limit-value: Specifies the maximum number of packets with the same source IP address and unresolvable destination IP addresses that the switch can receive in five seconds. The value ranges from 2 to 1024.

Description

Use the arp source-suppression limit command to set the maximum number of packets with the same source IP address and unresolvable destination IP addresses that the switch can receive in five seconds.

Use the undo arp source-suppression limit command to restore the default value, which is 10.

With this feature configured, if the number of packets with unresolvable destination IP addresses sent from a host within five seconds exceeds the specified threshold, the switch stops the sending host from triggering any ARP requests within the following five seconds.

Related commands: display arp source-suppression.

Examples

# Set the maximum number of packets with the same source address and unresolvable destination IP addresses that the switch can receive in five seconds to 100.

<Sysname> system-view

[Sysname] arp source-suppression limit 100

display arp source-suppression

Syntax

display arp source-suppression [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display arp source-suppression command to display information about the current ARP source suppression configuration.

Examples

# Display information about the current ARP source suppression configuration.

<Sysname> display arp source-suppression

ARP source suppression is enabled

Current suppression limit: 100

Current cache length: 16

Table 1 Output description

Field	Description
ARP source suppression is enabled	The ARP source suppression function is enabled.
Current suppression limit	Maximum number of packets with the same source IP address but unresolvable destination IP addresses that the switch can receive in five seconds
Current cache length	Size of cache used to record source suppression information

ARP packet rate limit configuration commands

arp rate-limit

Syntax

arp rate-limit { disable | rate pps drop }

undo arp rate-limit

View

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Default level

2: System level

Parameters

disable: Disables ARP packet rate limit.

rate pps: ARP packet rate, in the range of 10 to 5000 pps.

drop: Discards the exceeded packets.

Description

Use the arp rate-limit command to configure or disable ARP packet rate limit on an interface.

Use the undo arp rate-limit command to restore the default.

By default, ARP packet rate limit is disabled.

Examples

# Specify the ARP packet rate on GigabitEthernet 3/0/1 as 30 pps, and exceeded packets will be discarded.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] arp rate-limit rate 30 drop

Source MAC address based ARP attack detection configuration commands

arp anti-attack source-mac

Syntax

arp anti-attack source-mac { filter | monitor }

undo arp anti-attack source-mac [ filter | monitor ]

View

System view

Default level

2: System level

Parameters

filter: Specifies the filter mode.

monitor: Specifies the monitor mode.

Description

Use the arp anti-attack source-mac command to enable source MAC address based ARP attack detection and specify the detection mode.

Use the undo arp anti-attack source-mac command to restore the default.

By default, source MAC address based ARP attack detection is disabled.

After you enable this feature, the switch checks the source MAC address of ARP packets received from the VLAN. If the number of ARP packets received from a source MAC address within five seconds exceeds the specified threshold:

· In filter detection mode, the switch displays a log message and filters out the ARP packets from the MAC address.

· In monitor detection mode, the switch only displays a log message.

If no detection mode is specified in the undo arp anti-attack source-mac command, both detection modes are disabled.

Examples

# Enable filter-mode source MAC address based ARP attack detection

<Sysname> system-view

[Sysname] arp anti-attack source-mac filter

arp anti-attack source-mac aging-time

Syntax

arp anti-attack source-mac aging-time time

undo arp anti-attack source-mac aging-time

View

System view

Default level

2: System level

Parameters

time: Age timer for protected MAC addresses, in the range of 60 to 6000 seconds.

Description

Use the arp anti-attack source-mac aging-time command to configure the age timer for protected MAC addresses.

Use the undo arp anti-attack source-mac aging-time command to restore the default.

By default, the age timer for protected MAC addresses is 300 seconds (five minutes).

Examples

# Configure the age timer for protected MAC addresses as 60 seconds.

<Sysname> system-view

[Sysname] arp anti-attack source-mac aging-time 60

arp anti-attack source-mac exclude-mac

Syntax

arp anti-attack source-mac exclude-mac mac-address&<1-n>

undo arp anti-attack source-mac exclude-mac [ mac-address&<1-n> ]

View

System view

Default level

2: System level

Parameters

mac-address&<1-n>: MAC address list. The mac-address argument indicates a protected MAC address in the format H-H-H. The maximum value of the n argument is 64. &<1-64> indicates that you can configure up to 64 protected MAC addresses at a time.

Description

Use the arp anti-attack source-mac exclude-mac command to configure protected MAC addresses which will be excluded from ARP packet detection.

Use the undo arp anti-attack source-mac exclude-mac command to remove the configured protected MAC addresses.

By default, no protected MAC address is configured.

If no MAC address is specified in the undo arp anti-attack source-mac exclude-mac command, all the configured protected MAC addresses are removed.

