac-address

undo arp filter binding

View

Ethernet port view

Parameters

ip-address: IP address of the gateway.

mac-address: MAC address of the gateway.

Description

Use the arp filter binding command to configure ARP packet filtering based on the gateway’s IP and MAC addresses on the current port. After that, the port will discard ARP packets with the gateway’s IP address as the sender IP address but with the sender MAC address different from that of the gateway.

Use the undo arp filter binding command to remove the configuration.

By default, ARP packet filtering based on the gateway’s IP and MAC addresses is disabled.

Note that:

• This command should be configured on a cascaded port or upstream port of an access switch.

• If you execute this command repeatedly, the last configured command takes effect.

• Among S3100 series switches, only S3100-EI series switches support the two commands.

Examples

# Configure ARP packet filtering based on the gateway’s IP address 192.168.100.1/24 and MAC address 000d-88f8-528c on Ethernet 1/0/2.

<sysname> system-view

[sysname] interface Ethernet1/0/2

[sysname-Ethernet1/0/2] arp filter binding 192.168.100.1 000d-88f8-528c
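The three ARP defenses described above (source MAC consistency check, gateway-IP sender filter on host-facing ports, and gateway IP/MAC binding filter on upstream ports) as an added Python simulation; this is not the switch's own code. It assumes the consistency check compares the Ethernet source MAC with the ARP sender MAC, and the frames and policy values it builds are constructed samples.

```python
import struct

ETHERTYPE_ARP = 0x0806

def mac_bytes(text):
    """'000d-88f8-528c' or '00:0d:88:f8:52:8c' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))

def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))

def build_arp_frame(eth_src, sender_mac, sender_ip, target_ip, opcode=1):
    """Constructed test frame: 14-byte Ethernet header + 28-byte IPv4 ARP body."""
    eth = struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp

def parse_arp_frame(frame):
    """Return (eth_src, sender_mac, sender_ip) or None if not a full ARP frame."""
    if len(frame) < 42:
        return None
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    sha, spa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])[5:7]
    return eth_src, sha, spa

def check_arp_frame(frame, valid_check=False, filter_source_ip=None, filter_binding=None):
    """Apply the page's ARP defenses to one frame; returns (accepted, reason).
    valid_check      -> arp anti-attack valid-check enable (system view)
    filter_source_ip -> arp filter source <ip> on a host-facing port
    filter_binding   -> (ip, mac) from arp filter binding on an upstream port
    """
    parsed = parse_arp_frame(frame)
    if parsed is None:
        return True, "not ARP; checks do not apply"
    eth_src, sender_mac, sender_ip = parsed
    # Assumption: the consistency check compares Ethernet source MAC with ARP sender MAC.
    if valid_check and eth_src != sender_mac:
        return False, "sender MAC differs from frame source MAC"
    if filter_source_ip and sender_ip == ip_bytes(filter_source_ip):
        return False, "sender IP is the gateway IP on a host-facing port"
    if filter_binding:
        gw_ip, gw_mac = filter_binding
        if sender_ip == ip_bytes(gw_ip) and sender_mac != mac_bytes(gw_mac):
            return False, "sender claims gateway IP with a non-gateway MAC"
    return True, "accepted"
```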

arp max-learning-num

Syntax

arp max-learning-num number

undo arp max-learning-num

View

VLAN interface view

Parameters

number: Maximum number of dynamic ARP entries that can be learned by the interface. It ranges from 1 to 256.

Description

Use the arp max-learning-num command to configure the maximum number of dynamic ARP entries that can be learned by the current VLAN interface.

Use the undo arp max-learning-num command to remove the configuration.

By default, the maximum number of dynamic ARP entries that can be learned by a VLAN interface is not configured.

Note that:

• If you execute this command repeatedly, the last configured command takes effect.

• Among S3100 series switches, only S3100-EI series switches support the two commands.

Examples

# Configure the maximum number of dynamic ARP entries that can be learned by VLAN-interface 40 as 50.

<sysname> system-view

[sysname] interface vlan-interface 40

[sysname-Vlan-interface40] arp max-learning-num 50

ip source static import dot1x

Syntax

ip source static import dot1x

undo ip source static import dot1x

View

System view

Parameters

None

Description

Use the ip source static import dot1x command to enable using IP-MAC bindings of authenticated 802.1x clients for ARP attack detection. The IP-MAC bindings of authenticated 802.1x clients are used for ARP attack detection after IP-MAC static bindings and DHCP snooping entries are checked.

Use the undo ip source static import dot1x command to disable the function.

By default, this function is disabled.

Note that:

• This command should be used in cooperation with the arp detection enable command.

• Among S3100 series switches, only S3100-EI series switches support the two commands.

Examples

# Enable the switch to record IP-MAC bindings of authenticated 802.1x clients.

<sysname> system-view

[sysname] ip source static import dot1x

ip check dot1x enable

Syntax

ip check dot1x enable

undo ip check dot1x enable

View

Ethernet port view

Parameters

None

Description

Use the ip check dot1x enable command to enable IP filtering based on IP-MAC bindings of authenticated 802.1x clients.

Use the undo ip check dot1x enable command to disable the function.

By default, IP filtering based on IP-MAC bindings of authenticated 802.1x clients is disabled.

Note that:

• The ip check dot1x enable and the ip check source ip-address mac-address commands are mutually exclusive.

• Among S3100 series switches, only S3100-EI series switches support the two commands.

Examples

# Enable IP filtering based on IP-MAC bindings of authenticated 802.1x clients on Ethernet 1/0/2.

<sysname> system-view

[sysname] interface ethernet1/0/2

[sysname-Ethernet1/0/2] ip check dot1x enable