Examples

# Configure a protected MAC address.

<Sysname> system-view

[Sysname] arp anti-attack source-mac exclude-mac 2-2-2

arp anti-attack source-mac threshold

Syntax

arp anti-attack source-mac threshold threshold-value

undo arp anti-attack source-mac threshold

View

System view

Default level

2: System level

Parameters

threshold-value: Threshold for source MAC address based ARP attack detection, in the range of 25 to 1500. The default value is 150.

Description

Use the arp anti-attack source-mac threshold command to configure the threshold for source MAC address based ARP attack detection. If the number of ARP packets sent from a MAC address within five seconds exceeds this threshold, the switch recognizes this as an attack.

Use the undo arp anti-attack source-mac threshold command to restore the default.

Examples

# Configure the threshold for source MAC address based ARP attack detection as 30.

<Sysname> system-view

[Sysname] arp anti-attack source-mac threshold 30

display arp anti-attack source-mac

Syntax

Standalone mode:

display arp anti-attack source-mac { slot slot-number | interface interface-type interface-number } [ | { begin | exclude | include } regular-expression ]

IRF mode:

display arp anti-attack source-mac { chassis chassis-number slot slot-number | interface interface-type interface number } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

interface interface-type interface-number: Displays attacking MAC addresses detected on the interface.

slot slot-number: Displays attacking MAC addresses detected on the interface card specified by the slot number. Use this option when your switch is operating in standalone mode.

chassis chassis-number slot slot-number: Displays attacking MAC addresses detected on a card of an IRF member switch. The chassis-number argument refers to the ID of the IRF member switch. The slot-number argument refers to the number of the slot where the card resides. You can display the member ID and slot number with the display device command. Use this option when your switch is operating in IRF mode.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display arp anti-attack source-mac command to display attacking MAC addresses detected by source MAC address based ARP attack detection.

Examples

# Display the attacking MAC addresses detected by source MAC address based ARP attack detection (standalone mode).

<Sysname> display arp anti-attack source-mac slot 3

Source-MAC VLAN-ID Interface Aging-time

23f3-1122-3344 4094 GE3/0/2 10

23f3-1122-3355 4094 GE3/0/3 30

23f3-1122-33ff 4094 GE3/0/4 25

23f3-1122-33ad 4094 GE3/0/5 30

23f3-1122-33ce 4094 GE3/0/6 2

# Display the attacking MAC addresses detected by source MAC address based ARP attack detection (IRF mode).

<Sysname> display arp anti-attack source-mac chassis 1 slot 3

Source-MAC VLAN ID Interface Aging-time

23f3-1122-3344 4094 GE1/3/0/2 10

23f3-1122-3355 4094 GE1/3/0/3 30

23f3-1122-33ff 4094 GE1/3/0/4 25

23f3-1122-33ad 4094 GE1/3/0/5 30

23f3-1122-33ce 4094 GE1/3/0/6 2

ARP packet source mac address consistency check configuration commands

arp anti-attack valid-check enable

Syntax

arp anti-attack valid-check enable

undo arp anti-attack valid-check enable

View

System view

Default level

2: System level

Parameters

None

Description

Use the arp anti-attack valid-check enable command to enable ARP packet source MAC address consistency check on the gateway. After you execute this command, the gateway device can filter out ARP packets with the source MAC address in the Ethernet header different from the sender MAC address in the ARP message.

Use the undo arp anti-attack valid-check enable command to restore the default.

By default, ARP packet source MAC address consistency check is disabled.

Examples

# Enable ARP packet source MAC address consistency check.

<Sysname> system-view

[Sysname] arp anti-attack valid-check enable

ARP active acknowledgement configuration commands

arp anti-attack active-ack enable

Syntax

arp anti-attack active-ack enable

undo arp anti-attack active-ack enable

View

System view

Default level

2: System level

Parameters

None

Description

Use the arp anti-attack active-ack enable command to enable the ARP active acknowledgement function.

Use the undo arp anti-attack active-ack enable command to restore the default.

By default, the ARP active acknowledgement function is disabled.

This feature is configured on gateway devices to identify invalid ARP packets.

Examples

# Enable the ARP active acknowledgement function.

<Sysname> system-view

[Sysname] arp anti-attack active-ack enable

Authorized ARP configuration commands

NOTE:

This feature is supported on Layer 3 Ethernet interfaces only. For more information about the working modes of Ethernet interfaces, see Interface Configuration Guide.

arp authorized enable

Syntax

arp authorized enable

undo arp authorized enable

View

Layer 3 Ethernet interface view

Default level

2: System level

Parameters

None

Description

Use the arp authorized enable command to enable authorized ARP on an interface.

Use the undo arp authorized enable command to restore the default.

By default, authorized ARP is not enabled on the interface.

Examples

# Enable authorized ARP on GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] port link-mode route

[Sysname-GigabitEthernet3/0/1] arp authorized enable

ARP detection configuration commands

arp detection enable

Syntax

arp detection enable

undo arp detection enable

View

VLAN view

Default level

2: System level

Parameters

None

Description

Use the arp detection enable command to enable ARP detection for the VLAN.

Use the undo arp detection enable command to restore the default.

By default, ARP detection is disabled for a VLAN.

Examples

# Enable ARP detection for VLAN 1.

<Sysname> system-view

[Sysname] vlan 1

[Sysname-Vlan1] arp detection enable

arp detection trust

Syntax

arp detection trust

undo arp detection trust

View

Layer 2 Ethernet interface view, Layer 2 aggregate interface view

Default level

2: System level

Parameters

None

Description

Use the arp detection trust command to configure the port as an ARP trusted port.

Use the undo arp detection trust command to restore the default.

By default, the port is an ARP untrusted port.

Examples

# Configure GigabitEthernet 3/0/1 as an ARP trusted port.

<Sysname> system-view

[Sysname] interface GigabitEthernet 3/0/1

[Sysname-GigabitEthernet3/0/1] arp detection trust

arp detection validate

Syntax

arp detection validate { dst-mac | ip | src-mac } *

undo arp detection validate [ dst-mac | ip | src-mac ] *

View

System view

Default level

2: System level

Parameters

dst-mac: Checks the target MAC address of ARP responses. If the target MAC address is all-zero, all-one, or inconsistent with the destination MAC address in the Ethernet header, the packet is considered invalid and discarded.

ip: Checks the source and destination IP addresses of ARP packets. The all-zero, all-one or multicast IP addresses are considered invalid and the corresponding packets are discarded. With this keyword specified, the source and destination IP addresses of ARP replies, and the source IP address of ARP requests will be checked.

src-mac: Checks whether the sender MAC address of an ARP packet is identical to the source MAC address in the Ethernet header. If they are identical, the packet is considered valid; otherwise, the packet is discarded.

Description

Use the arp detection validate command to configure ARP detection based on specified objects. You can specify one or more objects in one command line.

Use the undo arp detection validate command to remove detected objects. If no keyword is specified, all the detected objects are removed.

Examples

# Enable the checking of the MAC addresses and IP addresses of ARP packets.

<Sysname> system-view

[Sysname] arp detection validate dst-mac src-mac ip

arp restricted-forwarding enable

Syntax

arp restricted-forwarding enable

undo arp restricted-forwarding enable

View

VLAN view

Default level

2: System level

Parameters

None

Description

Use the arp restricted-forwarding enable command to enable ARP restricted forwarding.

Use the undo arp restricted-forwarding enable command to disable ARP restricted forwarding.

By default, ARP restricted forwarding is disabled.

Examples

# Enable ARP restricted forwarding in VLAN 100.

<Sysname> system-view

[Sysname] vlan 100

[Sysname-vlan100] arp restricted-forwarding enable

display arp detection

Syntax

display arp detection [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display arp detection command to display the VLAN(s) enabled with ARP detection.

Related commands: arp detection enable.

Examples

# Display the VLANs enabled with ARP detection.

<Sysname> display arp detection

ARP detection is enabled in the following VLANs:

1, 2, 4-5

Table 2 Output description

Field	Description
ARP detection is enabled in the following VLANs	VLANs that are enabled with ARP detection

display arp detection statistics

Syntax

display arp detection statistics [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

interface interface-type interface-number: Displays the ARP detection statistics of a specified interface.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display arp detection statistics command to display statistics about ARP detection. This command only displays numbers of discarded packets. If no interface is specified, the statistics of all the interfaces will be displayed.

Examples

# Display the ARP detection statistics of all the interfaces.

<Sysname> display arp detection statistics

State: U-Untrusted T-Trusted

ARP packets dropped by ARP inspect checking:

Interface(State) IP Src-MAC Dst-MAC Inspect

GE3/0/1(U) 0 0 0 0

GE3/0/2(U) 40 0 0 78

GE3/0/3(U) 0 0 0 0

GE3/0/4(T) 0 0 0 0

Table 3 Output description

Field	Description
Interface(State)	State T or U identifies a trusted or untrusted port.
IP	Number of ARP packets discarded due to invalid source and destination IP addresses
Src-MAC	Number of ARP packets discarded due to invalid source MAC address
Dst-MAC	Number of ARP packets discarded due to invalid destination MAC address
Inspect	Number of ARP packets that failed to pass ARP detection (based on static IP Source Guard binding entries/DHCP snooping entries/802.1X security entries/OUI MAC addresses)

reset arp detection statistics

Syntax

reset arp detection statistics [ interface interface-type interface-number ]

View

User view

Default level

1: Monitor level

Parameters

interface interface-type interface-number: Clears the ARP detection statistics of a specified interface.

Description

Use the reset arp detection statistics command to clear ARP detection statistics of a specified interface. If no interface is specified, the statistics of all the interfaces will be cleared.

Examples

# Clear the ARP detection statistics of all the interfaces.

<Sysname> reset arp detection statistics

11-Security Command Reference

display arp source-suppression

Cloud & AI

InterConnect

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Resources

Partner Business Management

Company Information

News & Events

Contact Us